
CWE-305

Authentication Bypass by Primary Weakness

55 CVEs | Avg CVSS 7.4 | Source: MITRE
Severity: 13 Critical, 19 High, 18 Medium, 3 Low
POC: 5 | KEV: 1


CVE-2026-9798 MEDIUM This Month

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Authentication Bypass
Sources: NVD, VulDB
CVSS 3.1: 4.3 | EPSS: 0.1%
CVE-2026-9047 Monitor

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0.

Authentication Bypass Server
Sources: NVD, VulDB
CVSS 3.1: 7.6 | EPSS: 0.0%
CVE-2026-41054 HIGH PATCH This Week

Local privilege escalation in haveged (HArdware Volatile Entropy Gathering and Expansion Daemon) allows authenticated low-privileged users to escalate to root via the daemon's command socket, which is affected by missing authentication for a critical function (CWE-305). The flaw was disclosed on the oss-security mailing list on 2026-05-20 by Jiri Hladky, with vendor patches available from SUSE and tracking in Debian (bug #1137096); no public exploit identified at time of analysis.

Privilege Escalation
Sources: NVD, VulDB
CVSS 3.1: 7.8 | EPSS: 0.0%
CVE-2026-6334 LOW Monitor

OAuth authorization code interception in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated OAuth clients to redeem authorization codes issued to different clients. An attacker controlling a malicious OAuth application can intercept and exchange authorization codes meant for legitimate applications, potentially gaining unauthorized access to user data or sessions. CVSS score of 3.1 reflects high attack complexity and required privileges, with EPSS data not provided. Vendor patch released per Mattermost advisory MMSA-2026-00570.

Information Disclosure Microsoft Mattermost
Sources: NVD
CVSS 3.1: 3.1 | EPSS: 0.0%
CVE-2026-2652 PyPI HIGH PATCH GHSA This Week

Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.

Authentication Bypass Python
Sources: NVD, GitHub
CVSS 3.0: 8.6 | EPSS: 0.1%
CVE-2026-6266 HIGH PATCH This Week

Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Authentication Bypass Red Hat
Sources: NVD, VulDB
CVSS 3.1: 8.3 | EPSS: 0.0%
CVE-2026-4670 CRITICAL PATCH Act Now

Authentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. Affects all versions before 2025.0.9, all 2024.x versions before 2024.1.8, and all versions prior to 2024.0.0. Progress Software has released patches for all supported versions. CVSS 9.8 critical severity with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit or active exploitation confirmed at time of analysis, though the authentication bypass nature and MOVEit's history as a high-value target make this a priority remediation candidate.

Authentication Bypass
Sources: NVD
CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2026-33472 MEDIUM PATCH This Month

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.

Authentication Bypass Microsoft Hashicorp
Sources: NVD, GitHub
CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-20152 MEDIUM This Month

A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device.

Authentication Bypass Cisco
Sources: NVD, VulDB
CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-33892 MEDIUM CISA This Month

Authentication bypass in Siemens Industrial Edge Management systems (Pro V1 ≥1.7.6 <1.15.17, Pro V2 ≥2.0.0 <2.1.1, Virtual ≥2.2.0 <2.8.0) allows unauthenticated remote attackers with user interaction to impersonate legitimate users and tunnel to managed devices when remote connection features are enabled. Exploitation requires knowledge of connection headers and ports but does not bypass device-level application authentication. No public exploit identified at time of analysis. CVSS 7.1 with network attack vector, low complexity, and no authentication required (PR:N), indicating moderate real-world risk for industrial environments with exposed management interfaces.

Information Disclosure
Sources: NVD, VulDB
CVSS 4.0: 5.1 | EPSS: 0.1%