CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
We have discovered 1,606,566 live websites that are affected by CWE-863.
CVEs
- Count - 201
CWE References
Website Distribution by Country
Number of websites using CWE-863 United States | 477,040 websites |
 British Virgin Islands | 248,689 websites |
 Russia | 182,679 websites |
 Germany | 99,313 websites |
 GB | 91,170 websites |
 France | 52,269 websites |
 Netherlands | 32,846 websites |
 Italy | 31,702 websites |
 China | 31,330 websites |
 Japan | 24,739 websites |
Website Distribution by TLD
Number of websites using CWE-863| .com | 753,087 websites |
| .ru | 150,032 websites |
| .org | 86,149 websites |
| .net | 62,122 websites |
| .co.uk | 49,921 websites |
| .de | 48,348 websites |
| .nl | 27,542 websites |
| .it | 24,433 websites |
| .fr | 22,040 websites |
| .com.br | 15,371 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-863| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Apr, 2026 | CVE-2026-2712 | WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation | 16 |
| Apr, 2026 | CVE-2026-33460 | Incorrect Authorization in Kibana Fleet Leading to Information Disclosure | 42 |
| Apr, 2026 | CVE-2026-33461 | Incorrect Authorization in Kibana Fleet Leading to Information Disclosure | 42 |
| Mar, 2026 | CVE-2026-33869 | Mastodon has a denial of service for quote authorization | 849 |
| Mar, 2026 | CVE-2026-33884 | Statamic's live preview token bypasses content protection for unrelated entries | 1 |
| Mar, 2026 | CVE-2025-15488 | Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution | 1,834 |
| Mar, 2026 | CVE-2026-3115 | Guest users can view group member IDs without respecting view restrictions | 160 |
| Mar, 2026 | CVE-2026-4274 | Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access | 160 |
| Mar, 2026 | CVE-2026-28755 | NGINX ngx_stream_ssl_module vulnerability | 855,067 |
| Mar, 2026 | CVE-2026-31805 | Discourse has a poll authorization bypass via post_id array parameter | 884 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-863| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Mar, 2026 | CVE-2026-28755 | NGINX ngx_stream_ssl_module vulnerability | 855,067 |
| Jan, 2024 | CVE-2022-0775 | WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion | 178,701 |
| Feb, 2025 | CVE-2025-23419 | TLS Session Resumption Vulnerability | 152,495 |
| Nov, 2024 | CVE-2024-9926 | Jetpack < 13.9.1 - Subscriber+ Arbitrary Feedback Access | 124,742 |
| Mar, 2025 | CVE-2025-31673 | Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 | 108,654 |
| Sep, 2025 | CVE-2025-8944 | OceanWP < 4.1.2 - Subscriber+ Limited Option Update | 64,818 |
| Jan, 2023 | CVE-2022-45353 | WordPress Betheme theme <= 26.6.1 is vulnerable to Broken Access Control | 36,378 |
| Mar, 2024 | CVE-2024-1479 | WP Show Posts <= 1.1.4 - Information Exposure | 33,428 |
| Dec, 2025 | CVE-2025-14081 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass | 18,874 |
| Jun, 2023 | CVE-2023-2877 | Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution | 8,991 |
Websites affected by CWE-863
Top websites that are affected by CWE-863. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.org | United States | *** | |
| ******.com | British Virgin Islands | *** | |
| ****.*********.com | British Virgin Islands | *** | |
| *******.com | United States | *** | |
| ****.******.org | United States | *** | |
| ***.**.uk | GB | *** | |
| ********.**************.com | United States | *** | |
| ***.**.**.com | China | *** | |
| ******.***.cc | Germany | *** | |
| **********.com | United States | *** |