Skip to main content

Authentication Bypass

31257 CVEs technique

Monthly

CVE-2026-56310 MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56302 MEDIUM PATCH This Month

Unauthenticated remote attackers can read, insert, and delete stored app icons in Capgo (all versions before 12.128.2) due to a Supabase images bucket entirely lacking row-level security (RLS) controls. Exploitation leaks sensitive app IDs and user IDs embedded in bucket metadata, and enables full icon deletion causing visual degradation of hosted applications. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 12.128.2.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56270 npm HIGH PATCH This Week

Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.

Authentication Bypass Microsoft Google Flowise
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56269 npm MEDIUM PATCH This Month

Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.

Authentication Bypass Privilege Escalation Node.js Flowise
NVD GitHub
CVSS 4.0
4.3
EPSS
0.1%
CVE-2026-56262 PyPI MEDIUM PATCH This Month

Authentication bypass in the Crawl4AI Docker API server before 0.8.7 exposes all monitor router endpoints - including the destructive /monitor/actions/cleanup action - to unauthenticated remote attackers due to missing token dependency injection on the monitor router. Any attacker with network access to the Docker API port can invoke cleanup operations and manipulate monitoring state, causing service disruption without credentials. No active exploitation (CISA KEV) or public POC has been identified at time of analysis; the CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N confirms trivial remote unauthenticated access with no special conditions required.

Authentication Bypass Crawl4ai
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56257 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users to directly modify the public.apps.owner_org column via PostgREST, circumventing the intended transfer_app() workflow. Successful exploitation creates a split-brain ownership state where apps.owner_org and app_versions.owner_org diverge, letting the original organization's API keys retain access to version data while the new owning organization controls the app record. No public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56237 CRITICAL PATCH Act Now

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tampering with a client-side parameter in the key generation request, because the backend never validates that keys are server-generated or bound to the authenticated user. The forged keys grant access to protected endpoints, yielding full confidentiality and integrity compromise of tenant data. No public exploit identified at time of analysis, but the flaw is trivially reproducible from any HTTP client.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-56232 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users with valid subkeys to escape scope restrictions by supplying their own subkey identifier in the x-limited-key-id header, causing middlewareKey to fall back to the unrestricted parent key. With CVSS 4.0 of 8.7 and high impact across confidentiality, integrity, and availability, exploitation only requires low-privileged API access, though no public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56231 HIGH PATCH This Week

Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.

Authentication Bypass Denial Of Service Capgo
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56223 CRITICAL PATCH Act Now

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a malicious IdP to forge SAML assertions and merge arbitrary victim accounts based solely on email match. The provision-user endpoint fails to validate that the asserting SSO provider is authorized for the victim's email domain, granting full takeover of accounts, organizations, and data. No public exploit identified at time of analysis; CVSS 4.0 base is 9.3 (Critical) reflecting high impact across both vulnerable and subsequent systems.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-7761 HIGH This Week

Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. No public exploit identified at time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.

Authentication Bypass WordPress Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-8690 MEDIUM This Month

Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the zero-barrier entry point - unauthenticated, network-accessible, low complexity - means any exposed deployment is immediately at risk without requiring attacker sophistication.

Authentication Bypass WordPress Rentmy Real Time Rental Management Plugin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9178 HIGH This Week

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.

Information Disclosure Authentication Bypass WordPress Wp Forms Connector
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-8688 MEDIUM This Month

Authorization bypass in the Advance Nav Menu Manager WordPress plugin (all versions through 1.3) permits any authenticated subscriber-level user to manipulate site navigation menus without authorization. The plugin invokes wp_insert_post() for nav_menu_item operations - duplicate, copy, move, and publish - without enforcing capability checks, allowing low-privilege users to alter navigation structure at will. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the low barrier to exploitation (any registered subscriber account) makes it a meaningful risk on sites with open or compromised user registration.

Authentication Bypass WordPress Advance Nav Menu Manager
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12417 CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation WordPress Signup Signin
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-9172 MEDIUM This Month

{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.

Authentication Bypass WordPress Devs Accounting Simple Accounting And Invoicing Solution
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-9616 MEDIUM This Month

Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.

Authentication Bypass WordPress Generate Security Txt
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8617 MEDIUM This Month

Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.

Authentication Bypass WordPress Searchplus
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-9184 MEDIUM This Month

Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.

Authentication Bypass WordPress 24Liveblog Live Blog Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8614 MEDIUM This Month

Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.

Authentication Bypass WordPress Assistio
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7617 MEDIUM This Month

Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the trivially low attack complexity (AV:N/AC:L/PR:N) means exploitation requires only an HTTP request.

Authentication Bypass WordPress Secufor Oauth
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9619 MEDIUM This Month

Authorization bypass in the Reviews and Rating - Docplanner WordPress plugin (versions ≤ 1.1.4) allows any authenticated subscriber-level user to invoke privileged plugin actions without proper capability checks. Exploitation enables two distinct abuse paths: triggering server-side outbound scraping of attacker-controlled or arbitrary external URLs with results written to the wp_dp_reviews database table, and dispatching feature-request emails impersonating the site administrator's address. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Reviews And Rating Docplanner
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-4297 HIGH This Week

Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.

Authentication Bypass Privilege Escalation WordPress Welcome Software Publishing
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-12094 MEDIUM This Month

Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.

Authentication Bypass WordPress Advanced Contact Form 7 Compact Db
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9175 MEDIUM This Month

Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.

Information Disclosure Authentication Bypass WordPress Devs Accounting Simple Accounting And Invoicing Solution
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-5818 HIGH This Week

Firmware verification bypass in Caliptra Core Runtime Firmware versions 2.0.0 through 2.0.1 and 2.1.0 allows an attacker with high privileges to load unverified MCU firmware during a hitless update. The flaw resides in the ActivateFirmwareCmd::activate_fw module, where an incorrect check of a function return value causes the Root-of-Trust to skip authentication of the Microcontroller Unit firmware image. No public exploit identified at time of analysis, and the issue was responsibly disclosed by the Caliptra project itself.

Authentication Bypass Core Runtime Firmware
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-55542 PHP LOW PATCH GHSA Monitor

Signature image retrieval in Snipe-IT's S3-backed deployments bypasses authorization, allowing any authenticated user to obtain a 5-minute pre-signed S3 URL for acceptance signature images they are not permitted to view. The flaw exists in ActionlogController.php where the S3 code path returns a signed URL before the authorize() call is reached - a call that is correctly enforced only in the local-file code path. Affected are all Snipe-IT deployments on versions <= 8.5.0 configured to use S3 storage; no public exploit code exists and this CVE is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.4%
CVE-2026-55519 PHP LOW PATCH GHSA Monitor

Improper authorization in Snipe-IT v8.4.0 permits any authenticated user holding generic asset edit permissions to delete files attached to any asset across the entire system, bypassing both ownership and company assignment boundaries. The flaw exists in both the web and API file deletion controllers, where a class-level policy check is applied instead of the required instance-level check, constituting a classic IDOR (CWE-285). No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch exists in version 8.4.1.

Authentication Bypass
NVD GitHub
CVE-2026-55483 PHP MEDIUM PATCH GHSA This Month

Privilege escalation in Snipe-IT's user creation endpoint allows any authenticated holder of the `users.create` permission to provision new accounts with full admin privileges. The `store()` method in both the web UI and API `UsersController` correctly strips the superuser flag from user-creation payloads submitted by non-superusers, but applies no equivalent check to the admin permission, creating a direct path from delegated HR or department-lead roles to full administrative control over the Snipe-IT instance. A vendor-released patch is available in version 8.6.0; no public exploit has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-55482 PHP MEDIUM PATCH GHSA This Month

Multi-tenancy isolation is broken in Snipe-IT versions through 8.4.1, allowing authenticated non-superadmin users to reassign assets across company boundaries via the bulk asset update endpoint. The root cause is that `BulkAssetsController::update()` accepts `company_id` directly from HTTP request input without applying the `Company::getIdForCurrentUser()` scoping guard used by every other controller in the codebase. A fix is confirmed in version 8.4.2 via commit d58fda626e8febfeff4cabbc20ba03edfc411e18; no public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.3
CVE-2026-50550 PHP MEDIUM PATCH GHSA This Month

Privilege escalation in Snipe-IT allows a low-privileged authenticated user with 'edit users' permission to reset a superadmin's two-factor authentication (2FA), stripping the highest-privilege account of its MFA protection. This CWE-862 (Missing Authorization) flaw affects all Snipe-IT composer releases prior to 8.5.0. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, the high integrity impact and direct erosion of the superadmin's secondary authentication factor make this a meaningful risk wherever the superadmin account is the critical security boundary.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.8
CVE-2026-49976 PHP MEDIUM PATCH GHSA This Month

Account takeover in Snipe-IT (versions prior to 8.6.0) is achievable by any user holding the `import` permission via a logic flaw in the CSV user-import update path. The `UserImporter.php` code correctly unsets auth fields from the Eloquent model object, but `sanitizeItemForUpdating()` rebuilds its update payload from the raw CSV row (`$this->item`) - not from the model - rendering the unset calls entirely ineffective. An authenticated user with only `import` rights can overwrite any non-admin, non-superuser account's email address and then trigger a password reset to complete a full account takeover. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the vendor-published advisory includes precise source code and a working reproduction path.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-48493 PHP MEDIUM POC PATCH NEWS GHSA This Month

{their_own_id}`. The `PreserveUnauthorizedPrivilegedPermissionsAction` class failed to distinguish self-modification from modification of other users, allowing the permission set of the authenticated caller's own account to be silently expanded. No public exploit code or CISA KEV listing exists at time of analysis, but the flaw is practically exploitable by any delegated operator who holds the two prerequisite permissions.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-48492 PHP MEDIUM PATCH GHSA This Month

{object}/selectlist API endpoints allows any authenticated user-regardless of permissions-to enumerate the full user directory, assets, accessories, consumables, and licenses using only a valid session cookie. Affected versions prior to 8.5.1 expose usernames, display names, employee numbers, and user IDs for all active accounts, providing an ideal launchpad for credential stuffing, password spraying, and social engineering. No public exploit identified at time of analysis; vendor-released patch is available in version 8.5.1.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.4%
CVE-2026-56120 HIGH PATCH This Week

Cross-tenant alarm destruction in OpenRemote Manager (versions before 1.25.0) allows any authenticated user with alarm-write permissions in their own realm to permanently delete alarm records belonging to other tenants by submitting arbitrary sequential alarm IDs to the bulk-delete endpoint. The flaw stems from missing per-record realm scoping in removeAlarms() and is rated CVSS 4.0 8.6 (high); no public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path, making weaponization straightforward.

Authentication Bypass Java
NVD GitHub
CVSS 4.0
8.6
CVE-2026-54517 Maven MEDIUM PATCH GHSA This Month

@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. No public exploit code has been identified and this is not listed in CISA KEV; however, applications relying on @JsonView for security-critical field-level access control - such as role or permission gating - are directly and completely bypassed.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-54513 Maven HIGH PATCH GHSA This Week

Allowlist bypass in jackson-databind's BasicPolymorphicTypeValidator (PTV) allows attackers to instantiate non-allowlisted classes by wrapping them in arrays (e.g., EvilType[]), defeating a control intended to block deserialization gadget chains. Affects versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 when applications use allowIfSubTypeIsArray() alongside an explicit concrete-type allowlist. No public exploit identified at time of analysis, but the upstream fix and full root-cause writeup are public on GitHub.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-54518 Maven MEDIUM PATCH GHSA This Month

Jackson-databind's `@JsonView` authorization boundary is bypassed for constructor parameters that combine `@JsonUnwrapped` and `@JsonView` annotations, affecting versions 2.21.0-2.21.3 and 3.0.0-3.1.3. The deserialization code path in `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters without calling `prop.visibleInView(activeView)`, while the standard property path correctly enforces this check. Applications that rely on `@JsonView` as a write-side access control boundary are exposed: an attacker supplying crafted JSON can populate admin-restricted constructor fields even when the application activates a less-privileged view. No public exploit identified at time of analysis; upstream patches are confirmed in 2.21.4 and 3.1.4.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-23513 HIGH PATCH This Week

Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and order records belonging to other clients by abusing SQL operator precedence in list-endpoint search queries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low complexity and low-privilege requirement make it a meaningful confidentiality risk for multi-tenant deployments. The flaw was remediated in version 0.8.0 released 2026-05-28.

Authentication Bypass Fossbilling
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-11820 MEDIUM This Month

Credential exposure in the Ansible nexmo module (plugins/modules/nexmo.py) causes Vonage/Nexmo API keys and secrets to appear in plaintext within HTTP GET request URLs, bypassing the no_log=True protection entirely. The module affects Red Hat Enterprise Linux 8, 9, and 10 deployments, and credentials are captured passively in Ansible verbose output, network proxy logs, SIEM traffic inspection, AWX/Automation Controller debug logs, and Vonage server-side access logs. No public exploit identified at time of analysis, though exploitation requires only read access to any of these log sources.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-55830 HIGH PATCH This Week

Sandbox escape in RestrictedPython (zopefoundation/RestrictedPython, GHSA-ffg3-p8fm-mjx2) allows an authenticated attacker who can execute code within the restricted Python environment to break out of that sandbox and execute arbitrary Python on the underlying host. This affects Plone deployments that rely on RestrictedPython to safely run through-the-web (TTW) Python Scripts and TALES expressions. Disclosed June 2026 as part of a coordinated Plone security release; no public exploit code or CISA KEV listing identified at time of analysis, but the 8.3 high severity and scope-changing nature make it a meaningful risk for any Zope/Plone installation where untrusted or semi-trusted users can author Python scripts.

Authentication Bypass Python
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2025-64105 MEDIUM PATCH This Month

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Authentication Bypass Information Disclosure Fossbilling
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-12112 HIGH PATCH This Week

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Authentication Bypass Privilege Escalation Red Hat Satellite 6
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-11807 CRITICAL PATCH Act Now

Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. No public exploit identified at time of analysis, but the low attack complexity and scope-changed CVSS of 9.6 make this a high-priority patch.

Hashicorp Authentication Bypass Red Hat Ansible Automation Platform 2 5 Red Hat Ansible Automation Platform 2 6 Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-54555 HIGH PATCH This Week

Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Rtk
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55863 PyPI MEDIUM PATCH GHSA This Month

Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.

Docker Authentication Bypass Python SSRF
NVD GitHub
CVSS 3.1
5.3
CVE-2026-54320 HIGH PATCH This Week

Authentication bypass in Daytona prior to 0.184.0 allows attackers to join organizations via pending invitations using unverified email addresses. The invitation accept and decline paths failed to enforce email verification (unlike organization creation), so on OIDC identity providers permitting self-service signup with pre-verification sessions, an attacker registering an email matching a pending invite can claim it and inherit the assigned role - up to Owner. No public exploit identified at time of analysis, but the path to full Owner-level organization takeover makes this a high-priority fix.

Elastic RCE Authentication Bypass Daytona
NVD GitHub
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-54318 HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-52810 Go HIGH PATCH GHSA This Week

Improper authorization in Gogs (self-hosted Git service) versions before 0.14.3 lets a read-only user write to repositories they should only be able to fetch from. The Git Smart HTTP handler derives the access policy from the client-supplied ?service= query parameter rather than the actual RPC path, so a POST to /repo.git/git-receive-pack carrying ?service=git-upload-pack is authorized as a read while the receive-pack (push) code path still executes. A working PoC is published in the GHSA advisory, so publicly available exploit code exists; it is not listed in CISA KEV and no active exploitation has been reported.

Authentication Bypass Python
NVD GitHub
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-34913 MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-34917 MEDIUM This Month

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID against the XML-RPC API, which is normally restricted to admin-level users. This authentication bypass (CWE-287) grants unauthorized API access, enabling the attacker to chain this foothold with additional API-level vulnerabilities to escalate impact beyond the base CVSS score suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis; the issue was disclosed via HackerOne and a fix was implemented by recording session context alongside session data.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.3%
CVE-2026-44958 MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2026-44961 NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44957 MEDIUM This Month

Missing access control on XML-RPC API modify methods in Revive Adserver 6.0.6 and earlier permits authenticated low-privileged users to reassign entities to arbitrary parent entities, corrupting ownership relationships across campaigns, zones, or banners. This flaw is not independently exploitable - it requires chaining with CVE-2026-34917 or the presence of third-party API extensions that expose modify methods to low-privileged users, materially narrowing real-world risk. A vendor fix adding parent-entity access validation has been issued; no public exploit has been identified at time of analysis.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-34912 MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-13007 HIGH PATCH This Week

Unauthenticated information disclosure in Tenable Identity Exposure versions prior to 3.93.5 allows remote attackers to retrieve cleartext LDAP credentials, SAML configuration, user accounts, and directory settings via API endpoints under /w/api/*. The flaw is compounded by Cache-Control: public response headers that lack a Vary: Cookie directive, allowing reverse proxies and CDNs to cache and re-serve the sensitive data to other unauthenticated requesters. No public exploit identified at time of analysis, but the issue was disclosed by the vendor itself.

Authentication Bypass Information Disclosure Tenable Identity Exposure
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56696 MEDIUM PATCH This Month

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI agent system prompts by exploiting unguarded /issue and /pr_comments slash commands. Any authenticated member of a connected remote channel (e.g., Slack via the ohmo gateway) can write arbitrary attacker-controlled Markdown into .openharness/issue.md and .openharness/pr_comments.md, which are subsequently injected into the agent's runtime system prompt on every subsequent invocation. No public exploit or CISA KEV listing exists at time of analysis, but the upstream patch (PR #272, commit 27bb93b) confirms the vulnerability and its mechanism.

Authentication Bypass Openharness
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56695 HIGH PATCH This Week

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. Slack threads). No public exploit identified at time of analysis, but a vendor patch and detailed test cases (PR #276) make the issue easy to weaponize.

Authentication Bypass Openharness
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56694 MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56402 HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2025-15619 LOW Monitor

HCL Connections exposes a broken access control flaw that permits a low-privileged, authenticated user to view data they should not be authorized to access, but only under one specific scenario. Classified under CWE-284 (Improper Access Control), the vulnerability requires network access, low privileges, and user interaction, limiting its real-world exploitation surface considerably. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 3.5 reflects a genuinely low-severity finding.

Authentication Bypass Connections
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-62180 HIGH This Week

Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.

Authentication Bypass Pega Infinity
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-35019 CRITICAL PATCH Act Now

Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.

Authentication Bypass Nf20Mesh
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-10609 MEDIUM This Month

Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. An attacker who has obtained an editor role within the logging namespace can weaponize this design gap to exfiltrate high-privilege SA tokens and escalate to broader cluster access. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Logging Subsystem For Red Hat Openshift
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-56784 Maven HIGH PATCH This Week

Cross-tenant alarm destruction in OpenRemote Manager before 1.24.2 lets any authenticated user in one realm permanently delete alarms belonging to other tenants by submitting arbitrary alarm IDs to the bulk removeAlarms() endpoint. The flaw is reported by VulnCheck with a CVSS 4.0 score of 8.6 and a proof-of-concept exists per the SSVC assessment, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because alarm IDs are sequential auto-increment values, enumeration and mass deletion of safety-critical and security alerts across tenants is trivial.

Authentication Bypass Openremote
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-56243 HIGH PATCH This Week

Authentication bypass in Capgo before 12.128.2 allows authenticated attackers to defeat the org-level hashed-API-key control by submitting plaintext API keys via the capgkey header directly to the PostgREST/RLS plane. Despite the enforce_hashed_api_keys setting being toggled on, the data plane fails to honor that policy, granting access to protected resources. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-56222 HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 allows organization administrators to attach role bindings to applications owned by other organizations via the POST /private/role_bindings endpoint, which validates org membership but not app_id ownership. Successful exploitation grants unauthorized read and modification access to victim applications across tenant boundaries. No public exploit identified at time of analysis, but a vendor advisory (GHSA-5r52-m8r9-7f8x) and VulnCheck disclosure confirm the issue.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-10711 HIGH PATCH This Week

Missing authentication in AKIN Software's CafePlus versions 12.05.03 through 12.05.04 allows adjacent-network attackers to access privileged functionality without credentials. The flaw enables full compromise of confidentiality, integrity, and availability over an adjacent network vector, with no public exploit identified at time of analysis. Reported by Turkey's national CERT (TR-CERT), the issue stems from critical functions lacking proper ACL enforcement.

Authentication Bypass Cafeplus
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52800 Go HIGH PATCH GHSA This Week

Cross-site request forgery in Gogs 0.14.1 lets a remote attacker escalate to organization owner by tricking a logged-in owner into loading a crafted URL. The `/teams/:team/action/:action` route accepts GET requests and the global CSRF check only fires on POST, so an `add` action against the Owners team executes without a token. No public exploit is identified at time of analysis beyond the advisory's reproduction steps, and the issue is not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-52799 Go HIGH PATCH GHSA This Week

Information disclosure in Gogs 0.14.1 (and all versions ≤ 0.14.2) allows unauthenticated remote attackers who know or guess an attachment UUID to download files attached to issues, comments, and releases in private repositories. The `/attachments/:uuid` endpoint performs no repository-level authorization check, so private-repo attachments - credentials, keys, internal documents, unpublished source - leak when `REQUIRE_SIGNIN_VIEW = false`. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-p9f5-h3rx-j5qw includes a full proof-of-concept reproduction.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-50137 npm HIGH PATCH GHSA This Week

Unauthenticated S3 pre-signed URL minting in Budibase (npm @budibase/server before 3.39.0) lets anonymous attackers abuse the route POST /api/attachments/:datasourceId/url, which was registered with only a recaptcha middleware and no authorized() gate. An attacker who knows or enumerates a workspace id (app_...) and an S3 datasource id (ds_...) receives a 15-minute AWS SigV4 pre-signed PutObjectCommand URL minted on the victim's stored IAM credentials, and because the bucket is caller-controlled they can write to any bucket those credentials permit. Publicly available exploit code exists (a self-contained Node.js PoC is published in the advisory); this is not listed in CISA KEV and no EPSS score was provided.

Canonical Authentication Bypass Node.js
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-50136 npm MEDIUM PATCH GHSA This Month

Unauthenticated arbitrary S3 object write in Budibase server (npm/@budibase/server before 3.39.2) lets any remote caller who learns a workspace ID and S3 datasource ID obtain attacker-chosen PutObject presigned URLs signed with the workspace's stored AWS credentials. The /api/attachments/:datasourceId/url route is gated only by reCAPTCHA - no authentication, builder role, or datasource permission check - so an unauthenticated attacker can write arbitrary objects to any bucket the stored credentials can reach. No public exploit identified at time of analysis, though the advisory publishes a step-by-step non-destructive PoC.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-50132 npm HIGH PATCH GHSA This Week

Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.

Open Redirect Redis Authentication Bypass CSRF
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-46700 npm MEDIUM PATCH GHSA This Month

Missing authorization on the GET /secret/:name endpoint in @actual-app/sync-server allows any authenticated non-admin BASIC user in OpenID multi-user deployments to enumerate which admin-managed bank-sync integrations are configured - specifically GoCardless, SimpleFIN, and Pluggy AI credential names. The disclosure is existence-only (HTTP 204 vs 404); actual secret values are not returned. No active exploitation is confirmed (not in CISA KEV), but a working PoC is included in the GHSA advisory, and the attack is trivially scriptable for any valid session holder.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-48500 PHP MEDIUM POC PATCH GHSA This Month

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.

File Upload Authentication Bypass Filament
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-46608 PyPI HIGH PATCH GHSA This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python Authentication Bypass Kubernetes +1
NVD GitHub
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-56357 npm MEDIUM PATCH This Month

Webhook forgery in n8n's GitHub Webhook Trigger node allows unauthenticated remote attackers to spoof GitHub events and trigger arbitrary workflow execution by sending unsigned POST requests to any known webhook URL. The root cause is a complete absence of HMAC-SHA256 signature verification - the cryptographic control GitHub provides specifically to authenticate webhook deliveries - meaning n8n accepted all inbound POST traffic without validation. Affected versions span the v1 branch (below 1.123.15) and v2 branch (2.0.0 through 2.5.0); no public exploit code or CISA KEV listing exists at time of analysis, but the attack is trivially executable by any party possessing the webhook URL.

Authentication Bypass N8n
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56321 MEDIUM PATCH This Month

Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56311 MEDIUM PATCH This Month

Unauthenticated cross-tenant information disclosure in Capgo before 12.128.2 exposes billing plan metadata for arbitrary organizations via an improperly authorized Supabase RPC function. Any network-accessible attacker possessing only the public Supabase anon key can call the `public.get_current_plan_max_org` endpoint with any organization UUID to retrieve MAU limits, bandwidth, storage, and build time plan data belonging to unrelated tenants. No active exploitation is confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56306 MEDIUM PATCH This Month

Subkey permission bypass in Capgo before 12.128.2 allows authenticated API users to escalate from restricted subkey scope to full main API key privileges by sending malformed x-limited-key-id header values. The parsing flaw - triggered by submitting zero, NaN-coercible, or duplicate header values - causes the subkey scoping enforcement to evaluate to falsy, silently falling through to the unrestricted main API key context. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the bypass is mechanically straightforward for any holder of a valid subkey credential.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-56280 HIGH PATCH This Week

Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56268 npm MEDIUM PATCH This Month

Cross-workspace chatflow configuration disclosure in Flowise before 3.1.2 allows any holder of a valid API key for one workspace to read the full configuration of unprotected chatflows belonging to all other workspaces in the same instance. The `/api/v1/chatflows/apikey/:apikey` endpoint's database query omits a workspace scope filter when the `keyonly` parameter is absent (the default), causing it to return every chatflow system-wide where `apikeyid` is NULL or empty - including `flowData`, system prompts, `chatbotConfig`, `apiConfig`, and credential IDs from unrelated tenants. No public exploit code or CISA KEV listing has been identified at time of analysis, but the vulnerability is trivially reproducible given the disclosed source code and standard HTTP tooling.

Authentication Bypass Information Disclosure Flowise
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-46488 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. Publicly available exploit code exists in the GitHub Security Advisory GHSA-r3cw-c95m-wfh9, but there is no public exploit identified beyond the PoC and the issue is not in CISA KEV.

Authentication Bypass
NVD GitHub
CVE-2026-44585 PHP MEDIUM PATCH GHSA This Month

Broken object level authorization (BOLA) in Paymenter's ticket creation endpoint allows any authenticated customer to reference another account's service by substituting the service ID in the HTTP request, causing support personnel to inadvertently review that third-party service. The flaw affects all Paymenter installations running versions prior to 1.5.0 (pkg:composer/paymenter/paymenter). No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack requires only a valid customer account and basic HTTP manipulation, making real-world abuse accessible to low-sophistication actors.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
CVE-2026-44584 PHP MEDIUM PATCH GHSA This Month

Email verification bypass in Paymenter allows authenticated users to retain verified account status after changing their email to an address they do not own or control. The email update function fails to reset the verification column, meaning a user who initially verifies with a legitimate address can subsequently substitute any arbitrary email and keep the verified flag intact. No public exploit has been identified at time of analysis; the vendor-confirmed fix is available in version 1.5.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
CVE-2026-44271 HIGH PATCH This Week

Authenticated SQL injection (CWE-89) in Dell Wyse Management Suite (WMS) before version 2605 lets a low-privileged remote user inject crafted SQL into application queries, yielding unauthorized read/write access to the management database with high impact to confidentiality, integrity, and availability. Tracked as EUVD-2026-38345 and disclosed by Dell in advisory DSA-2026-247, it carries CVSS 3.1 8.8 but has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), with CISA SSVC reporting no known exploitation.

SQLi Authentication Bypass Dell Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-44272 HIGH PATCH This Week

SQL injection in Dell Wyse Management Suite (WMS) versions prior to 2605 allows authenticated low-privileged remote attackers to manipulate backend database queries, leading to unauthorized data access and potential integrity or availability impact. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability under low attack complexity, though no public exploit identified at time of analysis. The flaw is tagged with 'Authentication Bypass' implications, suggesting the SQLi could be leveraged to escalate beyond the attacker's initial low-privilege context.

SQLi Authentication Bypass Dell Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-44274 HIGH PATCH This Week

Local privilege-bound symlink abuse in Dell Wyse Management Suite (WMS) versions prior to 2605 allows a low-privileged local user to gain unauthorized access to files or resources they should not reach. The flaw is rooted in improper link resolution before file access (CWE-59), and while no public exploit has been identified at time of analysis, the CVSS 7.8 score reflects full confidentiality, integrity, and availability impact once the local prerequisite is met.

Authentication Bypass Dell Wyse Management Suite Wms
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33684 PHP MEDIUM POC PATCH GHSA This Month

Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that `set_api_signUp` in `plugin/API/API.php` applies admin-controlled permission parameters (`emailVerified`, `canUpload`, `canStream`, `canCreateMeet`) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the `isAPISecretValid()` guard that correctly protects equivalent admin operations elsewhere in the codebase. A working proof-of-concept curl sequence is publicly documented in the GitHub security advisory GHSA-8j8m-p79x-g4jm; no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-32315 PyPI MEDIUM PATCH GHSA This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure Privilege Escalation
NVD GitHub
CVSS 3.1
5.5
EPSS
2.9%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated remote attackers can read, insert, and delete stored app icons in Capgo (all versions before 12.128.2) due to a Supabase images bucket entirely lacking row-level security (RLS) controls. Exploitation leaks sensitive app IDs and user IDs embedded in bucket metadata, and enables full icon deletion causing visual degradation of hosted applications. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 12.128.2.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.

Authentication Bypass Microsoft Google +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.

Authentication Bypass Privilege Escalation Node.js +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in the Crawl4AI Docker API server before 0.8.7 exposes all monitor router endpoints - including the destructive /monitor/actions/cleanup action - to unauthenticated remote attackers due to missing token dependency injection on the monitor router. Any attacker with network access to the Docker API port can invoke cleanup operations and manipulate monitoring state, causing service disruption without credentials. No active exploitation (CISA KEV) or public POC has been identified at time of analysis; the CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N confirms trivial remote unauthenticated access with no special conditions required.

Authentication Bypass Crawl4ai
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users to directly modify the public.apps.owner_org column via PostgREST, circumventing the intended transfer_app() workflow. Successful exploitation creates a split-brain ownership state where apps.owner_org and app_versions.owner_org diverge, letting the original organization's API keys retain access to version data while the new owning organization controls the app record. No public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tampering with a client-side parameter in the key generation request, because the backend never validates that keys are server-generated or bound to the authenticated user. The forged keys grant access to protected endpoints, yielding full confidentiality and integrity compromise of tenant data. No public exploit identified at time of analysis, but the flaw is trivially reproducible from any HTTP client.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 allows authenticated users with valid subkeys to escape scope restrictions by supplying their own subkey identifier in the x-limited-key-id header, causing middlewareKey to fall back to the unrestricted parent key. With CVSS 4.0 of 8.7 and high impact across confidentiality, integrity, and availability, exploitation only requires low-privileged API access, though no public exploit identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-tenant build sabotage in Capgo before 12.128.2 allows authenticated users with the app.build_native permission to start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId to the /build/start/:jobId and /build/cancel/:jobId endpoints. The handlers trust the attacker-supplied app_id in the request body and never verify jobId ownership, enabling denial of service, unauthorized compute consumption, and billing impact across tenants. No public exploit identified at time of analysis.

Authentication Bypass Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a malicious IdP to forge SAML assertions and merge arbitrary victim accounts based solely on email match. The provision-user endpoint fails to validate that the asserting SSO provider is authorized for the victim's email domain, granting full takeover of accounts, organizations, and data. No public exploit identified at time of analysis; CVSS 4.0 base is 9.3 (Critical) reflecting high impact across both vulnerable and subsequent systems.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. No public exploit identified at time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.

Authentication Bypass WordPress Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the zero-barrier entry point - unauthenticated, network-accessible, low complexity - means any exposed deployment is immediately at risk without requiring attacker sophistication.

Authentication Bypass WordPress Rentmy Real Time Rental Management Plugin
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.

Information Disclosure Authentication Bypass WordPress +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Advance Nav Menu Manager WordPress plugin (all versions through 1.3) permits any authenticated subscriber-level user to manipulate site navigation menus without authorization. The plugin invokes wp_insert_post() for nav_menu_item operations - duplicate, copy, move, and publish - without enforcing capability checks, allowing low-privilege users to alter navigation structure at will. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the low barrier to exploitation (any registered subscriber account) makes it a meaningful risk on sites with open or compromised user registration.

Authentication Bypass WordPress Advance Nav Menu Manager
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.

Authentication Bypass PHP Privilege Escalation +2
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.

Authentication Bypass WordPress Devs Accounting Simple Accounting And Invoicing Solution
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.

Authentication Bypass WordPress Generate Security Txt
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.

Authentication Bypass WordPress Searchplus
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.

Authentication Bypass WordPress 24Liveblog Live Blog Tool
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.

Authentication Bypass WordPress Assistio
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the trivially low attack complexity (AV:N/AC:L/PR:N) means exploitation requires only an HTTP request.

Authentication Bypass WordPress Secufor Oauth
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Reviews and Rating - Docplanner WordPress plugin (versions ≤ 1.1.4) allows any authenticated subscriber-level user to invoke privileged plugin actions without proper capability checks. Exploitation enables two distinct abuse paths: triggering server-side outbound scraping of attacker-controlled or arbitrary external URLs with results written to the wp_dp_reviews database table, and dispatching feature-request emails impersonating the site administrator's address. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Reviews And Rating Docplanner
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.

Authentication Bypass Privilege Escalation WordPress +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.

Authentication Bypass WordPress Advanced Contact Form 7 Compact Db
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.

Information Disclosure Authentication Bypass WordPress +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Firmware verification bypass in Caliptra Core Runtime Firmware versions 2.0.0 through 2.0.1 and 2.1.0 allows an attacker with high privileges to load unverified MCU firmware during a hitless update. The flaw resides in the ActivateFirmwareCmd::activate_fw module, where an incorrect check of a function return value causes the Root-of-Trust to skip authentication of the Microcontroller Unit firmware image. No public exploit identified at time of analysis, and the issue was responsibly disclosed by the Caliptra project itself.

Authentication Bypass Core Runtime Firmware
NVD GitHub
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Signature image retrieval in Snipe-IT's S3-backed deployments bypasses authorization, allowing any authenticated user to obtain a 5-minute pre-signed S3 URL for acceptance signature images they are not permitted to view. The flaw exists in ActionlogController.php where the S3 code path returns a signed URL before the authorize() call is reached - a call that is correctly enforced only in the local-file code path. Affected are all Snipe-IT deployments on versions <= 8.5.0 configured to use S3 storage; no public exploit code exists and this CVE is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub VulDB
LOW PATCH Monitor

Improper authorization in Snipe-IT v8.4.0 permits any authenticated user holding generic asset edit permissions to delete files attached to any asset across the entire system, bypassing both ownership and company assignment boundaries. The flaw exists in both the web and API file deletion controllers, where a class-level policy check is applied instead of the required instance-level check, constituting a classic IDOR (CWE-285). No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch exists in version 8.4.1.

Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Privilege escalation in Snipe-IT's user creation endpoint allows any authenticated holder of the `users.create` permission to provision new accounts with full admin privileges. The `store()` method in both the web UI and API `UsersController` correctly strips the superuser flag from user-creation payloads submitted by non-superusers, but applies no equivalent check to the admin permission, creating a direct path from delegated HR or department-lead roles to full administrative control over the Snipe-IT instance. A vendor-released patch is available in version 8.6.0; no public exploit has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 6.3
MEDIUM PATCH This Month

Multi-tenancy isolation is broken in Snipe-IT versions through 8.4.1, allowing authenticated non-superadmin users to reassign assets across company boundaries via the bulk asset update endpoint. The root cause is that `BulkAssetsController::update()` accepts `company_id` directly from HTTP request input without applying the `Company::getIdForCurrentUser()` scoping guard used by every other controller in the codebase. A fix is confirmed in version 8.4.2 via commit d58fda626e8febfeff4cabbc20ba03edfc411e18; no public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 5.8
MEDIUM PATCH This Month

Privilege escalation in Snipe-IT allows a low-privileged authenticated user with 'edit users' permission to reset a superadmin's two-factor authentication (2FA), stripping the highest-privilege account of its MFA protection. This CWE-862 (Missing Authorization) flaw affects all Snipe-IT composer releases prior to 8.5.0. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, the high integrity impact and direct erosion of the superadmin's secondary authentication factor make this a meaningful risk wherever the superadmin account is the critical security boundary.

Authentication Bypass
NVD GitHub
CVSS 6.5
MEDIUM PATCH This Month

Account takeover in Snipe-IT (versions prior to 8.6.0) is achievable by any user holding the `import` permission via a logic flaw in the CSV user-import update path. The `UserImporter.php` code correctly unsets auth fields from the Eloquent model object, but `sanitizeItemForUpdating()` rebuilds its update payload from the raw CSV row (`$this->item`) - not from the model - rendering the unset calls entirely ineffective. An authenticated user with only `import` rights can overwrite any non-admin, non-superuser account's email address and then trigger a password reset to complete a full account takeover. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the vendor-published advisory includes precise source code and a working reproduction path.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

{their_own_id}`. The `PreserveUnauthorizedPrivilegedPermissionsAction` class failed to distinguish self-modification from modification of other users, allowing the permission set of the authenticated caller's own account to be silently expanded. No public exploit code or CISA KEV listing exists at time of analysis, but the flaw is practically exploitable by any delegated operator who holds the two prerequisite permissions.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

{object}/selectlist API endpoints allows any authenticated user-regardless of permissions-to enumerate the full user directory, assets, accessories, consumables, and licenses using only a valid session cookie. Affected versions prior to 8.5.1 expose usernames, display names, employee numbers, and user IDs for all active accounts, providing an ideal launchpad for credential stuffing, password spraying, and social engineering. No public exploit identified at time of analysis; vendor-released patch is available in version 8.5.1.

Authentication Bypass
NVD GitHub VulDB
CVSS 8.6
HIGH PATCH This Week

Cross-tenant alarm destruction in OpenRemote Manager (versions before 1.25.0) allows any authenticated user with alarm-write permissions in their own realm to permanently delete alarm records belonging to other tenants by submitting arbitrary sequential alarm IDs to the bulk-delete endpoint. The flaw stems from missing per-record realm scoping in removeAlarms() and is rated CVSS 4.0 8.6 (high); no public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path, making weaponization straightforward.

Authentication Bypass Java
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. No public exploit code has been identified and this is not listed in CISA KEV; however, applications relying on @JsonView for security-critical field-level access control - such as role or permission gating - are directly and completely bypassed.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Allowlist bypass in jackson-databind's BasicPolymorphicTypeValidator (PTV) allows attackers to instantiate non-allowlisted classes by wrapping them in arrays (e.g., EvilType[]), defeating a control intended to block deserialization gadget chains. Affects versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 when applications use allowIfSubTypeIsArray() alongside an explicit concrete-type allowlist. No public exploit identified at time of analysis, but the upstream fix and full root-cause writeup are public on GitHub.

Authentication Bypass Jackson Databind
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Jackson-databind's `@JsonView` authorization boundary is bypassed for constructor parameters that combine `@JsonUnwrapped` and `@JsonView` annotations, affecting versions 2.21.0-2.21.3 and 3.0.0-3.1.3. The deserialization code path in `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters without calling `prop.visibleInView(activeView)`, while the standard property path correctly enforces this check. Applications that rely on `@JsonView` as a write-side access control boundary are exposed: an attacker supplying crafted JSON can populate admin-restricted constructor fields even when the application activates a less-privileged view. No public exploit identified at time of analysis; upstream patches are confirmed in 2.21.4 and 3.1.4.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and order records belonging to other clients by abusing SQL operator precedence in list-endpoint search queries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low complexity and low-privilege requirement make it a meaningful confidentiality risk for multi-tenant deployments. The flaw was remediated in version 0.8.0 released 2026-05-28.

Authentication Bypass Fossbilling
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Credential exposure in the Ansible nexmo module (plugins/modules/nexmo.py) causes Vonage/Nexmo API keys and secrets to appear in plaintext within HTTP GET request URLs, bypassing the no_log=True protection entirely. The module affects Red Hat Enterprise Linux 8, 9, and 10 deployments, and credentials are captured passively in Ansible verbose output, network proxy logs, SIEM traffic inspection, AWX/Automation Controller debug logs, and Vonage server-side access logs. No public exploit identified at time of analysis, though exploitation requires only read access to any of these log sources.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in RestrictedPython (zopefoundation/RestrictedPython, GHSA-ffg3-p8fm-mjx2) allows an authenticated attacker who can execute code within the restricted Python environment to break out of that sandbox and execute arbitrary Python on the underlying host. This affects Plone deployments that rely on RestrictedPython to safely run through-the-web (TTW) Python Scripts and TALES expressions. Disclosed June 2026 as part of a coordinated Plone security release; no public exploit code or CISA KEV listing identified at time of analysis, but the 8.3 high severity and scope-changing nature make it a meaningful risk for any Zope/Plone installation where untrusted or semi-trusted users can author Python scripts.

Authentication Bypass Python
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Authentication Bypass Information Disclosure Fossbilling
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Authentication Bypass Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. No public exploit identified at time of analysis, but the low attack complexity and scope-changed CVSS of 9.6 make this a high-priority patch.

Hashicorp Authentication Bypass Red Hat Ansible Automation Platform 2 5 +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Rtk
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.

Docker Authentication Bypass Python +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Authentication bypass in Daytona prior to 0.184.0 allows attackers to join organizations via pending invitations using unverified email addresses. The invitation accept and decline paths failed to enforce email verification (unlike organization creation), so on OIDC identity providers permitting self-service signup with pre-verification sessions, an attacker registering an email matching a pending invite can claim it and inherit the assigned role - up to Owner. No public exploit identified at time of analysis, but the path to full Owner-level organization takeover makes this a high-priority fix.

Elastic RCE Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper authorization in Gogs (self-hosted Git service) versions before 0.14.3 lets a read-only user write to repositories they should only be able to fetch from. The Git Smart HTTP handler derives the access policy from the client-supplied ?service= query parameter rather than the actual RPC path, so a POST to /repo.git/git-receive-pack carrying ?service=git-upload-pack is authorized as a read while the receive-pack (push) code path still executes. A working PoC is published in the GHSA advisory, so publicly available exploit code exists; it is not listed in CISA KEV and no active exploitation has been reported.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID against the XML-RPC API, which is normally restricted to admin-level users. This authentication bypass (CWE-287) grants unauthorized API access, enabling the attacker to chain this foothold with additional API-level vulnerabilities to escalate impact beyond the base CVSS score suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis; the issue was disclosed via HackerOne and a fix was implemented by recording session context alongside session data.

Authentication Bypass Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
EPSS 0%
NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing access control on XML-RPC API modify methods in Revive Adserver 6.0.6 and earlier permits authenticated low-privileged users to reassign entities to arbitrary parent entities, corrupting ownership relationships across campaigns, zones, or banners. This flaw is not independently exploitable - it requires chaining with CVE-2026-34917 or the presence of third-party API extensions that expose modify methods to low-privileged users, materially narrowing real-world risk. A vendor fix adding parent-entity access validation has been issued; no public exploit has been identified at time of analysis.

Authentication Bypass Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Tenable Identity Exposure versions prior to 3.93.5 allows remote attackers to retrieve cleartext LDAP credentials, SAML configuration, user accounts, and directory settings via API endpoints under /w/api/*. The flaw is compounded by Cache-Control: public response headers that lack a Vary: Cookie directive, allowing reverse proxies and CDNs to cache and re-serve the sensitive data to other unauthenticated requesters. No public exploit identified at time of analysis, but the issue was disclosed by the vendor itself.

Authentication Bypass Information Disclosure Tenable Identity Exposure
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Remote prompt injection in OpenHarness allows low-privileged messaging channel participants to persistently corrupt AI agent system prompts by exploiting unguarded /issue and /pr_comments slash commands. Any authenticated member of a connected remote channel (e.g., Slack via the ohmo gateway) can write arbitrary attacker-controlled Markdown into .openharness/issue.md and .openharness/pr_comments.md, which are subsequently injected into the agent's runtime system prompt on every subsequent invocation. No public exploit or CISA KEV listing exists at time of analysis, but the upstream patch (PR #272, commit 27bb93b) confirms the vulnerability and its mechanism.

Authentication Bypass Openharness
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-session information disclosure in HKUDS OpenHarness ohmo gateway allows admitted remote senders to invoke /resume and /summary slash commands, which were incorrectly registered with remote_invocable=True by default, to enumerate and load arbitrary saved session snapshots by ID. Successful exploitation exposes another user's private prompts, credentials, tool outputs, and file paths exchanged through shared gateway channels (e.g. Slack threads). No public exploit identified at time of analysis, but a vendor patch and detailed test cases (PR #276) make the issue easy to weaponize.

Authentication Bypass Openharness
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in NanoClaw before 2.1.0 lets scoped admins cross agent-group authorization boundaries by submitting forged or stale connect callback values during the channel-registration approval flow. The `handleChannelApprovalResponse` function accepted any `connect:ag-X` callback value without verifying that the approver held admin privileges over the target agent group, allowing a scoped admin to wire messaging channels into groups they do not govern. No active exploitation has been confirmed (not listed in CISA KEV), and an upstream fix is available in commit 0eef8fafdd7c475ab5fd8d37ea566a81e74cd834 (PR #2566).

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in NanoClaw before 2.1.17 lets remote attackers with a valid questionId approve or reject privileged actions (such as package installation) by submitting crafted approval response payloads. The handleApprovalsResponse function dispatches sensitive handlers without verifying the responder holds an owner/admin role, turning approval callbacks into an authorization bypass. Publicly available exploit code exists via the upstream patch diff, but no active exploitation is currently confirmed.

Authentication Bypass Privilege Escalation Nanoclaw
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

HCL Connections exposes a broken access control flaw that permits a low-privileged, authenticated user to view data they should not be authorized to access, but only under one specific scenario. Classified under CWE-284 (Improper Access Control), the vulnerability requires network access, low privileges, and user interaction, limiting its real-world exploitation surface considerably. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 3.5 reflects a genuinely low-severity finding.

Authentication Bypass Connections
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Authorization bypass in Pega Platform versions 8.3.0 through Infinity 25.1.2 allows authenticated users to access additional data they should not be permitted to view by submitting crafted URLs. The flaw is a CWE-639 authorization key manipulation issue affecting Pega Infinity deployments, with no public exploit identified at time of analysis and high confidentiality impact per the vendor-provided CVSS 4.0 vector.

Authentication Bypass Pega Infinity
NVD
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Authentication bypass in NetComm NF20MESH routers (firmware R6B031 and earlier) allows unauthenticated remote attackers to forge valid encrypted session cookies using a hardcoded AES-256 key embedded in the firmware, granting full administrative control of the web management interface. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): because the same static AES-256 key is shared across all devices, any attacker who extracts it from firmware can impersonate any session. Exploitation requires an active administrator session and network reachability to the management interface; no KEV listing or confirmed public exploit exists at time of analysis, though the hardcoded-key nature makes the attack highly automatable once the key is disclosed.

Authentication Bypass Nf20Mesh
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Privilege escalation via ServiceAccount token exfiltration affects the OpenShift Cluster Logging Operator, allowing a user with delegated editor-level access to the ClusterLogForwarder resource to harvest SA tokens they were never authorized to use. The operator creates ServiceAccount tokens and forwards them to configured log output destinations without verifying whether the ClusterLogForwarder creator holds permission to consume those credentials. An attacker who has obtained an editor role within the logging namespace can weaponize this design gap to exfiltrate high-privilege SA tokens and escalate to broader cluster access. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Logging Subsystem For Red Hat Openshift
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant alarm destruction in OpenRemote Manager before 1.24.2 lets any authenticated user in one realm permanently delete alarms belonging to other tenants by submitting arbitrary alarm IDs to the bulk removeAlarms() endpoint. The flaw is reported by VulnCheck with a CVSS 4.0 score of 8.6 and a proof-of-concept exists per the SSVC assessment, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because alarm IDs are sequential auto-increment values, enumeration and mass deletion of safety-critical and security alerts across tenants is trivial.

Authentication Bypass Openremote
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Capgo before 12.128.2 allows authenticated attackers to defeat the org-level hashed-API-key control by submitting plaintext API keys via the capgkey header directly to the PostgREST/RLS plane. Despite the enforce_hashed_api_keys setting being toggled on, the data plane fails to honor that policy, granting access to protected resources. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 allows organization administrators to attach role bindings to applications owned by other organizations via the POST /private/role_bindings endpoint, which validates org membership but not app_id ownership. Successful exploitation grants unauthorized read and modification access to victim applications across tenant boundaries. No public exploit identified at time of analysis, but a vendor advisory (GHSA-5r52-m8r9-7f8x) and VulnCheck disclosure confirm the issue.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Missing authentication in AKIN Software's CafePlus versions 12.05.03 through 12.05.04 allows adjacent-network attackers to access privileged functionality without credentials. The flaw enables full compromise of confidentiality, integrity, and availability over an adjacent network vector, with no public exploit identified at time of analysis. Reported by Turkey's national CERT (TR-CERT), the issue stems from critical functions lacking proper ACL enforcement.

Authentication Bypass Cafeplus
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site request forgery in Gogs 0.14.1 lets a remote attacker escalate to organization owner by tricking a logged-in owner into loading a crafted URL. The `/teams/:team/action/:action` route accepts GET requests and the global CSRF check only fires on POST, so an `add` action against the Owners team executes without a token. No public exploit is identified at time of analysis beyond the advisory's reproduction steps, and the issue is not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Gogs 0.14.1 (and all versions ≤ 0.14.2) allows unauthenticated remote attackers who know or guess an attachment UUID to download files attached to issues, comments, and releases in private repositories. The `/attachments/:uuid` endpoint performs no repository-level authorization check, so private-repo attachments - credentials, keys, internal documents, unpublished source - leak when `REQUIRE_SIGNIN_VIEW = false`. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-p9f5-h3rx-j5qw includes a full proof-of-concept reproduction.

Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated S3 pre-signed URL minting in Budibase (npm @budibase/server before 3.39.0) lets anonymous attackers abuse the route POST /api/attachments/:datasourceId/url, which was registered with only a recaptcha middleware and no authorized() gate. An attacker who knows or enumerates a workspace id (app_...) and an S3 datasource id (ds_...) receives a 15-minute AWS SigV4 pre-signed PutObjectCommand URL minted on the victim's stored IAM credentials, and because the bucket is caller-controlled they can write to any bucket those credentials permit. Publicly available exploit code exists (a self-contained Node.js PoC is published in the advisory); this is not listed in CISA KEV and no EPSS score was provided.

Canonical Authentication Bypass Node.js
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated arbitrary S3 object write in Budibase server (npm/@budibase/server before 3.39.2) lets any remote caller who learns a workspace ID and S3 datasource ID obtain attacker-chosen PutObject presigned URLs signed with the workspace's stored AWS credentials. The /api/attachments/:datasourceId/url route is gated only by reCAPTCHA - no authentication, builder role, or datasource permission check - so an unauthenticated attacker can write arbitrary objects to any bucket the stored credentials can reach. No public exploit identified at time of analysis, though the advisory publishes a step-by-step non-destructive PoC.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.

Open Redirect Redis Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Missing authorization on the GET /secret/:name endpoint in @actual-app/sync-server allows any authenticated non-admin BASIC user in OpenID multi-user deployments to enumerate which admin-managed bank-sync integrations are configured - specifically GoCardless, SimpleFIN, and Pluggy AI credential names. The disclosure is existence-only (HTTP 204 vs 404); actual secret values are not returned. No active exploitation is confirmed (not in CISA KEV), but a working PoC is included in the GHSA advisory, and the attack is trivially scriptable for any valid session holder.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unauthenticated arbitrary file upload in Filament (Laravel component framework) versions 3.0.0 through 3.3.51, 4.x through 4.11.4, and 5.x through 5.6.4 allows remote attackers without any credentials to write files to the application's temporary storage. Filament indiscriminately applies Livewire's WithFileUploads trait to every Livewire component embedding a schema - including the panel login form, which has no legitimate file upload need - exposing the upload endpoint publicly. The practical impact is storage exhaustion or inflated cloud storage costs; no public exploit has been identified at time of analysis.

File Upload Authentication Bypass Filament
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python +3
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Webhook forgery in n8n's GitHub Webhook Trigger node allows unauthenticated remote attackers to spoof GitHub events and trigger arbitrary workflow execution by sending unsigned POST requests to any known webhook URL. The root cause is a complete absence of HMAC-SHA256 signature verification - the cryptographic control GitHub provides specifically to authenticate webhook deliveries - meaning n8n accepted all inbound POST traffic without validation. Affected versions span the v1 branch (below 1.123.15) and v2 branch (2.0.0 through 2.5.0); no public exploit code or CISA KEV listing exists at time of analysis, but the attack is trivially executable by any party possessing the webhook URL.

Authentication Bypass N8n
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.

Authentication Bypass Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated cross-tenant information disclosure in Capgo before 12.128.2 exposes billing plan metadata for arbitrary organizations via an improperly authorized Supabase RPC function. Any network-accessible attacker possessing only the public Supabase anon key can call the `public.get_current_plan_max_org` endpoint with any organization UUID to retrieve MAU limits, bandwidth, storage, and build time plan data belonging to unrelated tenants. No active exploitation is confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Subkey permission bypass in Capgo before 12.128.2 allows authenticated API users to escalate from restricted subkey scope to full main API key privileges by sending malformed x-limited-key-id header values. The parsing flaw - triggered by submitting zero, NaN-coercible, or duplicate header values - causes the subkey scoping enforcement to evaluate to falsy, silently falling through to the unrestricted main API key context. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the bypass is mechanically straightforward for any holder of a valid subkey credential.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-workspace chatflow configuration disclosure in Flowise before 3.1.2 allows any holder of a valid API key for one workspace to read the full configuration of unprotected chatflows belonging to all other workspaces in the same instance. The `/api/v1/chatflows/apikey/:apikey` endpoint's database query omits a workspace scope filter when the `keyonly` parameter is absent (the default), causing it to return every chatflow system-wide where `apikeyid` is NULL or empty - including `flowData`, system prompts, `chatbotConfig`, `apiConfig`, and credential IDs from unrelated tenants. No public exploit code or CISA KEV listing has been identified at time of analysis, but the vulnerability is trivially reproducible given the disclosed source code and standard HTTP tooling.

Authentication Bypass Information Disclosure Flowise
NVD GitHub
CRITICAL PATCH Act Now

Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. Publicly available exploit code exists in the GitHub Security Advisory GHSA-r3cw-c95m-wfh9, but there is no public exploit identified beyond the PoC and the issue is not in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 5.4
MEDIUM PATCH This Month

Broken object level authorization (BOLA) in Paymenter's ticket creation endpoint allows any authenticated customer to reference another account's service by substituting the service ID in the HTTP request, causing support personnel to inadvertently review that third-party service. The flaw affects all Paymenter installations running versions prior to 1.5.0 (pkg:composer/paymenter/paymenter). No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the attack requires only a valid customer account and basic HTTP manipulation, making real-world abuse accessible to low-sophistication actors.

Authentication Bypass
NVD GitHub
CVSS 4.3
MEDIUM PATCH This Month

Email verification bypass in Paymenter allows authenticated users to retain verified account status after changing their email to an address they do not own or control. The email update function fails to reset the verification column, meaning a user who initially verifies with a legitimate address can subsequently substitute any arbitrary email and keep the verified flag intact. No public exploit has been identified at time of analysis; the vendor-confirmed fix is available in version 1.5.0.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated SQL injection (CWE-89) in Dell Wyse Management Suite (WMS) before version 2605 lets a low-privileged remote user inject crafted SQL into application queries, yielding unauthorized read/write access to the management database with high impact to confidentiality, integrity, and availability. Tracked as EUVD-2026-38345 and disclosed by Dell in advisory DSA-2026-247, it carries CVSS 3.1 8.8 but has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), with CISA SSVC reporting no known exploitation.

SQLi Authentication Bypass Dell +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Dell Wyse Management Suite (WMS) versions prior to 2605 allows authenticated low-privileged remote attackers to manipulate backend database queries, leading to unauthorized data access and potential integrity or availability impact. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability under low attack complexity, though no public exploit identified at time of analysis. The flaw is tagged with 'Authentication Bypass' implications, suggesting the SQLi could be leveraged to escalate beyond the attacker's initial low-privilege context.

SQLi Authentication Bypass Dell +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-bound symlink abuse in Dell Wyse Management Suite (WMS) versions prior to 2605 allows a low-privileged local user to gain unauthorized access to files or resources they should not reach. The flaw is rooted in improper link resolution before file access (CWE-59), and while no public exploit has been identified at time of analysis, the CVSS 7.8 score reflects full confidentiality, integrity, and availability impact once the local prerequisite is met.

Authentication Bypass Dell Wyse Management Suite Wms
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that `set_api_signUp` in `plugin/API/API.php` applies admin-controlled permission parameters (`emailVerified`, `canUpload`, `canStream`, `canCreateMeet`) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the `isAPISecretValid()` guard that correctly protects equivalent admin operations elsewhere in the codebase. A working proof-of-concept curl sequence is publicly documented in the GitHub security advisory GHSA-8j8m-p79x-g4jm; no active exploitation has been confirmed by CISA KEV at time of analysis.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

World-readable configuration file permissions in motionEye <= 0.43.1b4 expose the admin SHA1 password hash to any local user account on the host. The flaw affects both supported installation methods (manual and motioneye_init), making it a software default rather than a deployment error. Proof-of-concept code is publicly available in the vendor's GitHub Security Advisory; when chained with GHSA-45h7-499j-7ww3 (hash-as-signing-key authentication bypass) and CVE-2025-60787 (OS command injection requiring admin auth), a local unprivileged attacker can escalate to the Motion daemon user - often root - without any elevated privileges. No active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection Authentication Bypass Information Disclosure +1
NVD GitHub
Prev Page 16 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy