Authentication Bypass

SimStudio has a second authorization flaw in the OAuth token endpoint that allows privilege escalation through crafted token requests.

The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users. [CVSS 7.5 HIGH]

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials.

Authenticated users in wpForo Forum 2.4.14 can manipulate forum topic states by exploiting improper authorization checks in the wpforo_close_ajax handler, allowing them to close or reopen discussions they should not have permission to modify. An attacker with subscriber privileges can craft requests with valid nonces to bypass moderator permission validation and disrupt forum operations. No patch is currently available for this vulnerability.

Insufficient authorization controls in wpForo Forum 2.4.14 enable authenticated users to manipulate forum post moderation status through the wpforo_approve_ajax handler, allowing them to approve or reject posts outside their assigned permissions. The vulnerability relies on a weak nonce-only validation that fails to verify user role authorization before processing moderation actions. While patches are not currently available, this impacts forum administrators' ability to maintain content moderation integrity on affected installations.

Timepictra versions up to 11.3 is affected by missing authentication for critical function (CVSS 7.5).

Authentication bypass via unsafe extract() function in WeGIA before 3.6.5. The extract() call on user-controlled data allows overwriting authentication variables. EPSS 0.7% with PoC available.

Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.

Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potentially enabling unauthorized access to shared resources after user removal.

Calibre Content Server's brute-force protection can be bypassed by manipulating the X-Forwarded-For HTTP header, allowing attackers to circumvent IP-based account lockouts and conduct credential stuffing attacks. Public exploit code exists for this vulnerability, which affects Calibre versions prior to 9.4.0 and poses a significant risk to internet-exposed servers where brute-force protection is the primary authentication defense mechanism. No patch is currently available for affected versions.

Seerr prior to version 3.1.0 leaks sensitive third-party API credentials (Pushover, Pushbullet, Telegram) through the GET /api/v1/user/:id endpoint to any authenticated user regardless of privilege level. When combined with CVE-2026-27707 (unauthenticated account creation), an attacker can gain zero-prior-access to extract credentials for all users including administrators. The vulnerability is fixed in version 3.1.0.

Seerr versions 2.7.0 through 3.0.x contain an authorization bypass in push subscription API endpoints that allows authenticated users to read and modify other users' data due to missing permission checks. An attacker with valid credentials can exploit this to access sensitive information and alter configurations belonging to arbitrary accounts. The vulnerability is fixed in version 3.1.0.

Weak session identifier generation in SODOLA SL902-SWTGW124AS network switch firmware allows attackers to predict session tokens and hijack administrative sessions.

Session cookie forgery in SODOLA SL902-SWTGW124AS firmware through version 200.1.20 stems from the use of cryptographically broken MD5 hashing for session token generation, allowing unauthenticated remote attackers to forge valid session cookies and gain unauthorized device access. The vulnerability requires no user interaction and affects all default configurations, with no patch currently available. MD5's known collision vulnerabilities combined with predictable token generation significantly lower the computational barrier for successful exploitation.

Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by improper restriction of excessive authentication attempts (CVSS 6.5).

Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. [CVSS 8.2 HIGH]

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13.

Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges.

Hardcoded email credentials stored as plaintext in Johnson Controls Frick Controls firmware. Sixth critical vulnerability — exposed credentials could enable account access and lateral movement.

A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]

Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).

The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage. [CVSS 4.3 MEDIUM]

Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.

Unitree robotics firmware updates can be modified and executed by local attackers due to inadequate encryption of the firmware protection mechanism, allowing arbitrary code execution on affected Go1 and Go2 models. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with physical or local access could tamper with firmware packages to gain complete control over the device.

Validation bypass in OpenClaw tools.exec.safeBins allows shell command execution through GNU long-option abbreviation. Attackers can abuse the 'sort' binary whitelist entry to execute arbitrary commands via abbreviated flags. CVSS 9.9.

Multiple IpTIME router firmware versions (T5008, AX2004M, AX3000Q, AX6000M) through 15.26.8 contain an authentication bypass vulnerability that exposes sensitive information to unauthenticated remote attackers. An attacker can leverage this flaw to access confidential device data without valid credentials. No patch is currently available for affected devices.

Mobility46.Se's WebSocket implementation allows multiple connections to share predictable session identifiers, enabling attackers to intercept and hijack active charging station sessions without authentication. An attacker can impersonate legitimate stations to execute arbitrary backend commands, intercept communications, or launch denial-of-service attacks by flooding the service with valid session requests. No patch is currently available for this vulnerability.

Missing WebSocket authentication — sixth CVE in the industrial platform WebSocket family. Same pattern of unauthenticated access enabling station impersonation and data injection.

Mobility46.Se's WebSocket API fails to implement authentication rate limiting, enabling remote attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force attacks to compromise accounts. The vulnerability requires no authentication or user interaction and affects all network-accessible instances. No patch is currently available.

Ev.Energy's WebSocket implementation accepts duplicate session identifiers from multiple endpoints, allowing attackers to hijack active charging station sessions through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate stations to intercept commands, authenticate as other users, or disrupt service by flooding the backend with spoofed session requests. No patch is currently available.

Ev.Energy charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain access identifiers. An attacker with these credentials could potentially intercept or manipulate charging sessions and related data. No patch is currently available for this exposure.

Copeland XWEB Pro firmware versions 1.12.1 and earlier suffer from an authentication bypass vulnerability where malformed authentication responses are incorrectly validated as legitimate, allowing unauthenticated remote attackers to gain unauthorized access. The flaw affects multiple XWEB Pro models (500d, 300d, and 500b) with a CVSS score of 8.6 indicating high severity, though no patch is currently available. An attacker exploiting this vulnerability could bypass security controls and potentially access sensitive device functionality without valid credentials.

Ev.Energy's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force credential attacks without restriction. This vulnerability affects all unauthenticated network-based interactions with the affected application and has no available patch at this time.

Mobility46.Se charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated attackers to obtain sensitive authentication data. This disclosure could enable unauthorized access to charging infrastructure and associated user accounts. No patch is currently available to address this exposure.

Authentication bypass in Copeland XWEB Pro HVAC controller version 1.12.1 and prior due to weak cryptographic algorithm. CVSS 10.0 — any unauthenticated attacker can gain full system access to building automation controllers.

Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. [CVSS 6.5 MEDIUM]

Switchenergy.Com exposes charging station authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated attackers to discover and potentially intercept sensitive authentication data. This vulnerability affects users and operators relying on the platform's mapping functionality and could enable unauthorized access to charging infrastructure. No patch is currently available to address this exposure.

Missing WebSocket authentication — fifth CVE in the industrial platform WebSocket family. Same CWE-306 pattern enabling unauthenticated access and station impersonation.

Missing WebSocket authentication — fourth CVE in the industrial platform WebSocket family. Same CWE-306 root cause enabling unauthenticated station impersonation.

Session hijacking in Cloudcharge.Se's WebSocket backend allows remote attackers to impersonate legitimate charging stations by exploiting predictable session identifiers and the acceptance of duplicate connections, enabling command interception and station displacement. An attacker can authenticate as other users or trigger denial-of-service conditions by flooding the backend with valid session requests. No patch is currently available.

Ev2go.Io's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force attacks to compromise user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and low exploit prevalence, this represents a significant availability and authentication risk requiring immediate mitigation.

Missing WebSocket authentication vulnerability — same family as CVE-2026-20781 and CVE-2026-24731. Unauthenticated access to WebSocket endpoints enables station impersonation.

Session hijacking in Swtchenergy.Com's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept backend commands by exploiting predictable and non-unique session identifiers. An attacker can authenticate as other users, redirect charging station communications, or launch denial-of-service attacks by flooding the backend with valid session requests. No patch is currently available for this vulnerability.

Chargemap.Com's WebSocket backend accepts multiple connections with identical session identifiers, allowing attackers to hijack charging station sessions and intercept backend commands through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate charging stations, execute unauthorized operations, or disrupt service availability by flooding the backend with crafted session requests. No patch is currently available.

Cloudcharge.Se's WebSocket API fails to implement authentication rate limiting, enabling attackers to launch denial-of-service attacks against charger infrastructure or conduct brute-force credential attacks without restriction. The vulnerability affects remote, unauthenticated attackers and could result in service disruption or unauthorized system access. No patch is currently available.

Switchenergy.com's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against the platform's charger telemetry infrastructure or execute brute-force credential attacks. This network-accessible vulnerability requires no authentication or user interaction, making it trivial to exploit and potentially exposing the service to sustained availability disruptions or account compromise.

Missing WebSocket authentication vulnerability identical to CVE-2026-20781. Unauthenticated attackers can perform station impersonation and data injection via unprotected WebSocket endpoints.

Ev2go.Io charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain sensitive identification data. This exposure could enable unauthorized access to charging infrastructure or facilitate further attacks against connected systems. No patch is currently available for this vulnerability.

Session hijacking in Ev2go.Io's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept commands due to predictable session identifiers and insufficient endpoint validation. An unauthenticated attacker can establish multiple connections with the same session ID to displace legitimate stations, potentially gaining unauthorized access to charging infrastructure or disrupting service availability. No patch is currently available.

Chargemap.Com's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force credential attacks against user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and minimal exploit prerequisites (no authentication or user interaction required), this represents a significant availability risk.

Chargemap.Com exposes charging station authentication credentials through publicly accessible web-based mapping interfaces, allowing unauthenticated attackers to obtain sensitive authentication data. This vulnerability enables attackers to potentially access or manipulate charging station services, affecting users and operators who rely on the platform. No patch is currently available to remediate this exposure.

Missing WebSocket authentication in industrial/IoT device management allows unauthenticated attackers to perform station impersonation, data injection, and denial of service. One of several related CVEs affecting the same WebSocket endpoints.

Cloudcharge.Se charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated attackers to discover and potentially intercept sensitive station identifiers. This exposure could enable unauthorized access to charging infrastructure or user accounts without requiring authentication bypass techniques. No patch is currently available for this vulnerability.

Unauthenticated access to uploaded files in Initiative project management platform prior to version 0.32.2 allows remote attackers to retrieve sensitive documents by directly accessing the unprotected /uploads/ directory. The vulnerability stems from missing authentication and authorization controls on file serving, enabling disclosure of confidential project data without requiring any credentials. Initiative versions 0.32.2 and later contain patches to restrict access to uploaded documents.

SteVe is an open-source EV charging station management system. [CVSS 6.3 MEDIUM]

Manyfold versions up to 0.133.1 is affected by authorization bypass through user-controlled key (CVSS 5.3).

hoppscotch is an open source API development ecosystem. [CVSS 6.5 MEDIUM]

Wger versions up to 2.4 allow authenticated users to access other users' private nutrition plans through insecure direct object references in the nutritional_values endpoints, exposing sensitive dietary data including caloric intake and macronutrient breakdowns. The vulnerability stems from bypassing user-scoped querysets via direct primary key lookups, and public exploit code is available.

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. [CVSS 3.1 LOW]

Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endpoints, allowing any authenticated user to read, modify, or overwrite other users' budget files. Public exploit code exists for this vulnerability. Update to version 26.2.1 or later to remediate.

The Data Explorer plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to properly enforce access controls, allowing any authenticated user to execute arbitrary SQL queries against unprotected queries, including system-level queries. This affects all installations with the Data Explorer plugin enabled and permits authenticated attackers to access or modify sensitive data without proper authorization. No patch is currently available, though administrators can mitigate the issue by explicitly setting group permissions on queries or disabling the plugin.

Wger versions up to 2.4 expose all users' repetition configuration data to any authenticated attacker due to missing authorization checks in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet endpoints. A registered user can enumerate the complete workout structures of all other users on the platform. Public exploit code exists for this vulnerability, and a patch is available.

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. [CVSS 2.7 LOW]

Zulip's payment method update API endpoint in the upgrade flow lacks proper authorization checks, allowing any organization member to modify the default payment method by completing a Stripe Checkout session. This vulnerability affected Zulip Cloud users and has been patched; self-hosted deployments are not impacted and require no action.

Discourse is an open source discussion platform. [CVSS 3.8 LOW]

Discourse is an open source discussion platform. [CVSS 3.8 LOW]

The Discourse poll plugin voters endpoint fails to validate post visibility permissions, enabling unauthenticated attackers to enumerate poll voter details across any post in affected instances. This information disclosure affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, with no workaround available until patching. No patch is currently available for earlier versions.

Broken access control in OpenViking through 0.1.18 allows unauthenticated attackers to gain full system access.

Spip versions up to 4.4.10 contains a vulnerability that allows attackers to access protected information (CVSS 7.5).

Insecure Direct Object References in Discourse ReviewableNotesController allow category moderation group members to create or delete notes on any reviewable in the system regardless of moderation scope when category group moderation is enabled. This authorization bypass affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, enabling users to manipulate moderation records outside their assigned categories. No patch is currently available.

The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface.

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploita...

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an insecure direct object reference (IDOR) in the directory items endpoint that allows unauthenticated attackers to retrieve private user field values for all directory users. The vulnerability stems from missing authorization checks on the user_field_ids parameter, enabling bulk exfiltration of sensitive user data that should be restricted by visibility settings. No patch is currently available for affected deployments.

Discourse instances with an unconfigured patreon_webhook_secret allow remote attackers to forge valid webhook signatures using an empty HMAC-MD5 key, enabling arbitrary creation, modification, or deletion of Patreon pledge data and unauthorized patron synchronization. The vulnerability affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, and currently lacks an available patch. Administrators must explicitly configure the patreon_webhook_secret setting or upgrade to patched versions to mitigate this integrity attack.

Unauthenticated attackers can submit forged webhook payloads to multiple email provider integrations in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 when authentication tokens are not configured, allowing them to artificially inflate user bounce scores and disable legitimate user accounts. The vulnerability affects webhook endpoints for SendGrid, Mailjet, Mandrill, Postmark, and SparkPost, with Mailpace having no token validation whatsoever. Administrators should immediately configure webhook authentication tokens for all email provider integrations as a workaround until patching is available.

Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attackers with physical access to a locked device and knowledge of the approximate lock time to brute-force the 6-digit PIN within a limited search window. This vulnerability affects Fleet versions prior to 4.80.1 and requires local access and timing knowledge to exploit. No patch is currently available.

Unauthenticated attackers can bypass authentication in the WordPress User Registration & Membership plugin (versions up to 5.1.2) due to flawed logic in the user registration function, allowing them to gain unauthorized access to newly created accounts. The vulnerability requires specific conditions but poses a high risk due to the network-accessible nature of the attack and the lack of authentication requirements. No patch is currently available for affected installations.

Bitnami Sealed Secrets improperly validates user-supplied annotations during secret rotation, allowing authenticated attackers to escalate secret scope from namespace-wide or strict constraints to cluster-wide. An attacker can inject a malicious annotation into the rotation request to obtain a rotated secret accessible across any namespace, potentially enabling lateral movement and unauthorized access to sensitive credentials throughout the cluster.

Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.

Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 6.5).

Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 6.5).

Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 7.1).

OpenEMR versions prior to 8.0.0 contain an authorization bypass in the patient portal that allows authenticated users to forge provider signatures by uploading files with admin-signature type parameters for any provider. Public exploit code exists for this vulnerability, which could enable signature forgery on medical documents, creating legal and compliance risks. Upgrade to version 8.0.0 or later to remediate this high-severity flaw.

Chia Blockchain 2.1.0's RPC Server Master Passphrase Handler lacks proper authentication in the send_transaction and get_private_key functions, allowing authenticated local attackers to bypass security controls with public exploit code available. An attacker with local access and existing privileges could manipulate these functions to gain unauthorized access to sensitive blockchain operations, though exploitation requires high complexity and the vendor considers this a user responsibility issue. A patch is not currently available.

Improper authentication in Chia Blockchain 2.1.0's RPC Credential Handler (_authenticate function) allows remote attackers to bypass credential validation with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor dismissed the report as a design choice placing responsibility on users for host security. Affected systems may experience confidentiality, integrity, and availability impacts through unauthorized RPC access.

Plane prior to version 1.2.2 allows authenticated users to modify project assets across any workspace by directly referencing asset IDs, as the asset lookup fails to verify workspace and project ownership. An attacker with guest-level credentials can enumerate asset UUIDs and alter asset attributes and upload status without authorization. The vulnerability has been patched in version 1.2.2.

OpenFUN Richie LMS's course synchronization API uses non-constant-time comparison for HMAC signature validation, allowing remote attackers to forge valid signatures through timing analysis and bypass authentication controls. This vulnerability affects the sync_course_run_from_request function and requires no user interaction, though successful exploitation demands careful timing measurements. No patch is currently available for this medium-severity issue.

Cisco Catalyst SD-WAN Controller and Manager contain a critical authentication bypass (CVE-2026-20127, CVSS 10.0) in the peering authentication mechanism that allows unauthenticated remote attackers to obtain full administrative privileges. The vulnerability exists because peering authentication does not properly validate credentials, enabling any attacker with network access to take over the SD-WAN management plane and control the entire WAN fabric.

Missing authentication in the mesh network functionality of Netgear MR9600 (1.0.4.205530) and MX4200 (1.0.13.210200) allows an attacker with physical device access to add unauthorized mesh devices and extract sensitive credentials including admin passwords and Wi-Fi keys. The vulnerability requires no user interaction and affects the confidentiality of authentication materials stored on the device. No patch is currently available for this issue.

Unrestricted file uploads in Sz Boot Parent versions up to 1.3.2-beta allow authenticated remote attackers to upload malicious files via the /api/admin/sys-file/upload API endpoint. Public exploit code exists for this vulnerability, which has been patched in version 1.3.3-beta through the addition of file extension and MIME type whitelisting controls. Immediate upgrade to the patched version is strongly recommended.