Skip to main content

CWE-290

Authentication Bypass by Spoofing

485 CVEs Avg CVSS 7.0 MITRE
88
CRITICAL
142
HIGH
243
MEDIUM
12
LOW
82
POC
3
KEV

Monthly

CVE-2026-12382 HIGH This Week

mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.

Authentication Bypass Red Hat Ansible Automation Platform 2
NVD
CVSS 3.1
8.2
CVE-2026-62644 MEDIUM PATCH This Month

Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the high integrity and confidentiality impact ratings reflect genuine account hijacking potential in shared hosting environments.

Authentication Bypass Webmail
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-55954 CRITICAL PATCH Act Now

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.

Apple Authentication Bypass Ueberauth Apple
NVD GitHub
CVSS 4.0
9.1
EPSS
0.4%
CVE-2026-58488 MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-61428 MEDIUM PATCH This Month

Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.

Authentication Bypass Praisonai
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-55641 HIGH PATCH This Week

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). No public exploit identified at time of analysis, though the fixing commit is public, and EPSS/KEV signals are not provided.

Authentication Bypass 9Router
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-8651 HIGH PATCH This Week

Authentication bypass by spoofing in Progress MOVEit Transfer's HTTPS module allows remote unauthenticated attackers to impersonate or partially bypass identity verification, compromising integrity (CVSS 7.5, I:H) without exposing or destroying data (C:N/A:N). The flaw affects MOVEit Transfer builds before 2025.0.7 and the 2025.1.x line before 2025.1.3; a vendor patch is available. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, but MOVEit Transfer's history as a mass-exploitation target warrants prompt patching.

Authentication Bypass Moveit Transfer
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-56360 npm MEDIUM PATCH This Month

Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-55501 npm HIGH PATCH GHSA This Week

Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.3
EPSS
0.5%
CVE-2026-24013 PyPI CRITICAL PATCH Act Now

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVSS 8.2
HIGH This Week

mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.

Authentication Bypass Red Hat Ansible Automation Platform 2
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the high integrity and confidentiality impact ratings reflect genuine account hijacking potential in shared hosting environments.

Authentication Bypass Webmail
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.

Apple Authentication Bypass Ueberauth Apple
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.

Authentication Bypass Praisonai
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication bypass in 9Router (decolua/9router) before 0.5.2 lets a remote unauthenticated attacker forge a 'Host: localhost' header so the /v1 LLM proxy treats the request as local and skips API-key checks. Once past authentication, an attacker abuses stored provider credentials for upstream LLM calls and leverages /v1/search's searxng provider_options.baseUrl to force server-side requests to internal or cloud-metadata endpoints (SSRF). No public exploit identified at time of analysis, though the fixing commit is public, and EPSS/KEV signals are not provided.

Authentication Bypass 9Router
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass by spoofing in Progress MOVEit Transfer's HTTPS module allows remote unauthenticated attackers to impersonate or partially bypass identity verification, compromising integrity (CVSS 7.5, I:H) without exposing or destroying data (C:N/A:N). The flaw affects MOVEit Transfer builds before 2025.0.7 and the 2025.1.x line before 2025.1.3; a vendor patch is available. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, but MOVEit Transfer's history as a mass-exploitation target warrants prompt patching.

Authentication Bypass Moveit Transfer
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.

Authentication Bypass N8n
NVD GitHub
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.

Authentication Bypass Apache Apache Iotdb
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy