praisonai-platform: Cross-Workspace Label IDOR Vulnerability
2 rules, 3 TTPs
Praison AI's praisonai-platform is vulnerable to an insecure direct object reference (IDOR) in the label endpoints (CVE-2026-47414), allowing cross-workspace label modification and information disclosure due to improper validation of label and issue IDs.
PraisonAI Platform Cross-Workspace IDOR and Privilege Escalation
3 rules, 5 TTPs
PraisonAI Platform is vulnerable to cross-workspace IDOR and member-role privilege escalation, allowing unauthorized users to read, update, or delete resources across workspaces, escalate privileges, and potentially take over accounts and workspaces due to insufficient access controls and role enforcement.
phpMyFAQ Insecure Direct Object Reference Allows Privilege Escalation (CVE-2026-35671)
2 rules, 1 TTP, 1 CVE
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification, leading to privilege escalation.
AudioIgniter WordPress Plugin Vulnerable to Insecure Direct Object Reference (CVE-2026-8679)
2 rules, 1 TTP
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference (CVE-2026-8679) in versions up to 2.0.2, allowing unauthenticated attackers to view track metadata of any playlist, regardless of its status.
Open WebUI IDOR Vulnerability in Retrieval API Allows Unauthorized Access and Modification of Knowledge Bases
2 rules, 1 TTP
Open WebUI is vulnerable to an IDOR vulnerability in its Retrieval API that bypasses knowledge base access controls, allowing any authenticated user who knows a private knowledge base UUID to read, inject content into, or overwrite another user's knowledge base.
FlowiseAI Cross-Workspace Dataset Takeover via Mass Assignment
2 rules, 1 TTP
FlowiseAI contains a mass assignment vulnerability via `Object.assign(entity, body)`, which allows a client-controlled `workspaceId` to be overwritten on the Dataset entity, leading to cross-workspace data takeover and IDOR.
FlowiseAI DatasetRow Mass Assignment Allows Cross-Workspace Data Takeover
2 rules, 1 TTP
FlowiseAI contains a mass assignment vulnerability in the DatasetRow controller/service, allowing an authenticated attacker to overwrite the `workspaceId` and `id` of a DatasetRow entity, leading to cross-workspace data takeover and IDOR.
FlowiseAI Evaluator Cross-Workspace Takeover via Mass Assignment
2 rules, 1 TTP
FlowiseAI contains a mass assignment vulnerability in the Evaluator controller/service, where an attacker can manipulate the `workspaceId` during evaluator creation or updates, leading to cross-workspace data takeover and IDOR.
wger IDOR Vulnerability Exposes Private Workout Data (CVE-2026-43977)
2 rules, 1 TTP
wger 2.5 and earlier is vulnerable to CVE-2026-43977, an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to read another user's private workout session notes, exercise history, and training statistics by accessing the `/logs/` and `/stats/` actions on a public template routine they do not own.
Cisco Slido Insecure Direct Object Reference Vulnerability
2 rules, 1 TTP
An insecure direct object reference in Cisco Slido's REST API could have allowed an authenticated remote attacker to access social profile data or affect quiz/poll results.
WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion
2 rules, 1 TTP, 1 CVE
The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.
Zyosoft School App Insecure Direct Object Reference Vulnerability
2 rules, 3 TTPs, 1 CVE
Zyosoft's School App contains an Insecure Direct Object Reference vulnerability (CVE-2026-7491) that allows authenticated remote attackers to modify parameters and access or modify other users' data.
IBM Langflow Desktop Unauthenticated Image Access via IDOR
2 rules, 1 TTP, 1 CVE
IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to an insecure direct object reference (IDOR) vulnerability (CVE-2026-4503), allowing unauthenticated users to view other users' images due to a user-controlled key.
Crafty Controller Users API Insecure Direct Object Reference Vulnerability
2 rules, 1 TTP, 1 CVE
Crafty Controller's Users API component contains an insecure direct object reference vulnerability, allowing a remote, authenticated attacker to perform unauthorized user modification actions due to improper API permissions validation (CVE-2026-5652).
Paperclip Cross-Tenant Agent API Key IDOR Vulnerability
3 rules, 5 TTPs
A Paperclip API vulnerability allows a board user from one company to create, list, and revoke agent API keys in another company, leading to full cross-tenant compromise due to insufficient authorization checks on `/agents/:id/keys` routes.
Chamilo LMS Insecure Direct Object Reference Vulnerability (CVE-2026-32930)
2 rules, 2 TTPs, 1 CVE
An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.
Amelia WordPress Plugin IDOR Vulnerability CVE-2026-5465
2 rules, 1 TTP, 1 CVE
The Amelia WordPress plugin is vulnerable to an insecure direct object reference, allowing authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator, by manipulating the `externalId` field.
Brave CMS Insecure Direct Object Reference Vulnerability (CVE-2026-35183)
1 rule, 1 TTP, 1 CVE
Brave CMS versions prior to 2.0.6 contain an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated users with edit permissions to delete images attached to articles owned by other users, due to missing ownership verification in the deleteImage method.
Langflow IDOR Vulnerability Allows Cross-User Flow Manipulation
2 rules, 3 TTPs
Langflow versions 1.5.0 and earlier contain an IDOR vulnerability (CVE-2026-34046) that allows authenticated users to read, modify, and delete flows belonging to other users due to a missing ownership check, potentially exposing sensitive information and enabling unauthorized control over AI agent logic.
Aegra Cross-Tenant IDOR in Thread Run Creation
2 rules, 3 TTPs
Aegra versions 0.9.0 through 0.9.6 are vulnerable to a cross-tenant IDOR, enabling authenticated users to execute graph runs against other users' threads, read checkpoint states, inject messages, and conceal their actions due to missing user ID validation on run creation endpoints; patched in version 0.9.7.