Skip to main content

Pause+ Mobile App CVE-2026-6853

| EUVDEUVD-2026-36429 CRITICAL
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-06-12 TR-CERT GHSA-hmm4-32x8-q64g
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (TR-CERT) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

Network-reachable login API with no auth or interaction (AV:N/AC:L/PR:N/UI:N); brute-force yields account takeover so C:H, but only per-account integrity (I:L) and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 14:50 vuln.today

DescriptionNVD

Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass.

This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.

AnalysisAI

Authentication bypass in Başbelen Group's Pause+ Mobile App versions 1.0.6 through 1.4.x allows remote attackers to defeat login protections by exhausting authentication attempts without lockout, per CWE-307. The CVSS 9.8 score and PR:N/UI:N vector indicate unauthenticated network-based exploitation against any user account, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

The Pause+ Mobile App is a customer-facing mobile application published by Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co., a Turkish food/cafe operator. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts), meaning the backend authentication endpoint serving the mobile app fails to enforce rate limiting, account lockout, CAPTCHA, or exponential backoff against repeated credential submissions. This class of weakness turns any login API into an oracle for online brute-force or credential-stuffing attacks, where an attacker can iterate through password or OTP candidates until valid credentials are found. The CPE entry covers all versions of the Pause+ Mobile App from this vendor.

RemediationAI

Upgrade the Pause+ Mobile App to version 1.5 or later, which is identified as the first fixed release per the affected-version range (Patch available per vendor advisory; consult TR-CERT bulletin https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0368 for vendor-specific guidance). Because this is a server-side authentication weakness exposed through a mobile client, the operator should also harden the backend authentication endpoint by enforcing per-account and per-IP rate limiting, account lockout with exponential backoff, and CAPTCHA after a small number of failed attempts; note that aggressive lockout can enable denial-of-service against legitimate users, so pair it with notification and self-service unlock. As an interim control, restrict or monitor unusual volumes of login traffic at the WAF or API gateway and require re-authentication or step-up MFA for sensitive actions to limit blast radius if credentials are guessed.

Share

CVE-2026-6853 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy