Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-566 (通过用户控制SQL主密钥绕过授权机制) — Vulnerability Class 4

4 vulnerabilities classified as CWE-566 (通过用户控制SQL主密钥绕过授权机制). AI Chinese analysis included.

CWE-566 represents a critical authorization bypass weakness where applications execute SQL queries using primary keys directly supplied by users, failing to enforce proper access controls. Attackers typically exploit this vulnerability by manipulating input parameters, such as changing an ID value in a URL or API request, to access or modify records belonging to other users or sensitive administrative data. This occurs because the application trusts the user-provided identifier without verifying if the requesting actor has legitimate permission to view or alter that specific resource. To prevent this, developers must implement strict server-side authorization checks that validate the current user’s rights against the requested resource before executing any database operations. Additionally, using parameterized queries and abstracting database access through secure service layers can further mitigate risks by ensuring that data retrieval is always governed by verified business logic rather than raw user input.

MITRE CWE Description
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. Database access control errors occur when: Data enters a program from an untrusted source. The data is used to specify the value of a primary key in a SQL query. The untrusted source does not have the permissions to be able to access all rows in the associated table.
Common Consequences (1)
Confidentiality, Integrity, Access ControlRead Application Data, Modify Application Data, Bypass Protection Mechanism
Mitigations (2)
ImplementationAssume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.
ImplementationUse a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.
Examples (1)
The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.
... conn = new SqlConnection(_ConnectionString); conn.Open(); int16 id = System.Convert.ToInt16(invoiceID.Text); SqlCommand query = new SqlCommand( "SELECT * FROM invoices WHERE id = @id", conn); query.Parameters.AddWithValue("@id", id); SqlDataReader objReader = objCommand.ExecuteReader(); ...
Bad · C#
CVE IDTitleCVSSSeverityPublished
CVE-2025-9953 SQLi in Database Software's Databank Accreditation Software — Databank Accreditation Software 9.8 Critical2026-02-19
CVE-2025-30369 Zulip allows the deletion of Custom profile fields by administrators of a different organization — zulip 2.7 Low2025-03-31
CVE-2025-30368 Zulip allows the deletion of organization by administrators of a different organization — zulip 2.7 Low2025-03-31
CVE-2024-22261 SQL Injection in Harbor scan log API — Harbor 2.7 Low2024-06-10

Vulnerabilities classified as CWE-566 (通过用户控制SQL主密钥绕过授权机制) represent 4 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.