Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable login API with no auth or interaction (AV:N/AC:L/PR:N/UI:N); brute-force yields account takeover so C:H, but only per-account integrity (I:L) and no availability impact.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass.
This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.
AnalysisAI
Authentication bypass in Başbelen Group's Pause+ Mobile App versions 1.0.6 through 1.4.x allows remote attackers to defeat login protections by exhausting authentication attempts without lockout, per CWE-307. The CVSS 9.8 score and PR:N/UI:N vector indicate unauthenticated network-based exploitation against any user account, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
The Pause+ Mobile App is a customer-facing mobile application published by Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co., a Turkish food/cafe operator. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts), meaning the backend authentication endpoint serving the mobile app fails to enforce rate limiting, account lockout, CAPTCHA, or exponential backoff against repeated credential submissions. This class of weakness turns any login API into an oracle for online brute-force or credential-stuffing attacks, where an attacker can iterate through password or OTP candidates until valid credentials are found. The CPE entry covers all versions of the Pause+ Mobile App from this vendor.
RemediationAI
Upgrade the Pause+ Mobile App to version 1.5 or later, which is identified as the first fixed release per the affected-version range (Patch available per vendor advisory; consult TR-CERT bulletin https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0368 for vendor-specific guidance). Because this is a server-side authentication weakness exposed through a mobile client, the operator should also harden the backend authentication endpoint by enforcing per-account and per-IP rate limiting, account lockout with exponential backoff, and CAPTCHA after a small number of failed attempts; note that aggressive lockout can enable denial-of-service against legitimate users, so pair it with notification and self-service unlock. As an interim control, restrict or monitor unusual volumes of login traffic at the WAF or API gateway and require re-authentication or step-up MFA for sensitive actions to limit blast radius if credentials are guessed.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36429
GHSA-hmm4-32x8-q64g