Tag: authorization

All the articles with the tag "authorization".

• Middleware Authorization Bypass: Skipping Next.js Auth with a Single Header (CVE-2025-29927)

  kOaDT

  21 Mar, 2026

  Exploiting CVE-2025-29927 to bypass Next.js middleware-based authentication using the x-middleware-subrequest internal header, accessing a protected internal status page without credentials.

• Broken Object Level Authorization: Accessing Private Wishlists

  kOaDT

  31 Jan, 2026

  A BOLA vulnerability in OopsSec Store's wishlist API lets any logged-in user read anyone else's private wishlist, including an admin one that contains the flag.