CWE-86214 advisories

Missing Authorization

What it is

An endpoint performs a sensitive action without checking whether the caller is allowed to.

How to fix it

Upgrade and add an authorization check to the affected endpoint.

How to avoid it

Gate every sensitive endpoint behind an explicit, default-deny authorization check.

Known Missing Authorization vulnerabilities

CVE-2026-22555 — high · Go/code.gitea.io/gitea
CVE-2026-26231 — high · Go/code.gitea.io/gitea
AI-GROK-BANKR-WALLET-2026 — critical · Twitter/X/Grok (xAI) + Bankrbot crypto agent on X · exploited
AI-GEMINI-INVITATION-PROMPTWARE-2025 — high · Google Gemini/Google Gemini (Calendar/Workspace integration) · exploited
AI-EXCESSIVE-AGENCY-2025 — high · LLM security/Excessive agency / unsafe tool use
WEB3-APPROVAL-PHISHING-2023 — high · Web3 · Ethereum/Unlimited ERC-20 approvals and ERC-721/1155 setApprovalForAll phishing · exploited
WEB3-DRAINER-2024 — critical · Web3 · Wallets/Wallet drainer-as-a-service kits · exploited
APPSEC-TMOBILE-API-2023 — high · API · Telecom/T-Mobile
APPSEC-AUTO-API-2023 — critical · API · Automotive/Automaker telematics APIs (Kia, Hyundai, BMW, Ferrari, and more)
WEB3-BEANSTALK-2022 — critical · Web3 · Ethereum/Beanstalk Farms · exploited
APPSEC-COINBASE-TRADE-LOGIC-2022 — critical · API · Finance/Coinbase Retail Advanced Trading API · exploited
WEB3-POLY-NETWORK-2021 — critical · Web3 · Ethereum/Poly Network · exploited
APPSEC-PELOTON-API-2021 — medium · API/Peloton
APPSEC-USPS-INFORMEDVIS-2018 — high · API/USPS (Informed Visibility)

Stateward flags Missing Authorization in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.