CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.


We have discovered 3,327,117 live websites that are affected by CWE-639.

CVEs

  • Count: 269

Website Distribution by Country

Number of websites affected by CWE-639

Country          Websites
United States    943,840
Germany          340,448
France           183,880
GB               148,973
Italy            129,194
Brazil           112,677
Netherlands      110,449
Spain             99,217
Poland            75,318
Canada            68,033

Website Distribution by TLD

Number of websites affected by CWE-639

TLD        Websites
.com       1,399,401
.de          196,875
.org         144,767
.com.br      105,141
.nl           99,662
.it           93,599
.co.uk        87,346
.fr           82,266
.net          73,201
.pl           57,337

Newest CVEs

List of the most recent CVEs that are part of CWE-639

Discovered | CVE | Description | Websites
Apr, 2026 | CVE-2026-3371 | Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification | 8,493
Apr, 2026 | CVE-2026-32930 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check | 9
Apr, 2026 | CVE-2026-33141 | Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data | 9
Apr, 2026 | CVE-2026-33702 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) | 9
Apr, 2026 | CVE-2026-4654 | Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter | 1,282
Apr, 2026 | CVE-2026-5167 | Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint | 278
Apr, 2026 | CVE-2026-5465 | Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter | 1,987
Apr, 2026 | CVE-2026-4896 | WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation | 1,881
Mar, 2026 | CVE-2026-3139 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field | 11,736
Mar, 2026 | CVE-2026-3124 | Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id' | 22,271

List of the most common CVEs that are part of CWE-639

Discovered | CVE | Description | Websites
Mar, 2026 | CVE-2026-1206 | Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template | 2,559,160
May, 2025 | CVE-2024-10075 | Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution | 205,486
Dec, 2025 | CVE-2025-15033 | WooCommerce - Subscriber/Customer+ Order Data Disclosure | 174,586
Feb, 2026 | CVE-2025-13842 | Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure | 102,717
Dec, 2024 | CVE-2024-12335 | Avada Builder <= 3.11.12 - Authenticated (Contributor+) Protected Post Disclosure | 81,058
Mar, 2026 | CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | 59,936
Dec, 2025 | CVE-2025-11924 | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token | 58,840
Mar, 2026 | CVE-2026-1992 | ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation | 54,456
Mar, 2026 | CVE-2026-2917 | Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter | 46,700
Mar, 2026 | CVE-2026-2918 | Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions | 46,700

Websites affected by CWE-639

Top websites that are affected by CWE-639 (domain names and ranks are masked).

Domain             | Country       | Rank
****.io            | France        | ***
**************.de  | Germany       | ***
**********.com     | United States | ***
*******.com        | United States | ***
*********.com      | United States | ***
************.org   | United States | ***
*****.com          | United States | ***
******.*******.org | United States | ***
**.*******.com     | China         | ***
************.com   | United States | *,***