Skip to main content

Server EUVDEUVD-2026-15553

| CVE-2026-2414 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-25 HYPR GHSA-m6wh-6x2c-qqwh
5.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
10.7.2
EUVD ID Assigned
Mar 25, 2026 - 17:17 euvd
EUVD-2026-15553
Analysis Generated
Mar 25, 2026 - 17:17 vuln.today
CVE Published
Mar 25, 2026 - 17:03 nvd
MEDIUM 5.6

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.This issue affects Server: from 9.5.2 before 10.7.2.

AnalysisAI

A user-controlled key authorization bypass vulnerability in HYPR Server versions 9.5.2 through 10.7.1 enables authenticated attackers to escalate privileges through improper authorization checks. An attacker with low-level privileges can manipulate cryptographic keys or authorization tokens to gain high-level access, compromising confidentiality, integrity, and availability of the authentication system. This vulnerability requires local or physical access to the system and valid user credentials, limiting its immediate threat scope but representing a critical risk in multi-tenant or shared infrastructure deployments.

Technical ContextAI

The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a root cause involving improper validation of user-supplied cryptographic material or authorization parameters. HYPR Server (cpe:2.3:a:hypr:server:*:*:*:*:*:*:*:*), an authentication and identity management platform, fails to properly validate or restrict how authenticated users can influence key material used in privilege decisions. Rather than deriving authorization levels from immutable server-side sources, the system allows users to supply or modify key values that directly influence access control decisions. This is particularly dangerous in zero-trust or passwordless authentication contexts where HYPR operates, as it undermines the cryptographic assurances these systems depend upon.

RemediationAI

Immediately upgrade HYPR Server to version 10.7.2 or later, which contains the fix for this authorization bypass vulnerability. Refer to https://www.hypr.com/trust-center/security-advisories for detailed upgrade procedures and release notes. For organizations unable to patch immediately, implement compensating controls: restrict administrative console and API access to trusted networks only, enforce multifactor authentication for all HYPR administrative accounts, audit and monitor all privilege escalation attempts and authorization token issuance, and segregate HYPR Server instances in air-gapped or heavily monitored environments if possible. Review audit logs for any evidence of exploitation (privilege escalation events or unauthorized key modifications) prior to patching. Post-patch, validate that authorization decisions now correctly refuse user-controlled key manipulation through security testing.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

Share

EUVD-2026-15553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy