{"id":"CVE-2024-57190","details":"Erxes \u003c1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a \"User\" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.","aliases":["GHSA-7rhv-xm4q-wh42"],"modified":"2026-04-09T10:30:04.586989Z","published":"2025-06-10T17:20:38.540Z","references":[{"type":"FIX","url":"https://github.com/erxes/erxes/commit/4ed2ca797241d2ba0c9083feeadd9755c1310ce8"},{"type":"EVIDENCE","url":"https://www.sonarsource.com/blog/micro-services-major-headaches-detecting-vulnerabilities-in-erxes-microservices/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/erxes/erxes","events":[{"introduced":"0"},{"fixed":"dee8d3e6ffb4a6ff78e6b0e9e36bf388436572d8"},{"fixed":"4ed2ca797241d2ba0c9083feeadd9755c1310ce8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.1"}]}}],"versions":["1.5.10","1.5.9","1.6.0","1.6.0-rc.0","1.6.0-rc.1","1.6.0-rc.2","1.6.0-rc.3","1.6.0-rc.4","1.6.0-rc.5","1.6.0-rc.6","1.6.0-rc.7","1.6.0-rc.8","1.6.1-rc.0","1.6.1-rc.1","1.6.1-rc.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57190.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}