Incorrect Authorization Affecting actingweb package, versions [,3.7.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-ACTINGWEB-14829638
- published1 Jan 2026
- disclosed1 Jan 2026
- creditUnknown
Introduced: 1 Jan 2026
CVE NOT AVAILABLE CWE-863 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade actingweb to version 3.7.1 or higher.
Overview
actingweb is a The official ActingWeb library
Affected versions of this package are vulnerable to Incorrect Authorization due to unsafe permission-override merge semantics in the merge_permissions() function in actingweb/trust_permissions.py. When individual trust relationship overrides are configured, base security exclusions (e.g., private/, security/, oauth_*) can be cleared, providing an attacker with unintended access to protected resources.