Monthly
Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. No public exploit identified at time of analysis, and this is not listed in CISA KEV; real-world exploitation requires the attacker to already possess a valid, properly signed JWT.
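The contrast the entry describes, as an added illustration that is not Hono's code: a lenient parser that splits the Authorization header into two parts and ignores the scheme, next to a strict one that requires the Bearer scheme (case-insensitive, as RFC 7235 specifies for auth-scheme) and a token68 credential as RFC 6750 §2.1 defines. The token value and the verifyJwt stand-in are constructed for the example; they are not real signed material or a real verifier.

```javascript
// Added example (not from the Hono project). verifyJwt is a hypothetical
// stand-in for signature verification: it accepts exactly one constructed
// token so the effect of the scheme check can be observed in isolation.
const VALID_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl'; // constructed, not a real JWT

function verifyJwt(token) {
  return token === VALID_TOKEN ? { sub: 'alice' } : null;
}

// Lenient extractor: any "<scheme> <credential>" pair yields the credential,
// so "Basic <token>" or "Token <token>" reaches verification unchanged.
function lenientBearer(header) {
  if (typeof header !== 'string') return null;
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2) return null;
  return parts[1];
}

// Strict extractor: scheme must be "Bearer" (case-insensitive), followed by
// one or more spaces and a single token68 credential, with nothing after it.
const BEARER_RE = /^Bearer[ ]+([A-Za-z0-9\-._~+/]+=*)$/i;

function strictBearer(header) {
  if (typeof header !== 'string') return null;
  const m = BEARER_RE.exec(header.trim());
  return m ? m[1] : null;
}

// Authorization decision for a route: claims on success, null on failure.
function authorize(header, extract) {
  const token = extract(header);
  if (token === null) return null;
  return verifyJwt(token);
}

// Demonstration: the same signed token under a wrong scheme passes the
// lenient path and is rejected by the strict one.
for (const h of ['Bearer ' + VALID_TOKEN, 'Basic ' + VALID_TOKEN, 'Token ' + VALID_TOKEN]) {
  console.log(JSON.stringify(h.split(' ')[0]),
    'lenient:', authorize(h, lenientBearer) !== null,
    'strict:', authorize(h, strictBearer) !== null);
}
```

The strict regex also rejects a header with trailing material after the credential and a bare "Bearer" with no credential, both of which a split-on-whitespace check handles inconsistently. As the entry notes, the scheme check is a correctness control rather than the last line of defence: a forged or expired token still fails verifyJwt on either path.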
Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level: cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No in-the-wild exploitation has been confirmed and the issue is not listed in CISA KEV, but a researcher-published proof-of-concept exists on GitHub. EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.
Authorization bypass in IBM Db2 12.1.0 through 12.1.4 enables authenticated low-privilege users to upload data to remote object storage paths that should be beyond their access scope via a specially crafted query. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the attack is network-accessible, requires no user interaction, and demands only a low-privilege database account, while the I:H component indicates high integrity impact: unauthorized writes to restricted storage destinations. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Improper authorization in Apple macOS allows a locally-installed malicious application to access sensitive user data without proper entitlement checks. Affected releases span three macOS generations: Sequoia (prior to 15.7), Sonoma (prior to 14.8), and the forthcoming Tahoe (prior to 26). The flaw stems from a logic issue in access validation, meaning apps lacking legitimate permissions can bypass gating controls to read protected data. No public exploit code or CISA KEV listing has been identified at time of analysis.
Improper authorization in NocoDB (npm/nocodb ≤ 0.301.3) allows unauthenticated network attackers holding only a shared-base UUID to enumerate base members and inject arbitrary email addresses as permanent authenticated base members. The invited account redeems the invite through the normal signup flow, obtains a persistent JWT scoped to the target base, and retains that access even after the base owner revokes the shared link - effectively converting ephemeral anonymous share access into durable authenticated membership. No public exploit code has been identified and there is no CISA KEV listing at time of analysis, but the absence of a released patch and the trivial exploitation prerequisites materially elevate operational risk beyond what the CVSS 5.8 score alone implies.
Improper cache key generation in SpiceDB's dispatch layer allows authorization bypass when caveat structures use nested lists. Affected versions (v1.15.0 through v1.51.x) generate colliding cache keys due to non-deterministic serialization of nested list structures in caveat contexts, causing the system to erroneously serve a cached positive authorization result in place of a correct negative one. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog, but exploitation is structurally straightforward for any party with the ability to send crafted CheckBulkPermission or LookupResources requests to a misconfigured deployment.
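The failure mode the SpiceDB entry describes, as an added illustration that is not SpiceDB's code: a hypothetical dispatch cache whose key function discards list nesting, so two distinct caveat contexts share one key and a cached "allowed" result is returned for a request that the caveat would deny. The caveat, the key functions and the two requests are all constructed for the example; the real defect as described is non-deterministic serialization, and what is shown is the consequence it produces, namely two different contexts resolving to the same cache key.

```javascript
// Added example (not from SpiceDB). The caveat, key functions and requests
// below are hypothetical; only the collision-to-bypass mechanism is the point.

// Hypothetical caveat: allowed only if the FIRST inner list of ctx.groups
// contains the requested group id. Nesting is therefore semantically relevant.
function evalCaveat(ctx) {
  return ctx.groups[0].includes(ctx.wanted);
}

// Lossy key: flattens every nested list to its leaves, so [[1,2],[3]] and
// [[1],[2,3]] produce the same key even though the caveat treats them differently.
function lossyKey(ctx) {
  return `${ctx.wanted}|${ctx.groups.flat(Infinity).join(':')}`;
}

// Canonical key: JSON with sorted object keys; list nesting is preserved and
// equal contexts always serialize identically.
function canonicalKey(ctx) {
  const normalize = (v) => {
    if (Array.isArray(v)) return v.map(normalize);
    if (v !== null && typeof v === 'object') {
      return Object.fromEntries(Object.keys(v).sort().map((k) => [k, normalize(v[k])]));
    }
    return v;
  };
  return JSON.stringify(normalize(ctx));
}

// Minimal check cache parameterized by the key function.
function makeChecker(keyFn) {
  const cache = new Map();
  let evaluations = 0;
  return {
    check(ctx) {
      const key = keyFn(ctx);
      if (cache.has(key)) return cache.get(key);
      evaluations += 1;
      const result = evalCaveat(ctx);
      cache.set(key, result);
      return result;
    },
    evaluations: () => evaluations,
  };
}

// Constructed requests: the first is legitimately allowed (2 is in the first
// list); the second must be denied (2 appears only in the second list).
const ALLOWED_REQ = { wanted: 2, groups: [[1, 2], [3]] };
const DENIED_REQ = { wanted: 2, groups: [[1], [2, 3]] };

// Runs the allowed request first, then the one that should be denied, and
// reports both decisions plus how many times the caveat was actually evaluated.
function runScenario(keyFn) {
  const checker = makeChecker(keyFn);
  const first = checker.check(ALLOWED_REQ);
  const second = checker.check(DENIED_REQ);
  return { first, second, evaluations: checker.evaluations() };
}

console.log('lossy key    :', runScenario(lossyKey));     // second request wrongly allowed
console.log('canonical key:', runScenario(canonicalKey)); // second request correctly denied
```

Under the lossy key the second request never reaches evalCaveat at all: the cache serves the positive answer computed for the first one, which is exactly the pattern of a cached positive result standing in for a correct negative one. The ordering matters for exploitation, which is why the entry stresses that a party able to submit crafted requests can drive the cache into that state.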
Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.
Improper authorization in the Open5GS AMF/MME component (versions through 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects a network vector with low attack complexity, offset by the authentication requirement.
Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.