Skip to main content

CWE-287

Improper Authentication

2779 CVEs Avg CVSS 7.6 MITRE
878
CRITICAL
901
HIGH
897
MEDIUM
93
LOW
633
POC
34
KEV

Monthly

CVE-2026-12585 HIGH POC PATCH This Week

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.

WordPress Abandoned Cart Lite For Woocommerce Authentication Bypass
NVD WPScan
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-12492 CRITICAL POC PATCH Act Now

Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score.

Authentication Bypass WordPress Happy Coders Otp Login For Woocommerce
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-55445 CRITICAL Act Now

Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. No public exploit identified at time of analysis, but the fixing PR diff publicly discloses the exact bypass, making weaponization trivial; CVSS 4.0 base score is 9.3 (Critical).

Authentication Bypass Qinglong
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-55652 CRITICAL Act Now

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-52893 CRITICAL Act Now

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-47156 PHP CRITICAL PATCH GHSA Act Now

Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.

Authentication Bypass PHP
NVD GitHub
CVE-2026-44986 CRITICAL PATCH Act Now

Account takeover in Penpot before 2.14.5 allows an authenticated registered user to hijack any non-blocked profile without knowing its password. The flaw chains three defects: create-team-invitations leaks invitation tokens, prepare-register-profile embeds an existing profile's id into the prepared-register JWE, and register-profile then mints a session on an invitation email match while skipping password verification (CWE-287). No public exploit has been identified, but the fix commit and PR diff are public and the CVSS base score is 9.9.

Authentication Bypass Penpot
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-47159 MEDIUM PATCH This Month

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the `/organizations/domain/sso/verified` endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the `prevalidate()` flow without legitimate credentials. No public exploit code is identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Vaultwarden
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-61740 CRITICAL PATCH Act Now

Authentication bypass in HKUDS LightRAG before 1.5.4 lets a remote unauthenticated attacker defeat X-API-Key protection when the server runs in the API-key-only profile (LIGHTRAG_API_KEY set, AUTH_ACCOUNTS unset). Because auth.py falls back to a public hardcoded DEFAULT_TOKEN_SECRET and /auth-status and /login freely mint guest JWTs, combined_dependency honored a guest token before ever checking the API key, exposing document read/upload/delete, graph mutation, and query endpoints. No public exploit is identified at time of analysis, but the underlying fix (PR #3319) ships a regression test showing that forging a valid guest token with the default secret is trivial; fixed in 1.5.4.

Authentication Bypass Lightrag
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-61436 HIGH PATCH This Week

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.received' events when the framework runs in AgentMail webhook mode. Because incoming payloads are trusted without validating the Svix signature (CWE-287), an attacker can POST crafted JSON to the webhook endpoint and cause configured agents to process attacker-chosen sender addresses and message bodies. A vendor patch exists (4.6.78); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.

WordPress Abandoned Cart Lite For Woocommerce Authentication Bypass
NVD WPScan
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score.

Authentication Bypass WordPress Happy Coders Otp Login For Woocommerce
NVD WPScan
EPSS 0% CVSS 9.3
CRITICAL Act Now

Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. No public exploit identified at time of analysis, but the fixing PR diff publicly discloses the exact bypass, making weaponization trivial; CVSS 4.0 base score is 9.3 (Critical).

Authentication Bypass Qinglong
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL Act Now

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).

Authentication Bypass Wekan
NVD GitHub
CRITICAL PATCH Act Now

Privilege escalation to administrator in MantisBT 2.28.3 and earlier lets a low-privileged or self-registered user impersonate any account, including the administrator, through the SOAP API's flawed mci_check_login() function. Because the function accepts any valid cookie_string without checking that it belongs to the supplied username, an attacker who knows a target username (e.g. 'administrator') and possesses their own MANTIS_STRING_COOKIE can authenticate as that user without a password. With self-registration enabled by default ($g_allow_signup = ON), this is exploitable from zero prior access, granting full read/write and destructive control over all projects, issues, and user data. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the underlying bug is trivially reliable.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Account takeover in Penpot before 2.14.5 allows an authenticated registered user to hijack any non-blocked profile without knowing its password. The flaw chains three defects: create-team-invitations leaks invitation tokens, prepare-register-profile embeds an existing profile's id into the prepared-register JWE, and register-profile then mints a session on an invitation email match while skipping password verification (CWE-287). No public exploit has been identified, but the fix commit and PR diff are public and the CVSS base score is 9.9.

Authentication Bypass Penpot
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the `/organizations/domain/sso/verified` endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the `prevalidate()` flow without legitimate credentials. No public exploit code is identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Vaultwarden
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in HKUDS LightRAG before 1.5.4 lets a remote unauthenticated attacker defeat X-API-Key protection when the server runs in the API-key-only profile (LIGHTRAG_API_KEY set, AUTH_ACCOUNTS unset). Because auth.py falls back to a public hardcoded DEFAULT_TOKEN_SECRET and /auth-status and /login freely mint guest JWTs, combined_dependency honored a guest token before ever checking the API key, exposing document read/upload/delete, graph mutation, and query endpoints. No public exploit is identified at time of analysis, but the underlying fix (PR #3319) ships a regression test showing that forging a valid guest token with the default secret is trivial; fixed in 1.5.4.

Authentication Bypass Lightrag
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.received' events when the framework runs in AgentMail webhook mode. Because incoming payloads are trusted without validating the Svix signature (CWE-287), an attacker can POST crafted JSON to the webhook endpoint and cause configured agents to process attacker-chosen sender addresses and message bodies. A vendor patch exists (4.6.78); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Praisonai
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy