Skip to main content

Authentication Bypass

31255 CVEs technique

Monthly

CVE-2026-25119 Go HIGH PATCH GHSA This Week

Authentication bypass in Gogs (self-hosted Git service) versions <= 0.14.2 allows any remote attacker who can reach the service to forge the X-WEBAUTH-USER header and impersonate any account, including administrators, when ENABLE_REVERSE_PROXY_AUTHENTICATION is turned on. Because Gogs trusts the reverse-proxy auth header without verifying the request actually came from the proxy, an attacker can also trigger automatic admin-level account creation if auto-registration is enabled. Publicly available exploit code exists (a single curl one-liner in the advisory); it is not in CISA KEV and no EPSS score was supplied.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.9%
CVE-2024-37155 PyPI MEDIUM PATCH GHSA This Month

### Summary The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-41047 MEDIUM PATCH This Month

Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.

Authentication Bypass Qsnapper
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-8934 MEDIUM PATCH This Month

Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.

Authentication Bypass Google Cloud Console Uis
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-10845 HIGH PATCH This Week

Authentication bypass in IBM WebSphere Application Server 8.5 and 9.0 allows remote attackers to gain unauthorized access to JAX-WS web service applications without valid credentials. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but a vendor patch is available via IBM support advisory 7276597.

IBM Authentication Bypass Websphere Application Server
NVD VulDB
CVSS 3.1
7.3
EPSS
0.4%
CVE-2023-33854 MEDIUM PATCH This Month

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

IBM Authentication Bypass Db2 On Cloud Pak For Data And Db2 Warehouse On Cloud Pak For Data
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-9610 MEDIUM PATCH This Month

Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.

IBM Authentication Bypass Datacap Datacap Navigator
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-56104 HIGH PATCH This Week

Session hijacking in Chainlit before 2.10.1 allows remote attackers with a valid victim sessionId to inherit an authenticated user's session via the WebSocket restore_existing_session path, which fails to verify session ownership. Successful exploitation grants the attacker the victim's roles and permissions, enabling unauthorized tool invocation and access to restricted data. No public exploit identified at time of analysis; EPSS is low (0.30%) and the issue is not listed in CISA KEV.

Authentication Bypass Chainlit
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-7664 CRITICAL PATCH Act Now

Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected Model Context Protocol (MCP) project resources and invoke MCP operations through the Streamable MCP transport endpoint. The CVSS 9.8 rating reflects unauthenticated network exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

IBM Authentication Bypass Langflow Oss
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12628 CRITICAL PATCH Act Now

Authentication bypass in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows (versions 8.1.0.0 through 8.2.1.0) allows remote unauthenticated attackers to impersonate legitimate clients via hardcoded credentials embedded in the FlashCopy Manager (FCM) authentication mechanism. The flaw, classified as CWE-798 with a CVSS 9.1 critical rating, enables attackers to establish trusted sessions and access protected backup services. There is no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at 0.33% (24th percentile), but IBM has released a vendor advisory and patch.

IBM Microsoft Authentication Bypass Storage Protect Client Storage Protect Snapshot For Windows
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-8823 LOW Monitor

Incorrect authorization in Mattermost's demote-user API allows a lower-privileged administrator to degrade arbitrary bot accounts to guest status, affecting versions 11.7.0 and 10.11.17 and earlier. The root cause is missing validation of whether the target of a demotion operation is a bot account, meaning an admin who lacks full system privileges can still weaponize the standard API endpoint against bot identities. No public exploit exists and the vulnerability is not listed in CISA KEV; its real-world priority is low given the high-privilege requirement and limited blast radius.

Mattermost Authentication Bypass
NVD
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-6062 MEDIUM This Month

Subscription hijacking in Mattermost allows authenticated low-privileged users to take control of subscriptions belonging to channels they have no access to by submitting a crafted PUT request to the subscription edit endpoint. The root cause is a missing channel ownership validation check, classified as an Insecure Direct Object Reference (CWE-639), affecting versions across four active release branches (10.11.x, 11.5.x, 11.6.x, 11.7.x). No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6673 MEDIUM This Month

Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. No public exploit has been identified at time of analysis, but a successful injection corrupts the integration's trust handshake, yielding high integrity and availability impact against the Jira connection. The vendor CVSS vector assigns PR:L, which conflicts with the description's 'remote unauthenticated attacker' language - this discrepancy warrants direct verification with Mattermost advisory MMSA-2026-00654.

Atlassian Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8074 LOW Monitor

{id}/active endpoint despite lacking the Integrations permission required to manage bots. The server fails to apply bot-specific permission checks at this endpoint, accepting the deactivation request based solely on user management write access. While no public exploit has been identified at time of analysis, successful abuse disrupts any automated workflows or integration pipelines dependent on the targeted bot accounts.

Mattermost Authentication Bypass
NVD VulDB
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-5139 MEDIUM This Month

The /gitlab connect slash command in Mattermost fails to enforce administrator-level authorization on the setDefaultInstance call, enabling any authenticated user to overwrite the workspace-wide default GitLab instance configuration. Affected across four concurrent release trains (11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17), this missing authorization flaw (CWE-862) is exploitable by any valid Mattermost account holder without elevated privileges. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and low privilege requirement make this accessible to any workspace member targeting GitLab integration infrastructure.

Mattermost Gitlab Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-10561 CRITICAL PATCH Act Now

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.

Code Injection IBM Python RCE Authentication Bypass +1
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-28381 HIGH This Week

Improper access control in the Grafana Snowflake datasource plugin (versions 1.14.7 through 1.14.12) lets any user permitted to run queries against the data source invoke Snowflake GET/PUT commands to read and write files between the local Grafana server and the connected Snowflake host. The flaw effectively turns query permissions into a file-transfer primitive that crosses the trust boundary between the Grafana host and Snowflake. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 14th percentile), and CISA SSVC marks exploitation as none, but the technical impact is rated total.

Grafana Snowflake Datasource Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-56450 MEDIUM PATCH This Month

Unlimited OTP brute-force against AIL Framework's two-factor authentication endpoint allows an attacker who already possesses a valid account password to bypass the second authentication factor entirely and gain unauthorized account access. The verify_2fa() route accepted an unbounded number of OTP submissions without incrementing a failure counter or enforcing a lockout, and the implementation uses counter-based HOTP rather than time-limited TOTP, removing the time-window throttle that would otherwise constrain brute-force speed. No public exploit code or CISA KEV listing exists at time of analysis, but the prerequisite of a valid password - obtainable via phishing or credential dumps - makes this a realistic threat against any AIL deployment where 2FA is meant to serve as a meaningful access boundary.

Authentication Bypass Ail Framework
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-56424 HIGH PATCH This Week

Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. Vendor patches are available via multiple MISP GitHub commits; no public exploit identified at time of analysis.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56423 CRITICAL PATCH Act Now

Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or perm_sharing_group role flag hard-delete Event Reports and Sharing Groups belonging to other organisations across the entire instance. The flaw affects MISP threat-intelligence platform deployments and enables cross-tenant data destruction by contributor-level accounts; no public exploit identified at time of analysis, but the upstream patch commits are public and trivially reverse-engineerable.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-56422 CRITICAL PATCH Act Now

Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organizations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row than the one the authorization check validated. No public exploit identified at time of analysis, but a vendor patch is available and the high CVSS 4.0 score of 9.4 reflects broad cross-tenant impact.

Authentication Bypass Misp
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2025-4994 HIGH PATCH This Week

Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.

Authentication Bypass Safeline Sl6 Sl6
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-7859 MEDIUM POC PATCH This Month

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

WordPress CSRF Motors Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11746 CRITICAL Act Now

Cluster-wide remote code execution in LY Corporation's centraldogma-server prior to 0.84.0 occurs when ZooKeeper replication is enabled without explicitly configuring replication.secret, causing the embedded ZooKeeper ensemble to authenticate using a hard-coded, publicly known fallback credential. An adjacent attacker with network reachability to the replication ports can read the entire replication log or join the quorum to issue arbitrary replicated commands. No public exploit identified at time of analysis, but the issue is a default-credential failure that is trivial to weaponize once discovered.

Central Dogma Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-56396 PHP HIGH PATCH This Week

Privilege escalation in phpMyFAQ before 4.1.4 allows authenticated non-SuperAdmin users holding the edit_user permission to promote themselves to SuperAdmin via missing authorization checks in the editUser() and updateUserRights() endpoints. The flaw lets a low-tier administrator set the is_superadmin flag or grant arbitrary rights, fully compromising the FAQ application; publicly available exploit code exists is not asserted, and at time of analysis no public exploit identified at time of analysis.

Authentication Bypass Phpmyfaq
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56385 PHP MEDIUM PATCH This Month

Authorization bypass in Craft CMS's `assets/preview-file` endpoint exposes private asset preview content to authenticated low-privileged users who lack view permission on the targeted asset. Affected installations running Craft CMS 4.0.0-RC1 through 4.17.7 or 5.0.0-RC1 through 5.9.13 with mixed-privilege users and private assets are vulnerable to unauthorized disclosure of preview HTML and private asset image routes. No public exploit or CISA KEV listing has been identified; patches are available in versions 4.17.8 and 5.9.14.

Authentication Bypass Cms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56384 PHP MEDIUM PATCH This Month

Missing authorization in the Craft CMS `assets/preview-thumb` Control Panel endpoint allows any authenticated low-privilege CP user to obtain signed transform preview URLs for private assets they are not permitted to view, by supplying an attacker-controlled `assetId`. Affected installations span the 4.x branch (4.0.0-RC1 through 4.17.7) and 5.x branch (5.0.0-RC1 through 5.9.13); patches are available in 4.17.8 and 5.9.14. No public exploit or active exploitation has been identified at time of analysis.

Authentication Bypass Cms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56299 MEDIUM PATCH This Month

Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56265 PyPI CRITICAL PATCH Act Now

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to forge valid JWT tokens because the signing key defaults to the hardcoded value 'mysecret' present in the public source code. Anyone aware of the default secret can mint tokens for arbitrary users and obtain full access to protected crawling, extraction, JavaScript execution, and configuration endpoints. No public exploit identified at time of analysis, but the underlying weakness is trivially reproducible from the upstream repository.

Docker Authentication Bypass Crawl4ai
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56253 HIGH PATCH This Week

Unauthenticated organization member enumeration in Capgo before 12.128.2 allows remote attackers to harvest email addresses, user IDs, roles, and pending invitations by invoking the public.get_org_members RPC with only a publishable Supabase key and a target organization UUID. The flaw, reported by VulnCheck and tracked as EUVD-2026-38169, carries a CVSS 4.0 score of 8.7 and reflects a broken access control check on a public Postgres RPC. No public exploit identified at time of analysis, but the trivial invocation makes mass scraping straightforward once an org UUID is known.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56251 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-56229 HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated API clients read build status and logs belonging to other applications by combining an authorized app_id with a job_id from a different, unauthorized app. The /build/status and /build/logs endpoints validate the app_id but fail to verify that the supplied job_id actually belongs to that application, exposing logs, metadata, and potentially embedded credentials across tenant boundaries. No public exploit identified at time of analysis, though VulnCheck has published an advisory with technical details.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-12799 LOW POC Monitor

Improper authorization in BerriAI LiteLLM versions up to 1.82.2 allows authenticated low-privilege users to access user data beyond their permitted scope via the `ui_view_users` management endpoint - an incomplete remediation of the prior CVE-2025-0628 authorization bypass in the same function. A public proof-of-concept exploit is available on GitHub (YLChen-007), confirming practical exploitability. No active exploitation is confirmed (not in CISA KEV), and the authentication requirement (CVSS 4.0 PR:L) constrains the attacker pool to those already holding valid credentials on the target proxy.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12797 LOW POC Monitor

Incorrect authorization in BerriAI LiteLLM's enterprise banned keywords hook allows remote low-privileged authenticated users to bypass prompt content filtering by manipulating the `prompt` argument to the `async_pre_call_hook` function in `enterprise/enterprise_hooks/banned_keywords.py`. All versions in the 1.82.x series up to and including 1.82.5 are confirmed affected. A public proof-of-concept exploit is available via GitHub Gist, materially increasing the risk for enterprise deployments that rely on the banned keywords feature as a compliance or safety enforcement boundary; no confirmed CISA KEV listing exists at time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12795 MEDIUM POC This Month

Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoint to unauthenticated remote attackers, enabling authentication bypass against versions up to 1.82.2. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is network-exploitable with no privileges or user interaction required. A public proof-of-concept has been disclosed on GitHub, elevating practical risk beyond the moderate base score alone; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-12786 HIGH POC This Week

Local privilege escalation in EZB Systems UltraISO Premium Edition up to 9.76 stems from improper access controls in the bundled bootpt64.sys kernel driver, allowing an authenticated local user to abuse the driver and achieve high-integrity kernel-level impact on confidentiality, integrity, and availability. Publicly available exploit code exists, and the vendor was contacted but did not respond, leaving all currently shipped versions unpatched.

Authentication Bypass Ultraiso Premium Edition
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12784 HIGH POC This Week

Local privilege escalation in IM-Magic Partition Resizer up to 7.9.0 stems from improper access controls in the MDA_NTDRV.sys kernel driver, allowing a low-privileged local user to gain elevated kernel-level capabilities. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, leaving all currently shipped versions (7.0 through 7.9.0) without a fix. No public exploit identified as being used in attacks (not in CISA KEV), but POC weaponization risk is elevated given the unpatched status.

Authentication Bypass Partition Resizer
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12782 HIGH POC PATCH This Week

Local privilege escalation in EaseUS Partition Master versions 14.0 through 14.5 allows low-privileged users to abuse the EUEDKEPM.sys kernel driver due to improper access controls (CWE-284). Publicly available exploit code exists and the vendor has released a patched version, though the issue is not listed in CISA KEV. The flaw maps to authentication-bypass behavior at the kernel-driver interface, giving attackers a path from a standard user account to SYSTEM-level capabilities.

Authentication Bypass Partition Master
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12781 HIGH POC PATCH This Week

Local privilege escalation in EaseUS Partition Master through version 14.5 stems from improper access controls in the epmntdrv.sys kernel driver, allowing a low-privileged local user to gain SYSTEM-level control over the host. Publicly available exploit code exists and the vendor has confirmed the issue was resolved in newer releases, though no specific patched version is named in the advisory.

Authentication Bypass Partition Master
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12780 HIGH POC This Week

Local privilege escalation in AOMEI Backupper through 8.3.0 stems from improper access controls in the bundled kernel driver amwrtdrv.sys, allowing an authenticated local user to abuse driver IOCTLs and escalate privileges. Publicly available exploit code exists for this issue, and the vendor was contacted but has not responded, leaving customers without an official fix. The CVSS 4.0 base score is 7.1 with local attack vector and low privileges required, reflecting realistic post-foothold risk rather than remote compromise.

Authentication Bypass Backupper
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12779 HIGH POC This Week

Local privilege escalation in AOMEI Dynamic Disk Manager up to version 10.10.1 stems from improper access controls in the ddmdrv.sys kernel driver, allowing a low-privileged local user to interact with privileged driver IOCTLs and gain SYSTEM-level control. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving installations unpatched. No CISA KEV listing or active exploitation has been confirmed at time of analysis.

Authentication Bypass Dynamic Disk Manager
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12778 HIGH POC This Week

Local privilege escalation in AOMEI Partition Assistant through version 10.10.1 allows authenticated low-privileged users to abuse improper access controls in the ampa10.sys kernel driver to gain SYSTEM-level code execution. Publicly available exploit code exists per VulDB, and the vendor did not respond to coordinated disclosure attempts, leaving installations exposed; no public exploit identified at time of analysis as actively used in the wild (not in CISA KEV).

Authentication Bypass Partition Assistant
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12773 MEDIUM POC This Month

Authentication bypass in BerriAI LiteLLM versions 1.59.0 through 1.59.8 allows unauthenticated remote attackers to circumvent the UserAPIKeyAuth function within the experimental MCP Proxy server component, gaining unauthorized access to protected LLM proxy functionality without valid credentials. A public proof-of-concept exploit is confirmed available via GitHub gist (YLChen-007), materially lowering the bar for exploitation. No CISA KEV listing is present at time of analysis, but the network-accessible, zero-authentication attack surface combined with an available PoC warrants urgent remediation prioritization for any deployment with the MCP server component exposed.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-12771 LOW POC Monitor

Improper authorization in LiteLLM's M2M JWT Handler (litellm/proxy/auth/user_api_key_auth.py) enables remote attackers holding low-level credentials to bypass authorization controls in versions 1.82.0 through 1.82.2. The flaw resides in the machine-to-machine JWT authentication pathway of the LiteLLM proxy layer, where manipulated JWT inputs cause the handler to make incorrect authorization decisions, potentially granting unauthorized access to proxied LLM API resources. No active exploitation has been confirmed by CISA KEV, though publicly available exploit code exists (GitHub gist by YLChen-007), and the CVSS 4.0 vector carries an E:P temporal modifier reflecting this proof-of-concept availability; overall risk is tempered by high attack complexity.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-12770 LOW POC Monitor

Improper authorization in BerriAI LiteLLM versions 1.63.0-1.63.1 allows any authenticated user - holding any valid API key regardless of role - to perform admin-restricted operations on other users' API keys, including blocking, unblocking, and modifying budget limits via the `/key/block`, `/key/unblock`, and `/key/update` endpoints. The root cause, confirmed by GitHub PR #23781, is the complete absence of access-control enforcement on these endpoints despite their admin-only documentation. A publicly available proof-of-concept exploit exists on GitHub; this vulnerability is not in the CISA KEV catalog at time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-56346 PHP MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP Avideo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56345 PHP CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload Avideo
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-56341 PHP HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-44914 HIGH This Week

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Restricted-annotated extension components when replacing Process Groups, despite lacking the explicit Restricted-component privilege. The flaw stems from the framework failing to enforce Restricted-annotation checks during Process Group replacement, effectively letting privileged-component installation bypass its intended authorization boundary. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Apache Authentication Bypass Nifi
NVD VulDB
CVSS 4.0
7.5
EPSS
0.3%
CVE-2026-44911 LOW Monitor

Incorrect authorization enforcement in Apache NiFi 1.15.0 through 2.9.0 allows read-privileged users to submit configuration verification requests containing arbitrary proposed properties, bypassing the write-access requirement. The nifi-web-api REST endpoints for component configuration verification accepted proposed configuration overrides from any authenticated user with read access, enabling those users to invoke predefined verification methods - such as testing connectivity, credentials, or remote service endpoints - with attacker-supplied settings. No public exploit has been identified at time of analysis, and the fix is confirmed available in Apache NiFi 2.10.0.

Apache Authentication Bypass Nifi
NVD VulDB
CVSS 4.0
2.3
EPSS
0.3%
CVE-2026-56295 MEDIUM PATCH This Month

Webhook management endpoints in Capgo before 12.128.2 expose an authorization policy bypass that allows holders of non-expiring API keys to circumvent the organization-level require_apikey_expiration policy. The checkWebhookPermission function omits the required call to apikeyHasOrgRightWithPolicy, leaving webhook operations - listing, creating, and deleting - accessible to legacy non-expiring keys even when the organization has explicitly mandated key expiration. No public exploit has been identified at time of analysis, and exploitation requires prior possession of a valid non-expiring API key, targeting organizations that believed their key-expiration policy was uniformly enforced.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56294 npm MEDIUM PATCH This Month

Authentication bypass in cap-go/capacitor-native-biometric allows an attacker with physical device access to circumvent biometric authentication by hooking the onAuthenticationSucceeded() callback via dynamic instrumentation. The root cause is that AuthActivity.java's implementation of BiometricPrompt.AuthenticationCallback never retrieves or validates the CryptoObject from the AuthenticationResult, making the entire cryptographic binding between biometric gesture and protected key material moot. All npm package versions below the patched release are affected. A proof-of-concept video is publicly available per the GHSA advisory, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Capacitor Native Biometric
NVD GitHub VulDB
CVSS 4.0
4.3
EPSS
0.2%
CVE-2026-56276 npm MEDIUM PATCH This Month

Mass assignment in Flowise's PUT /api/v1/user endpoint (all versions before 3.1.2) allows an authenticated user to overwrite their own account's password hash by supplying a crafted `credential` field in the request body, entirely bypassing the intended old-password verification, hashing enforcement, and session-invalidation workflow. An attacker who first obtains a temporary session - via XSS, token theft, or session hijacking - can exploit this to establish permanent account persistence even after the legitimate session expires, with no knowledge of the current password required. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 3.1.2.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2020-37255 HIGH POC PATCH This Week

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Time Capsule Plugin
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2019-25763 CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress PHP Ultimate Addons For Beaver Builder
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-12673 MEDIUM POC PATCH This Month

Privilege escalation in LiquidFiles before 4.2.12 allows an authenticated Admin of a secondary (non-default) domain to elevate to full Sysadmin access by manipulating group settings within their managed secondary domain group. This broken access control flaw (CWE-285) collapses the authorization boundary between domain-scoped Admin and system-wide Sysadmin roles, granting an attacker complete platform control. No public exploitation has been confirmed in CISA KEV, but a public proof-of-concept is available from Project Black (PRJBLK), meaningfully elevating real-world risk above what the 5.9 CVSS score alone suggests.

Privilege Escalation Authentication Bypass Liquidfiles
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-48908 CRITICAL POC KEV EUVD KEV THREAT Emergency

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. Given the unauthenticated network vector and direct RCE outcome, this is a critical-priority issue for any Joomla site running the extension.

PHP Authentication Bypass Sp Page Builder Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.6%
Threat
5.0
CVE-2026-48939 CRITICAL POC KEV THREAT Emergency

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass PHP Icagenda Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.4%
Threat
5.0
CVE-2026-12119 MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP Simple File List
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11912 HIGH This Week

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.

WordPress Authentication Bypass Simple File List
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56215 HIGH PATCH This Week

Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56213 MEDIUM PATCH This Month

Cross-tenant metrics poisoning in Capgo before 12.128.2 allows unauthenticated remote attackers to insert arbitrary rows into the version_meta table for any tenant's app_id by invoking the PostgREST RPC endpoint using only the public anonymous key. The root cause is a missing authorization check inside a SECURITY DEFINER PostgreSQL function, which executes with elevated definer privileges while accepting caller-supplied app_id values without ownership validation. Although no public exploit code or CISA KEV listing exists at time of analysis, the attack requires no credentials beyond the public anon key - typically embedded in distributed client applications - making the practical barrier to exploitation extremely low despite the moderate CVSS 4.0 score of 6.9.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-55866 Go LOW PATCH GHSA Monitor

Authorization bypass in SpiceDB (versions 1.34.0-1.53.x) causes the permission check engine to return unconditional HAS_PERMISSION when the correct response should be CONDITIONAL_PERMISSION, due to a race condition in the dispatch result cache under concurrent API load. Deployments whose schemas combine intersection or exclusion of caveated and non-caveated relation branches are affected when LookupResources (with a context parameter) and CheckPermission or CheckBulkPermissions are issued concurrently for the same subject and resource while the dispatch cache is active. No public exploit has been identified at time of analysis, and all four triggering conditions must simultaneously hold, making this a low-probability but high-consequence authorization integrity issue for systems relying on SpiceDB as an enforcement boundary.

Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
CVE-2026-55775 Go LOW PATCH GHSA Monitor

Namespace path canonicalization in OpenBao (versions 0.1.0 through 2.5.4) allows an authenticated token-holder with delegated namespace management capabilities inside a non-root namespace to operate on the containing (parent) namespace itself, rather than only its children. By passing the reserved literal string 'root' as the target namespace path to any `/sys/namespaces/*` endpoint, the path resolves to the containing namespace after canonicalization - because ACL evaluation occurs before that resolution, the access check passes on the child-scoped policy while the actual operation targets the parent. An attacker exploiting this can look up, delete, lock, or patch custom metadata on the containing namespace, with namespace deletion representing the most severe outcome: destroying all secrets, leases, and policies within it. A working public PoC is published in the GitHub Security Advisory (GHSA-mwr2-wmgp-crj6); no confirmed active exploitation in CISA KEV at time of analysis.

Authentication Bypass Hashicorp
NVD GitHub
CVE-2026-55774 Go LOW PATCH GHSA Monitor

Cross-namespace lease revocation in OpenBao allows authenticated tenants in one namespace to revoke leases belonging to any other namespace, bypassing multi-tenant ACL boundaries. Affected are all OpenBao versions from 0.1.0 through 2.5.4 (Go module pkg:go/github.com/openbao/openbao). An attacker who knows a lease identifier from a foreign namespace - for example through an intentional or accidental leak - can call sys/leases/revoke/:lease_id and force revocation of that namespace's credentials without any authorization to do so in that namespace. No public exploit has been identified at time of analysis, and this is noted as an incomplete fix of the related CVE-2026-45808.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-56082 HIGH PATCH This Week

Cross-tenant billing log tampering in Capgo (Cap-go/capgo) before 12.128.2 allows unauthenticated attackers holding only the public Supabase publishable anon key to insert or overwrite build_logs rows for arbitrary organizations via the SECURITY DEFINER PostgREST RPC public.record_build_time. Because the function is granted to the anon role and uses ON CONFLICT (build_id, org_id) DO UPDATE, attackers can inflate or alter another tenant's billable build time, producing financial-impact denial of service. No public exploit identified at time of analysis, though the vendor advisory (GHSA-42xj-3h9w-26h5) and a VulnCheck write-up describe the attack path in detail.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56080 MEDIUM PATCH This Month

Capgo's Enforce Password Policy feature in versions before 12.128.2 permanently locks Super Admins out of their organization through a backend state management flaw, constituting a targeted denial-of-service against administrative access. When a Super Admin enables the password policy and successfully changes their password to a policy-compliant value, the backend fails to mark the account compliant, trapping the account in an infinite forced-password-reset loop and severing all organization management access. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite and pure availability impact with no confidentiality or integrity consequence.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56073 CRITICAL PATCH Act Now

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering with HTTP responses returned to the client, which the application trusts to decide whether verification succeeded. Successful exploitation enables fraudulent 2FA enrollment and account takeover, and no public exploit has been identified at time of analysis though VulnCheck has published an advisory describing the response-manipulation technique.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-48582 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. As a cloud-hosted service, mitigation is largely Microsoft-managed rather than a customer-applied patch.

Authentication Bypass Microsoft Exchange Online
NVD VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-45480 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.

Authentication Bypass Microsoft Azure Active Directory
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-55255 PyPI HIGH POC KEV PATCH THREAT NEWS GHSA Act Now

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment).

Python Authentication Bypass Information Disclosure Oracle
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.2%
Threat
4.7
CVE-2026-55837 PyPI MEDIUM PATCH GHSA This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure Docker Authentication Bypass
NVD GitHub
CVSS 3.1
6.8
CVE-2026-54911 PyPI MEDIUM PATCH GHSA This Month

Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. This creates a validation bypass window for any application that validates raw bytes before serialization, and no public exploit has been identified at time of analysis, though the flaw is fully described with reproducible examples in the GHSA advisory.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54782 NuGet CRITICAL PATCH GHSA Act Now

Authentication bypass in CoreWCF (NuGet CoreWCF.Primitives) versions prior to 1.8.1 and 1.9.0-1.9.1 allows remote unauthenticated attackers to forge SAML 1.1 and SAML 2.0 assertions and impersonate any principal - including administrative identities - that the trusted STS could issue tokens for. The flaw stems from improper SAML token signature validation (CWE-290) in FederatedSecurityTokenManager, and only the trusted STS's public certificate (discoverable by design) is required. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the CVSS 10.0 score with scope change reflects severe trust-boundary impact.

Authentication Bypass
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-54781 NuGet HIGH PATCH GHSA This Week

Authentication bypass in CoreWCF (SAML 1.1 federation) allows remote attackers to be authenticated as the subject of a signed SAML assertion without proving holder-of-key possession or without a standard SubjectConfirmation method being enforced. Affects CoreWCF.Primitives versions before 1.8.1 and 1.9.0 through 1.9.1 when services consume SAML 1.1 tokens via WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters bindings. No public exploit identified at time of analysis, but the bypass directly defeats per-method authorization policies that federated services rely on.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-54776 NuGet MEDIUM PATCH GHSA This Month

Authentication bypass in CoreWCF.UnixDomainSocket (NuGet) allows local OS users to invoke service operations without completing the required POSIX identity security upgrade, rendering framing-layer identity checks ineffective. Services using UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and ClientCredentialType = PosixIdentity are affected - the server dispatches messages before the application/unixposix stream upgrade is performed, meaning the caller's identity resolves as anonymous or unintended. No public exploit code has been identified and this is not listed in CISA KEV; however, the flaw is a complete bypass of the sole authentication mechanism for this binding configuration.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-50559 HIGH PATCH This Week

Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.

Authentication Bypass Java Quarkus
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-48794 Go LOW PATCH GHSA Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%
CVE-2026-54297 Ruby HIGH POC PATCH GHSA This Week

Denial of service in the Faraday Ruby HTTP client library (versions up to and including 2.14.2) allows remote attackers to crash worker threads by submitting query strings with deeply nested bracket-notation parameters. The Faraday::NestedParamsEncoder recursively walks attacker-controlled nested Hash structures without a depth ceiling, raising an uncaught SystemStackError at roughly 3,000+ levels of nesting (~9.4 KB payload). Publicly available exploit code exists in the GHSA-98m9-hrrm-r99r advisory itself; no public exploit identified at time of analysis in the active-exploitation sense, and impact is limited to availability - no RCE, auth bypass, or data disclosure, despite the input tags listing those categories.

Denial Of Service Authentication Bypass Information Disclosure RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-48772 CRITICAL PATCH Act Now

Source-address spoofing in ProxySQL 2.0.0 through 3.0.8 lets any TCP peer that can reach the MySQL frontend port forge the client IP seen by the query-rule engine, bypassing routing and ACL controls. The flaw stems from incorrect parsing of the HAProxy PROXY protocol v1 `UNKNOWN` token, whose address fields the specification requires receivers to ignore. No public exploit identified at time of analysis, but the vendor advisory describes the attack mechanics in detail and version 3.0.9 ships the fix.

PostgreSQL Authentication Bypass Proxysql
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-49338 Go HIGH POC PATCH GHSA This Week

Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. No public exploit identified at time of analysis, and the issue is patched in commit 6dd71e6 included in version 0.21.0.

Authentication Bypass Gonic
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-12238 MEDIUM This Month

Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated network vector and low attack complexity make it trivially abusable against the wide WordPress install base.

Authentication Bypass WordPress Wp Go Maps Google Map Openstreetmap Leaflet Map
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49291 PyPI HIGH POC PATCH GHSA This Week

Authorization bypass in doobidoo mcp-memory-service prior to 10.65.3 lets OAuth clients with only the read scope invoke mutating MCP tools such as store_memory and delete_memory via the /mcp JSON-RPC endpoint, despite the equivalent REST endpoints correctly enforcing the write scope. Authenticated read-only clients can therefore tamper with or destroy memory entries used by downstream AI applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Mcp Memory Service
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55689 Go HIGH PATCH GHSA This Week

Authentication bypass in OpenFGA versions 1.17.1 and earlier allows a validly-signed JWT issued for an unrelated service to authenticate to OpenFGA, because the OIDC authenticator silently skipped JWT audience (aud) validation whenever authn.oidc.audience was left unset. Any deployment using authn.method=oidc with a configured issuer but no configured audience trusts every token minted by that issuer, so an attacker holding a legitimate token for a different service behind the same identity provider gains full access to OpenFGA's authorization data. There is no public exploit identified at time of analysis and EPSS is low (0.30%, 22nd percentile), but the CVSS 8.1 rating reflects the high confidentiality and integrity impact on a system that governs fine-grained authorization decisions.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55414 Maven MEDIUM PATCH GHSA This Month

Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Deserialization Java SSRF
NVD GitHub
CVSS 3.1
5.3
CVE-2026-55884 Go CRITICAL PATCH GHSA Act Now

Missing authentication in the Tilt HUD HTTP server (Go package github.com/tilt-dev/tilt, versions 0.20.8 through 0.37.3) lets an unauthenticated network attacker trigger developer-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state including the session token, and proxy authenticated calls into the Tilt apiserver. Exploitation is only possible when Tilt is bound to a non-loopback address (via 'tilt up --host 0.0.0.0' or TILT_HOST), not in the safe default loopback configuration. No public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch exists in v0.37.4.

Authentication Bypass
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-9142 CRITICAL Act Now

Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). No public exploit identified at time of analysis, though the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact under default-prone deployments.

Authentication Bypass Grpc Device Instrumentstudio
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-49872 MEDIUM This Month

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.

Authentication Bypass Apache Apache Apisix
NVD VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-47341 MEDIUM This Month

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.

Apache Authentication Bypass Apache Apisix
NVD VulDB
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-4027 HIGH This Week

Unauthorized attachment file access in Flexera FlexNet Manager Suite 2025 R1 and R2 allows authenticated low-privileged users to retrieve attachment files belonging to other tenants or users due to insufficient access control enforcement. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list, but the CVSS 4.0 base score of 7.1 reflects meaningful confidentiality impact over the network with low privileges required. Organizations using FNMS for software asset management and license compliance should review the Flexera Community advisory and apply vendor guidance.

Authentication Bypass Flexnet Manager Suite
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Authentication bypass in Gogs (self-hosted Git service) versions <= 0.14.2 allows any remote attacker who can reach the service to forge the X-WEBAUTH-USER header and impersonate any account, including administrators, when ENABLE_REVERSE_PROXY_AUTHENTICATION is turned on. Because Gogs trusts the reverse-proxy auth header without verifying the request actually came from the proxy, an attacker can also trigger automatic admin-level account creation if auto-registration is enabled. Publicly available exploit code exists (a single curl one-liner in the advisory); it is not in CISA KEV and no EPSS score was supplied.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

### Summary The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.

Authentication Bypass Qsnapper
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.

Authentication Bypass Google Cloud Console Uis
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Authentication bypass in IBM WebSphere Application Server 8.5 and 9.0 allows remote attackers to gain unauthorized access to JAX-WS web service applications without valid credentials. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but a vendor patch is available via IBM support advisory 7276597.

IBM Authentication Bypass Websphere Application Server
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, and 5.3 could allow an authenticated user to bypass client-side validation and manipulate input data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

IBM Authentication Bypass Db2 On Cloud Pak For Data And Db2 Warehouse On Cloud Pak For Data
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.

IBM Authentication Bypass Datacap +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Session hijacking in Chainlit before 2.10.1 allows remote attackers with a valid victim sessionId to inherit an authenticated user's session via the WebSocket restore_existing_session path, which fails to verify session ownership. Successful exploitation grants the attacker the victim's roles and permissions, enabling unauthorized tool invocation and access to restricted data. No public exploit identified at time of analysis; EPSS is low (0.30%) and the issue is not listed in CISA KEV.

Authentication Bypass Chainlit
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected Model Context Protocol (MCP) project resources and invoke MCP operations through the Streamable MCP transport endpoint. The CVSS 9.8 rating reflects unauthenticated network exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

IBM Authentication Bypass Langflow Oss
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows (versions 8.1.0.0 through 8.2.1.0) allows remote unauthenticated attackers to impersonate legitimate clients via hardcoded credentials embedded in the FlashCopy Manager (FCM) authentication mechanism. The flaw, classified as CWE-798 with a CVSS 9.1 critical rating, enables attackers to establish trusted sessions and access protected backup services. There is no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at 0.33% (24th percentile), but IBM has released a vendor advisory and patch.

IBM Microsoft Authentication Bypass +2
NVD VulDB
EPSS 0% CVSS 3.8
LOW Monitor

Incorrect authorization in Mattermost's demote-user API allows a lower-privileged administrator to degrade arbitrary bot accounts to guest status, affecting versions 11.7.0 and 10.11.17 and earlier. The root cause is missing validation of whether the target of a demotion operation is a bot account, meaning an admin who lacks full system privileges can still weaponize the standard API endpoint against bot identities. No public exploit exists and the vulnerability is not listed in CISA KEV; its real-world priority is low given the high-privilege requirement and limited blast radius.

Mattermost Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Subscription hijacking in Mattermost allows authenticated low-privileged users to take control of subscriptions belonging to channels they have no access to by submitting a crafted PUT request to the subscription edit endpoint. The root cause is a missing channel ownership validation check, classified as an Insecure Direct Object Reference (CWE-639), affecting versions across four active release branches (10.11.x, 11.5.x, 11.6.x, 11.7.x). No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. No public exploit has been identified at time of analysis, but a successful injection corrupts the integration's trust handshake, yielding high integrity and availability impact against the Jira connection. The vendor CVSS vector assigns PR:L, which conflicts with the description's 'remote unauthenticated attacker' language - this discrepancy warrants direct verification with Mattermost advisory MMSA-2026-00654.

Atlassian Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 3.8
LOW Monitor

{id}/active endpoint despite lacking the Integrations permission required to manage bots. The server fails to apply bot-specific permission checks at this endpoint, accepting the deactivation request based solely on user management write access. While no public exploit has been identified at time of analysis, successful abuse disrupts any automated workflows or integration pipelines dependent on the targeted bot accounts.

Mattermost Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

The /gitlab connect slash command in Mattermost fails to enforce administrator-level authorization on the setDefaultInstance call, enabling any authenticated user to overwrite the workspace-wide default GitLab instance configuration. Affected across four concurrent release trains (11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17), this missing authorization flaw (CWE-862) is exploitable by any valid Mattermost account holder without elevated privileges. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and low privilege requirement make this accessible to any workspace member targeting GitLab integration infrastructure.

Mattermost Gitlab Authentication Bypass
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.

Code Injection IBM Python +3
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Improper access control in the Grafana Snowflake datasource plugin (versions 1.14.7 through 1.14.12) lets any user permitted to run queries against the data source invoke Snowflake GET/PUT commands to read and write files between the local Grafana server and the connected Snowflake host. The flaw effectively turns query permissions into a file-transfer primitive that crosses the trust boundary between the Grafana host and Snowflake. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 14th percentile), and CISA SSVC marks exploitation as none, but the technical impact is rated total.

Grafana Snowflake Datasource Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Unlimited OTP brute-force against AIL Framework's two-factor authentication endpoint allows an attacker who already possesses a valid account password to bypass the second authentication factor entirely and gain unauthorized account access. The verify_2fa() route accepted an unbounded number of OTP submissions without incrementing a failure counter or enforcing a lockout, and the implementation uses counter-based HOTP rather than time-limited TOTP, removing the time-window throttle that would otherwise constrain brute-force speed. No public exploit code or CISA KEV listing exists at time of analysis, but the prerequisite of a valid password - obtainable via phishing or credential dumps - makes this a realistic threat against any AIL deployment where 2FA is meant to serve as a meaningful access boundary.

Authentication Bypass Ail Framework
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. Vendor patches are available via multiple MISP GitHub commits; no public exploit identified at time of analysis.

Authentication Bypass Misp
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or perm_sharing_group role flag hard-delete Event Reports and Sharing Groups belonging to other organisations across the entire instance. The flaw affects MISP threat-intelligence platform deployments and enables cross-tenant data destruction by contributor-level accounts; no public exploit identified at time of analysis, but the upstream patch commits are public and trivially reverse-engineerable.

Authentication Bypass Misp
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organizations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row than the one the authorization check validated. No public exploit identified at time of analysis, but a vendor patch is available and the high CVSS 4.0 score of 9.4 reflects broad cross-tenant impact.

Authentication Bypass Misp
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.

Authentication Bypass Safeline Sl6 Sl6
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

WordPress CSRF Motors +1
NVD WPScan VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Cluster-wide remote code execution in LY Corporation's centraldogma-server prior to 0.84.0 occurs when ZooKeeper replication is enabled without explicitly configuring replication.secret, causing the embedded ZooKeeper ensemble to authenticate using a hard-coded, publicly known fallback credential. An adjacent attacker with network reachability to the replication ports can read the entire replication log or join the quorum to issue arbitrary replicated commands. No public exploit identified at time of analysis, but the issue is a default-credential failure that is trivial to weaponize once discovered.

Central Dogma Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in phpMyFAQ before 4.1.4 allows authenticated non-SuperAdmin users holding the edit_user permission to promote themselves to SuperAdmin via missing authorization checks in the editUser() and updateUserRights() endpoints. The flaw lets a low-tier administrator set the is_superadmin flag or grant arbitrary rights, fully compromising the FAQ application; publicly available exploit code exists is not asserted, and at time of analysis no public exploit identified at time of analysis.

Authentication Bypass Phpmyfaq
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Craft CMS's `assets/preview-file` endpoint exposes private asset preview content to authenticated low-privileged users who lack view permission on the targeted asset. Affected installations running Craft CMS 4.0.0-RC1 through 4.17.7 or 5.0.0-RC1 through 5.9.13 with mixed-privilege users and private assets are vulnerable to unauthorized disclosure of preview HTML and private asset image routes. No public exploit or CISA KEV listing has been identified; patches are available in versions 4.17.8 and 5.9.14.

Authentication Bypass Cms
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in the Craft CMS `assets/preview-thumb` Control Panel endpoint allows any authenticated low-privilege CP user to obtain signed transform preview URLs for private assets they are not permitted to view, by supplying an attacker-controlled `assetId`. Affected installations span the 4.x branch (4.0.0-RC1 through 4.17.7) and 5.x branch (5.0.0-RC1 through 5.9.13); patches are available in 4.17.8 and 5.9.14. No public exploit or active exploitation has been identified at time of analysis.

Authentication Bypass Cms
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to forge valid JWT tokens because the signing key defaults to the hardcoded value 'mysecret' present in the public source code. Anyone aware of the default secret can mint tokens for arbitrary users and obtain full access to protected crawling, extraction, JavaScript execution, and configuration endpoints. No public exploit identified at time of analysis, but the underlying weakness is trivially reproducible from the upstream repository.

Docker Authentication Bypass Crawl4ai
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated organization member enumeration in Capgo before 12.128.2 allows remote attackers to harvest email addresses, user IDs, roles, and pending invitations by invoking the public.get_org_members RPC with only a publishable Supabase key and a target organization UUID. The flaw, reported by VulnCheck and tracked as EUVD-2026-38169, carries a CVSS 4.0 score of 8.7 and reflects a broken access control check on a public Postgres RPC. No public exploit identified at time of analysis, but the trivial invocation makes mass scraping straightforward once an org UUID is known.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated API clients read build status and logs belonging to other applications by combining an authorized app_id with a job_id from a different, unauthorized app. The /build/status and /build/logs endpoints validate the app_id but fail to verify that the supplied job_id actually belongs to that application, exposing logs, metadata, and potentially embedded credentials across tenant boundaries. No public exploit identified at time of analysis, though VulnCheck has published an advisory with technical details.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in BerriAI LiteLLM versions up to 1.82.2 allows authenticated low-privilege users to access user data beyond their permitted scope via the `ui_view_users` management endpoint - an incomplete remediation of the prior CVE-2025-0628 authorization bypass in the same function. A public proof-of-concept exploit is available on GitHub (YLChen-007), confirming practical exploitability. No active exploitation is confirmed (not in CISA KEV), and the authentication requirement (CVSS 4.0 PR:L) constrains the attacker pool to those already holding valid credentials on the target proxy.

Authentication Bypass Litellm
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Incorrect authorization in BerriAI LiteLLM's enterprise banned keywords hook allows remote low-privileged authenticated users to bypass prompt content filtering by manipulating the `prompt` argument to the `async_pre_call_hook` function in `enterprise/enterprise_hooks/banned_keywords.py`. All versions in the 1.82.x series up to and including 1.82.5 are confirmed affected. A public proof-of-concept exploit is available via GitHub Gist, materially increasing the risk for enterprise deployments that rely on the banned keywords feature as a compliance or safety enforcement boundary; no confirmed CISA KEV listing exists at time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoint to unauthenticated remote attackers, enabling authentication bypass against versions up to 1.82.2. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is network-exploitable with no privileges or user interaction required. A public proof-of-concept has been disclosed on GitHub, elevating practical risk beyond the moderate base score alone; no active exploitation has been confirmed by CISA KEV at the time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Local privilege escalation in EZB Systems UltraISO Premium Edition up to 9.76 stems from improper access controls in the bundled bootpt64.sys kernel driver, allowing an authenticated local user to abuse the driver and achieve high-integrity kernel-level impact on confidentiality, integrity, and availability. Publicly available exploit code exists, and the vendor was contacted but did not respond, leaving all currently shipped versions unpatched.

Authentication Bypass Ultraiso Premium Edition
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Local privilege escalation in IM-Magic Partition Resizer up to 7.9.0 stems from improper access controls in the MDA_NTDRV.sys kernel driver, allowing a low-privileged local user to gain elevated kernel-level capabilities. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, leaving all currently shipped versions (7.0 through 7.9.0) without a fix. No public exploit identified as being used in attacks (not in CISA KEV), but POC weaponization risk is elevated given the unpatched status.

Authentication Bypass Partition Resizer
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Local privilege escalation in EaseUS Partition Master versions 14.0 through 14.5 allows low-privileged users to abuse the EUEDKEPM.sys kernel driver due to improper access controls (CWE-284). Publicly available exploit code exists and the vendor has released a patched version, though the issue is not listed in CISA KEV. The flaw maps to authentication-bypass behavior at the kernel-driver interface, giving attackers a path from a standard user account to SYSTEM-level capabilities.

Authentication Bypass Partition Master
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Local privilege escalation in EaseUS Partition Master through version 14.5 stems from improper access controls in the epmntdrv.sys kernel driver, allowing a low-privileged local user to gain SYSTEM-level control over the host. Publicly available exploit code exists and the vendor has confirmed the issue was resolved in newer releases, though no specific patched version is named in the advisory.

Authentication Bypass Partition Master
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Local privilege escalation in AOMEI Backupper through 8.3.0 stems from improper access controls in the bundled kernel driver amwrtdrv.sys, allowing an authenticated local user to abuse driver IOCTLs and escalate privileges. Publicly available exploit code exists for this issue, and the vendor was contacted but has not responded, leaving customers without an official fix. The CVSS 4.0 base score is 7.1 with local attack vector and low privileges required, reflecting realistic post-foothold risk rather than remote compromise.

Authentication Bypass Backupper
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Local privilege escalation in AOMEI Dynamic Disk Manager up to version 10.10.1 stems from improper access controls in the ddmdrv.sys kernel driver, allowing a low-privileged local user to interact with privileged driver IOCTLs and gain SYSTEM-level control. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving installations unpatched. No CISA KEV listing or active exploitation has been confirmed at time of analysis.

Authentication Bypass Dynamic Disk Manager
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

Local privilege escalation in AOMEI Partition Assistant through version 10.10.1 allows authenticated low-privileged users to abuse improper access controls in the ampa10.sys kernel driver to gain SYSTEM-level code execution. Publicly available exploit code exists per VulDB, and the vendor did not respond to coordinated disclosure attempts, leaving installations exposed; no public exploit identified at time of analysis as actively used in the wild (not in CISA KEV).

Authentication Bypass Partition Assistant
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in BerriAI LiteLLM versions 1.59.0 through 1.59.8 allows unauthenticated remote attackers to circumvent the UserAPIKeyAuth function within the experimental MCP Proxy server component, gaining unauthorized access to protected LLM proxy functionality without valid credentials. A public proof-of-concept exploit is confirmed available via GitHub gist (YLChen-007), materially lowering the bar for exploitation. No CISA KEV listing is present at time of analysis, but the network-accessible, zero-authentication attack surface combined with an available PoC warrants urgent remediation prioritization for any deployment with the MCP server component exposed.

Authentication Bypass Litellm
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC Monitor

Improper authorization in LiteLLM's M2M JWT Handler (litellm/proxy/auth/user_api_key_auth.py) enables remote attackers holding low-level credentials to bypass authorization controls in versions 1.82.0 through 1.82.2. The flaw resides in the machine-to-machine JWT authentication pathway of the LiteLLM proxy layer, where manipulated JWT inputs cause the handler to make incorrect authorization decisions, potentially granting unauthorized access to proxied LLM API resources. No active exploitation has been confirmed by CISA KEV, though publicly available exploit code exists (GitHub gist by YLChen-007), and the CVSS 4.0 vector carries an E:P temporal modifier reflecting this proof-of-concept availability; overall risk is tempered by high attack complexity.

Authentication Bypass Litellm
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in BerriAI LiteLLM versions 1.63.0-1.63.1 allows any authenticated user - holding any valid API key regardless of role - to perform admin-restricted operations on other users' API keys, including blocking, unblocking, and modifying budget limits via the `/key/block`, `/key/unblock`, and `/key/update` endpoints. The root cause, confirmed by GitHub PR #23781, is the complete absence of access-control enforcement on these endpoints despite their admin-only documentation. A publicly available proof-of-concept exploit exists on GitHub; this vulnerability is not in the CISA KEV catalog at time of analysis.

Authentication Bypass Litellm
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Restricted-annotated extension components when replacing Process Groups, despite lacking the explicit Restricted-component privilege. The flaw stems from the framework failing to enforce Restricted-annotation checks during Process Group replacement, effectively letting privileged-component installation bypass its intended authorization boundary. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Apache Authentication Bypass Nifi
NVD VulDB
EPSS 0% CVSS 2.3
LOW Monitor

Incorrect authorization enforcement in Apache NiFi 1.15.0 through 2.9.0 allows read-privileged users to submit configuration verification requests containing arbitrary proposed properties, bypassing the write-access requirement. The nifi-web-api REST endpoints for component configuration verification accepted proposed configuration overrides from any authenticated user with read access, enabling those users to invoke predefined verification methods - such as testing connectivity, credentials, or remote service endpoints - with attacker-supplied settings. No public exploit has been identified at time of analysis, and the fix is confirmed available in Apache NiFi 2.10.0.

Apache Authentication Bypass Nifi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Webhook management endpoints in Capgo before 12.128.2 expose an authorization policy bypass that allows holders of non-expiring API keys to circumvent the organization-level require_apikey_expiration policy. The checkWebhookPermission function omits the required call to apikeyHasOrgRightWithPolicy, leaving webhook operations - listing, creating, and deleting - accessible to legacy non-expiring keys even when the organization has explicitly mandated key expiration. No public exploit has been identified at time of analysis, and exploitation requires prior possession of a valid non-expiring API key, targeting organizations that believed their key-expiration policy was uniformly enforced.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authentication bypass in cap-go/capacitor-native-biometric allows an attacker with physical device access to circumvent biometric authentication by hooking the onAuthenticationSucceeded() callback via dynamic instrumentation. The root cause is that AuthActivity.java's implementation of BiometricPrompt.AuthenticationCallback never retrieves or validates the CryptoObject from the AuthenticationResult, making the entire cryptographic binding between biometric gesture and protected key material moot. All npm package versions below the patched release are affected. A proof-of-concept video is publicly available per the GHSA advisory, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Capacitor Native Biometric
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Mass assignment in Flowise's PUT /api/v1/user endpoint (all versions before 3.1.2) allows an authenticated user to overwrite their own account's password hash by supplying a crafted `credential` field in the request body, entirely bypassing the intended old-password verification, hashing enforcement, and session-invalidation workflow. An attacker who first obtains a temporary session - via XSS, token theft, or session hijacking - can exploit this to establish permanent account persistence even after the legitimate session expires, with no knowledge of the current password required. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 3.1.2.

Authentication Bypass Flowise
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Time Capsule Plugin
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Privilege escalation in LiquidFiles before 4.2.12 allows an authenticated Admin of a secondary (non-default) domain to elevate to full Sysadmin access by manipulating group settings within their managed secondary domain group. This broken access control flaw (CWE-285) collapses the authorization boundary between domain-scoped Admin and system-wide Sysadmin roles, granting an attacker complete platform control. No public exploitation has been confirmed in CISA KEV, but a public proof-of-concept is available from Project Black (PRJBLK), meaningfully elevating real-world risk above what the 5.9 CVSS score alone suggests.

Privilege Escalation Authentication Bypass Liquidfiles
NVD VulDB
EPSS 1% 5.0 CVSS 10.0
CRITICAL POC KEV EUVD KEV THREAT Emergency

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. Given the unauthenticated network vector and direct RCE outcome, this is a critical-priority issue for any Joomla site running the extension.

PHP Authentication Bypass Sp Page Builder Extension For Joomla
NVD VulDB GitHub
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV THREAT Emergency

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass PHP Icagenda Extension For Joomla
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.

WordPress Authentication Bypass Simple File List
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-tenant metrics poisoning in Capgo before 12.128.2 allows unauthenticated remote attackers to insert arbitrary rows into the version_meta table for any tenant's app_id by invoking the PostgREST RPC endpoint using only the public anonymous key. The root cause is a missing authorization check inside a SECURITY DEFINER PostgreSQL function, which executes with elevated definer privileges while accepting caller-supplied app_id values without ownership validation. Although no public exploit code or CISA KEV listing exists at time of analysis, the attack requires no credentials beyond the public anon key - typically embedded in distributed client applications - making the practical barrier to exploitation extremely low despite the moderate CVSS 4.0 score of 6.9.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 3.7
LOW PATCH Monitor

Authorization bypass in SpiceDB (versions 1.34.0-1.53.x) causes the permission check engine to return unconditional HAS_PERMISSION when the correct response should be CONDITIONAL_PERMISSION, due to a race condition in the dispatch result cache under concurrent API load. Deployments whose schemas combine intersection or exclusion of caveated and non-caveated relation branches are affected when LookupResources (with a context parameter) and CheckPermission or CheckBulkPermissions are issued concurrently for the same subject and resource while the dispatch cache is active. No public exploit has been identified at time of analysis, and all four triggering conditions must simultaneously hold, making this a low-probability but high-consequence authorization integrity issue for systems relying on SpiceDB as an enforcement boundary.

Authentication Bypass
NVD GitHub
LOW PATCH Monitor

Namespace path canonicalization in OpenBao (versions 0.1.0 through 2.5.4) allows an authenticated token-holder with delegated namespace management capabilities inside a non-root namespace to operate on the containing (parent) namespace itself, rather than only its children. By passing the reserved literal string 'root' as the target namespace path to any `/sys/namespaces/*` endpoint, the path resolves to the containing namespace after canonicalization - because ACL evaluation occurs before that resolution, the access check passes on the child-scoped policy while the actual operation targets the parent. An attacker exploiting this can look up, delete, lock, or patch custom metadata on the containing namespace, with namespace deletion representing the most severe outcome: destroying all secrets, leases, and policies within it. A working public PoC is published in the GitHub Security Advisory (GHSA-mwr2-wmgp-crj6); no confirmed active exploitation in CISA KEV at time of analysis.

Authentication Bypass Hashicorp
NVD GitHub
LOW PATCH Monitor

Cross-namespace lease revocation in OpenBao allows authenticated tenants in one namespace to revoke leases belonging to any other namespace, bypassing multi-tenant ACL boundaries. Affected are all OpenBao versions from 0.1.0 through 2.5.4 (Go module pkg:go/github.com/openbao/openbao). An attacker who knows a lease identifier from a foreign namespace - for example through an intentional or accidental leak - can call sys/leases/revoke/:lease_id and force revocation of that namespace's credentials without any authorization to do so in that namespace. No public exploit has been identified at time of analysis, and this is noted as an incomplete fix of the related CVE-2026-45808.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant billing log tampering in Capgo (Cap-go/capgo) before 12.128.2 allows unauthenticated attackers holding only the public Supabase publishable anon key to insert or overwrite build_logs rows for arbitrary organizations via the SECURITY DEFINER PostgREST RPC public.record_build_time. Because the function is granted to the anon role and uses ON CONFLICT (build_id, org_id) DO UPDATE, attackers can inflate or alter another tenant's billable build time, producing financial-impact denial of service. No public exploit identified at time of analysis, though the vendor advisory (GHSA-42xj-3h9w-26h5) and a VulnCheck write-up describe the attack path in detail.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Capgo's Enforce Password Policy feature in versions before 12.128.2 permanently locks Super Admins out of their organization through a backend state management flaw, constituting a targeted denial-of-service against administrative access. When a Super Admin enables the password policy and successfully changes their password to a policy-compliant value, the backend fails to mark the account compliant, trapping the account in an infinite forced-password-reset loop and severing all organization management access. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite and pure availability impact with no confidentiality or integrity consequence.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering with HTTP responses returned to the client, which the application trusts to decide whether verification succeeded. Successful exploitation enables fraudulent 2FA enrollment and account takeover, and no public exploit has been identified at time of analysis though VulnCheck has published an advisory describing the response-manipulation technique.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. As a cloud-hosted service, mitigation is largely Microsoft-managed rather than a customer-applied patch.

Authentication Bypass Microsoft Exchange Online
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.

Authentication Bypass Microsoft Azure Active Directory
NVD VulDB
EPSS 0% 4.7 CVSS 8.4
HIGH POC KEV PATCH THREAT Act Now

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment).

Python Authentication Bypass Information Disclosure +1
NVD GitHub VulDB
CVSS 6.8
MEDIUM PATCH This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. This creates a validation bypass window for any application that validates raw bytes before serialization, and no public exploit has been identified at time of analysis, though the flaw is fully described with reproducible examples in the GHSA advisory.

Python Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in CoreWCF (NuGet CoreWCF.Primitives) versions prior to 1.8.1 and 1.9.0-1.9.1 allows remote unauthenticated attackers to forge SAML 1.1 and SAML 2.0 assertions and impersonate any principal - including administrative identities - that the trusted STS could issue tokens for. The flaw stems from improper SAML token signature validation (CWE-290) in FederatedSecurityTokenManager, and only the trusted STS's public certificate (discoverable by design) is required. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the CVSS 10.0 score with scope change reflects severe trust-boundary impact.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass in CoreWCF (SAML 1.1 federation) allows remote attackers to be authenticated as the subject of a signed SAML assertion without proving holder-of-key possession or without a standard SubjectConfirmation method being enforced. Affects CoreWCF.Primitives versions before 1.8.1 and 1.9.0 through 1.9.1 when services consume SAML 1.1 tokens via WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters bindings. No public exploit identified at time of analysis, but the bypass directly defeats per-method authorization policies that federated services rely on.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Authentication bypass in CoreWCF.UnixDomainSocket (NuGet) allows local OS users to invoke service operations without completing the required POSIX identity security upgrade, rendering framing-layer identity checks ineffective. Services using UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and ClientCredentialType = PosixIdentity are affected - the server dispatches messages before the application/unixposix stream upgrade is performed, meaning the caller's identity resolves as anonymous or unintended. No public exploit code has been identified and this is not listed in CISA KEV; however, the flaw is a complete bypass of the sole authentication mechanism for this binding configuration.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.

Authentication Bypass Java Quarkus
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in the Faraday Ruby HTTP client library (versions up to and including 2.14.2) allows remote attackers to crash worker threads by submitting query strings with deeply nested bracket-notation parameters. The Faraday::NestedParamsEncoder recursively walks attacker-controlled nested Hash structures without a depth ceiling, raising an uncaught SystemStackError at roughly 3,000+ levels of nesting (~9.4 KB payload). Publicly available exploit code exists in the GHSA-98m9-hrrm-r99r advisory itself; no public exploit identified at time of analysis in the active-exploitation sense, and impact is limited to availability - no RCE, auth bypass, or data disclosure, despite the input tags listing those categories.

Denial Of Service Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Source-address spoofing in ProxySQL 2.0.0 through 3.0.8 lets any TCP peer that can reach the MySQL frontend port forge the client IP seen by the query-rule engine, bypassing routing and ACL controls. The flaw stems from incorrect parsing of the HAProxy PROXY protocol v1 `UNKNOWN` token, whose address fields the specification requires receivers to ignore. No public exploit identified at time of analysis, but the vendor advisory describes the attack mechanics in detail and version 3.0.9 ships the fix.

PostgreSQL Authentication Bypass Proxysql
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. No public exploit identified at time of analysis, and the issue is patched in commit 6dd71e6 included in version 0.21.0.

Authentication Bypass Gonic
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated network vector and low attack complexity make it trivially abusable against the wide WordPress install base.

Authentication Bypass WordPress Wp Go Maps Google Map Openstreetmap Leaflet Map
NVD VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Authorization bypass in doobidoo mcp-memory-service prior to 10.65.3 lets OAuth clients with only the read scope invoke mutating MCP tools such as store_memory and delete_memory via the /mcp JSON-RPC endpoint, despite the equivalent REST endpoints correctly enforcing the write scope. Authenticated read-only clients can therefore tamper with or destroy memory entries used by downstream AI applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Mcp Memory Service
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in OpenFGA versions 1.17.1 and earlier allows a validly-signed JWT issued for an unrelated service to authenticate to OpenFGA, because the OIDC authenticator silently skipped JWT audience (aud) validation whenever authn.oidc.audience was left unset. Any deployment using authn.method=oidc with a configured issuer but no configured audience trusts every token minted by that issuer, so an attacker holding a legitimate token for a different service behind the same identity provider gains full access to OpenFGA's authorization data. There is no public exploit identified at time of analysis and EPSS is low (0.30%, 22nd percentile), but the CVSS 8.1 rating reflects the high confidentiality and integrity impact on a system that governs fine-grained authorization decisions.

Authentication Bypass
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Deserialization Java +1
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Missing authentication in the Tilt HUD HTTP server (Go package github.com/tilt-dev/tilt, versions 0.20.8 through 0.37.3) lets an unauthenticated network attacker trigger developer-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state including the session token, and proxy authenticated calls into the Tilt apiserver. Exploitation is only possible when Tilt is bound to a non-loopback address (via 'tilt up --host 0.0.0.0' or TILT_HOST), not in the safe default loopback configuration. No public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch exists in v0.37.4.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). No public exploit identified at time of analysis, though the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact under default-prone deployments.

Authentication Bypass Grpc Device Instrumentstudio
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.

Authentication Bypass Apache Apache Apisix
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.

Apache Authentication Bypass Apache Apisix
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Unauthorized attachment file access in Flexera FlexNet Manager Suite 2025 R1 and R2 allows authenticated low-privileged users to retrieve attachment files belonging to other tenants or users due to insufficient access control enforcement. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list, but the CVSS 4.0 base score of 7.1 reflects meaningful confidentiality impact over the network with low privileges required. Organizations using FNMS for software asset management and license compliance should review the Flexera Community advisory and apply vendor guidance.

Authentication Bypass Flexnet Manager Suite
NVD VulDB
Prev Page 17 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy