Abstraction: Variant · Status: Incomplete

CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key

Category: injection

Description

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Common consequences · 1

  • Confidentiality / Integrity / Access Control — Read Application Data, Modify Application Data, Bypass Protection Mechanism

Potential mitigations · 2

  • [Implementation] Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.
  • [Implementation] Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.
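The two mitigations together, as an added example that is not part of the CWE entry: a lookup that is already parameterized (so not SQL injection) but still exhibits CWE-566 because the user-supplied primary key is never scoped to the caller, beside a hardened version that validates the id and adds the ownership predicate. The table, column names and the in-memory sample rows are constructed for the demonstration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users (100 and 200), one invoice each."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)"
    )
    con.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 19.99), (2, 200, 250.0)],
    )
    return con


def get_invoice_vulnerable(con, raw_id, current_user_id):
    # Parameterized, so the value cannot alter the SQL, but the primary key is
    # taken straight from the request and nothing ties the row to the caller:
    # any user who guesses or increments an id reads someone else's invoice.
    return con.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (raw_id,)
    ).fetchone()


def parse_invoice_id(raw) -> int:
    # "Accept known good": the id must be a short positive decimal integer.
    # Anything else is rejected before it reaches the database.
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("invalid invoice id")
    return int(raw)


def get_invoice_hardened(con, raw_id, current_user_id):
    # Validate first, then let the query itself enforce the business rule
    # (callers may only see their own rows). A foreign or missing id both
    # yield None, so the response does not reveal whether the row exists.
    invoice_id = parse_invoice_id(raw_id)
    return con.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
```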

References

  1. https://cwe.mitre.org/data/definitions/566.html

(incoming) · 3

Type           Target           Confidence  Tier
Vulnerability  CVE-2025-61781   0%          live
Vulnerability  CVE-2025-9953    0%          live
Vulnerability  CVE-2026-21886   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Authorization Bypass Through User-Controlled Key
  • CWE: Improper Access Control
  • CWE: Improper Authorization
  • CWE: Unprotected Primary Channel
  • CWE: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE: Missing Authorization

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.