Skip to main content

CWE-305

Authentication Bypass by Primary Weakness

119 CVEs Avg CVSS 7.5 MITRE
32
CRITICAL
43
HIGH
39
MEDIUM
3
LOW
22
POC
1
KEV

Monthly

CVE-2026-9597 MEDIUM This Month

Deactivated guest accounts in Mattermost 11.6.x through 11.6.4 and 11.7.x through 11.7.2 can regain platform access using magic-link tokens issued before deactivation, because the magic-link login path omits an account-status check during session creation. This directly undermines guest account revocation as an access control mechanism - administrators who deactivate a guest account expecting immediate exclusion will find the control is defeatable while any pre-issued token remains valid. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-9571 MEDIUM This Month

Mattermost fails to invalidate OAuth refresh tokens when a user account is deactivated, enabling former users - or any attacker who possesses a valid refresh token - to continue minting functional access tokens against the OAuth refresh token grant endpoint indefinitely after access revocation should have taken effect. All three actively maintained release branches are affected (10.11.x, 11.6.x, 11.7.x), making this a cross-branch session-persistence flaw with high confidentiality and integrity impact on any workspace relying on OAuth-integrated access control. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack path requires minimal skill for any party already holding a refresh token.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-35159 MEDIUM PATCH This Month

Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Dell Information Disclosure Inspiron 15 3520 G15 5530 +175
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-10539 CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-41052 Go CRITICAL PATCH GHSA Act Now

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to improperly escalate their privileges beyond their assigned project scope, per advisory GHSA-vx8h-4prv-g744. Affected releases are 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.4 and scope-changing impact mean a successful escalation can compromise cluster-wide confidentiality, integrity, and availability.

Privilege Escalation Rancher
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2025-4994 HIGH PATCH This Week

Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.

Authentication Bypass Safeline Sl6 Sl6
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-7064 MEDIUM CISA This Month

Authentication bypass via primary weakness (CWE-305) in ABB Freelance DCS affects every major release line from 2013 through 2024, allowing a locally authenticated low-privilege user to circumvent the product's authentication mechanism and gain elevated control over the system. The CVSS vector (AV:L/PR:L/I:H) confirms the attacker must already hold a foothold on the host but can then achieve high integrity impact - particularly serious in an industrial control system context where manipulating controller configurations can affect physical processes. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the wide version span and OT deployment context elevate remediation urgency.

Authentication Bypass Abb
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-25555 CRITICAL POC Act Now

Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.

Authentication Bypass Openbullet2
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-9798 Maven MEDIUM This Month

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Authentication Bypass Build Of Keycloak
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9047 Monitor

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0

Authentication Bypass Server
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

Deactivated guest accounts in Mattermost 11.6.x through 11.6.4 and 11.7.x through 11.7.2 can regain platform access using magic-link tokens issued before deactivation, because the magic-link login path omits an account-status check during session creation. This directly undermines guest account revocation as an access control mechanism - administrators who deactivate a guest account expecting immediate exclusion will find the control is defeatable while any pre-issued token remains valid. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Mattermost fails to invalidate OAuth refresh tokens when a user account is deactivated, enabling former users - or any attacker who possesses a valid refresh token - to continue minting functional access tokens against the OAuth refresh token grant endpoint indefinitely after access revocation should have taken effect. All three actively maintained release branches are affected (10.11.x, 11.6.x, 11.7.x), making this a cross-branch session-persistence flaw with high confidentiality and integrity impact on any workspace relying on OAuth-integrated access control. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack path requires minimal skill for any party already holding a refresh token.

Information Disclosure Mattermost
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Dell Information Disclosure +177
NVD
EPSS 0% CVSS 9.5
CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Privilege escalation in SUSE Rancher (Kubernetes management platform) allows a user holding the Project Owner role to improperly escalate their privileges beyond their assigned project scope, per advisory GHSA-vx8h-4prv-g744. Affected releases are 2.14 before 2.14.2, 2.13 before 2.13.6, and 2.12 before 2.12.10. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.4 and scope-changing impact mean a successful escalation can compromise cluster-wide confidentiality, integrity, and availability.

Privilege Escalation Rancher
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.

Authentication Bypass Safeline Sl6 Sl6
NVD
EPSS 0% CVSS 5.6
MEDIUM This Month

Authentication bypass via primary weakness (CWE-305) in ABB Freelance DCS affects every major release line from 2013 through 2024, allowing a locally authenticated low-privilege user to circumvent the product's authentication mechanism and gain elevated control over the system. The CVSS vector (AV:L/PR:L/I:H) confirms the attacker must already hold a foothold on the host but can then achieve high integrity impact - particularly serious in an industrial control system context where manipulating controller configurations can affect physical processes. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the wide version span and OT deployment context elevate remediation urgency.

Authentication Bypass Abb
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.

Authentication Bypass Openbullet2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Authentication Bypass Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 7.6
Monitor

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0

Authentication Bypass Server
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy