Authentication Bypass
Monthly
HPE Aruba Networking 5G Core API error handling leaks sensitive information including user accounts, roles, and system configuration to unauthenticated remote attackers. Exposed internal service details can be leveraged to identify attack vectors for privilege escalation and unauthorized access. A patch is available.
Unauthenticated attackers can bypass API authentication in Aruba Networking Private 5G Core to create unauthorized administrative accounts, enabling full system compromise. Successful exploitation grants attackers administrative privileges to modify configurations and access sensitive data within affected deployments.
Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) that allow unauthenticated remote attackers with knowledge of the credentials to gain root-level access to the underlying operating system. KEV-listed, this vulnerability exposes disaster recovery infrastructure to complete compromise, potentially affecting the integrity of backup and replication data.
Hard-coded credentials in the Beetel 777VR1 Web Management Interface allow unauthenticated attackers on the local network to gain full administrative access with high integrity and confidentiality impact. Public exploit code is available and actively used, with no patch currently available from the vendor. Affected organizations should immediately implement network segmentation and access controls to restrict management interface exposure.
Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows exploiting incorrectly configured access control security levels. This issue affects SP Project & Document Manager: from n/a through 4.70. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Paul Custom Content by Country (by Shield Security), plugin slug custom-content-by-country. This issue affects Custom Content by Country (by Shield Security): from n/a through 3.1.2. [CVSS 6.5 MEDIUM]
Versions from 3.0.0 to 3.3.1 and up to 3.5.0 are affected by missing authentication for a critical function (CVSS 6.1).
Apache NiFi versions 1.1.0 through 2.7.2 are missing an authorization check when updating configuration properties on extension components that carry specific Required Permissions through the Restricted annotation.
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561 [CVSS 3.8 LOW]
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. [CVSS 4.3 MEDIUM]
ipTIME A6004MX router has an access control vulnerability in VPN client configuration enabling unauthorized network access.
Mattermost Server versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1 inadequately enforce login method restrictions, permitting authenticated users to circumvent SSO-only requirements by authenticating with a userID instead. This allows an attacker with valid credentials to gain unauthorized access to accounts restricted to single sign-on authentication. No patch is currently available for this vulnerability.
eNet Smart Home server versions 2.2.1 and 2.3.1 allow authenticated users to delete arbitrary user accounts through an authorization bypass in the deleteUserAccount JSON-RPC method. Any low-privileged user can submit a crafted request to remove other accounts without elevated permissions, and public exploit code exists for this vulnerability. The impact includes unauthorized account deletion and potential denial of service, with no patch currently available.
The Micca KE700 system relies on a 6-bit portion of an identifier for authentication within rolling codes, providing only 64 possible combinations. This low entropy allows an attacker to perform a brute-force attack against one component of the rolling code.
The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence.
The Linux kernel netfilter connection tracking module fails to properly manage garbage collection timing, allowing an attacker with local access to bypass cleanup operations and cause unbounded memory consumption on affected systems. By maintaining a sufficiently high packet rate, an attacker can prevent the garbage collector from executing, causing the connection tracking list to grow indefinitely and potentially lead to denial of service. No patch is currently available for this vulnerability.
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.
Unauthenticated attackers can forge IPN payment notifications in the BlueSnap Payment Gateway for WooCommerce plugin by spoofing whitelisted IP addresses through header manipulation, allowing them to arbitrarily modify order statuses without authorization. The vulnerability stems from improper IP validation in all versions up to 3.3.0, affecting WordPress installations with this payment plugin active. No patch is currently available.
Caido versions prior to 0.55.0 can be bypassed using a crafted X-Forwarded-Host header to circumvent domain whitelist restrictions, allowing unauthenticated remote attackers to reach non-whitelisted domains through port 8080. This vulnerability affects all users of the web security auditing toolkit and could enable attackers to exfiltrate data or attack internal systems. No patch is currently available for affected versions.
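Both the BlueSnap IPN entry and the Caido entry above are the same failure: an allowlist decision is made on a header the client controls (X-Forwarded-For in one case, X-Forwarded-Host in the other) while the transport actually says something else. The block below is an added example, not code from either project. It shows the bypassable check beside a version that only trusts what the socket and a known proxy tell it; the allowlisted address, the trusted proxy, the domain allowlist and all request headers are constructed for the example.

```python
"""Forwarded-header trust: added example, not code from BlueSnap or Caido."""
from ipaddress import ip_address
from typing import Mapping, Tuple

# Constructed: the only source permitted to post payment notifications.
IPN_ALLOWLIST = {ip_address("203.0.113.10")}
# Constructed: reverse proxies that sit in front of the application.
TRUSTED_PROXIES = {ip_address("10.0.0.5")}
# Constructed: hosts the service is allowed to route requests to.
DOMAIN_ALLOWLIST = {"app.example.test"}


def vulnerable_ipn_allowed(peer: str, headers: Mapping[str, str]) -> bool:
    """Bypassable: believes X-Forwarded-For from any client, so a remote
    attacker simply claims the allowlisted address in the header."""
    forwarded = headers.get("X-Forwarded-For")
    claimed = forwarded.split(",")[0].strip() if forwarded else peer
    try:
        return ip_address(claimed) in IPN_ALLOWLIST
    except ValueError:
        return False


def hardened_ipn_allowed(peer: str, headers: Mapping[str, str]) -> bool:
    """Only consults X-Forwarded-For when the TCP peer is a trusted proxy,
    and then uses the last hop, which is the one that proxy appended.
    Anything the client put in the header before that is ignored."""
    peer_ip = ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip in IPN_ALLOWLIST
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return False
    try:
        return ip_address(hops[-1]) in IPN_ALLOWLIST
    except ValueError:
        return False


def vulnerable_domain_check(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Bypassable: the allowlist is checked against X-Forwarded-Host while
    the request is routed on Host, so the two values can disagree."""
    checked = (headers.get("X-Forwarded-Host") or headers.get("Host", "")).split(":")[0].lower()
    target = headers.get("Host", "").split(":")[0].lower()
    return checked in DOMAIN_ALLOWLIST, target


def hardened_domain_check(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Checks and routes on one canonical value; X-Forwarded-Host is never consulted."""
    target = headers.get("Host", "").split(":")[0].lower()
    return target in DOMAIN_ALLOWLIST, target


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "203.0.113.10"}  # constructed attacker request
    print("IPN spoof from 198.51.100.77, vulnerable:", vulnerable_ipn_allowed("198.51.100.77", spoof))
    print("IPN spoof from 198.51.100.77, hardened: ", hardened_ipn_allowed("198.51.100.77", spoof))
    hosts = {"Host": "evil.example.test", "X-Forwarded-Host": "app.example.test"}
    print("Domain spoof, vulnerable:", vulnerable_domain_check(hosts))
    print("Domain spoof, hardened:  ", hardened_domain_check(hosts))
```

The hardened IPN check assumes a single trusted proxy hop; with a chain of proxies, walk the X-Forwarded-For list from the right and skip every address that is itself a trusted proxy. For the domain case the point is simpler: whatever value routing uses must be the value the allowlist is evaluated on.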
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. [CVSS 8.8 HIGH]
Milvus vector database before 2.5.27 and 2.6.10 exposes TCP port 9091 by default without authentication, allowing unauthenticated API access. EPSS 0.32%; a PoC and a patch are available.
Kanboard versions prior to 1.2.50 allow authenticated users to duplicate tasks into projects they lack access permissions for due to insufficient validation in the TaskCreationController endpoint. This privilege escalation vulnerability enables users to move sensitive tasks across project boundaries they should not be able to access. Public exploit code exists for this incomplete fix of a prior authorization bypass vulnerability.
Flexcity versions up to 1.0.36 are affected by authorization bypass through a user-controlled key (CVSS 8.3).
Flexcity versions before 1.0.36 contain an authentication bypass vulnerability that allows authenticated users to escalate their privileges through an alternate access path. An attacker with valid credentials can exploit this flaw to gain unauthorized elevated access to the system. No patch is currently available.
PRO-7070 Hazır Profesyonel Web Sitesi version 1.0 contains an authentication bypass vulnerability in the administration panel login page. Attackers can bypass authentication by using '=' 'or' as both username and password to gain unauthorized access to the administrative interface. [CVSS 7.5 HIGH]
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. [CVSS 8.2 HIGH]
Heatmiser Netmonitor 3.03 contains a hardcoded credentials vulnerability in the networkSetup.htm page with predictable admin login credentials. Attackers can access the device by using the hard-coded username 'admin' and password 'admin' in the hidden form input fields. [CVSS 7.5 HIGH]
E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. [CVSS 6.5 MEDIUM]
Unauthenticated webhook endpoints in Yoke's Air Traffic Controller component allow any pod within a Kubernetes cluster to submit AdmissionReview requests and execute WASM modules in the controller's context without authorization. This affects Yoke versions 0.19.0 and earlier, enabling attackers with cluster access to bypass API Server authentication and potentially compromise the infrastructure-as-code deployment pipeline. No patch is currently available.
authentik is an open-source identity provider. [CVSS 8.8 HIGH]
Authenticated users in LavinMQ versions before 2.6.6 can read sensitive broker metadata they lack permissions to access, resulting in information disclosure. This vulnerability requires valid credentials but poses a risk in multi-tenant deployments where access controls should be strictly enforced. A patch is available in version 2.6.6.
Authenticated users holding the Policymaker tag in LavinMQ prior to version 2.6.8 can create shovels that bypass access controls, allowing them to read from or publish messages to unauthorized virtual hosts. This privilege escalation vulnerability affects multi-tenant deployments where access segregation is critical. A patch is available in version 2.6.8 and later.
Authentik Proxy Provider allows authentication bypass through malformed cookies when deployed with Traefik or Caddy as a reverse proxy, enabling attackers to access protected applications by circumventing forward authentication checks. The vulnerability stems from improper cookie validation that prevents the setting of required authentik-specific X-Authentik-* headers, potentially granting unauthorized access depending on the backend application's configuration. Affected versions prior to 2025.10.4 and 2025.12.4 are vulnerable; patches are available in the specified releases.
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code such as ' or '1=1 into the username field to gain unauthorized access to user accounts. [CVSS 7.5 HIGH]
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information. [CVSS 7.5 HIGH]
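The Thrive Smart Home, thesystem and TheSystem entries above are all the same bug class: a login query assembled by string concatenation, so a quote in the username rewrites the WHERE clause. The block below is an added example, not code from any of those products. It builds a throwaway SQLite database with constructed users and runs two constructed payloads against the concatenated query and against the parameterised one. The `'=' 'or'` payload from the PRO-7070 entry is deliberately not reproduced: it depends on MySQL's lax string-to-number comparison and does not behave the same way in SQLite.

```python
"""Login SQL injection: added example, not code from Thrive Smart Home or TheSystem."""
import hashlib
import sqlite3
from typing import Optional, Tuple


def _digest(pw: str) -> str:
    # Constructed stand-in for a real password hash; use a slow, salted KDF in practice.
    return hashlib.sha256(pw.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed user table: one administrator and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_digest TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", _digest("correct horse battery"), "admin"),
         ("alice", _digest("hunter2"), "user")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    username closes the literal and the rest of the input becomes SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND pw_digest = '{_digest(password)}'"
    )
    return conn.execute(sql).fetchone()


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Hardened: bound parameters keep the input as data; the same payloads match nothing."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_digest = ?"
    return conn.execute(sql, (username, _digest(password))).fetchone()


# Constructed payloads. "admin' --" comments out the password clause and logs in
# as admin; "' OR 1=1 --" makes the WHERE clause true for every row, so whichever
# user the database returns first is logged in.
PAYLOADS = ["admin' --", "' OR 1=1 --"]


if __name__ == "__main__":
    conn = build_db()
    for payload in PAYLOADS:
        print(f"{payload!r:16} vulnerable -> {vulnerable_login(conn, payload, 'wrong')}"
              f"  hardened -> {hardened_login(conn, payload, 'wrong')}")
    print("legit login       hardened ->", hardened_login(conn, "alice", "hunter2"))
```

The hardened function still does no rate limiting or lockout; parameterisation closes the injection, not the brute-force path.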
The newbee-mall e-commerce platform ships hardcoded admin credentials in its database initialization script. A PoC is available.
Improper Access Control in an on-chip debug interface could allow a privileged attacker to enable a debug interface and potentially compromise data confidentiality or integrity.
An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL. [CVSS 4.3 MEDIUM]
Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows manipulating user-controlled variables. This issue affects E-Commerce Package: through 27112025. [CVSS 6.3 MEDIUM]
Missing certificate validation in SolaX solar inverter MQTT connections to Alibaba Cloud. Devices accept any server certificate, enabling MITM attacks on solar energy infrastructure.
Authentication bypass in AdForest WordPress theme (all versions through 6.0.12) allows unauthenticated attackers to take over any user account.
Race condition in Apple macOS/iOS symlink handling allows privilege escalation. Fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5.
An improper state management flaw in iOS and iPadOS allows an attacker with physical access to a locked device to bypass authorization controls and access sensitive user information. Exploitation requires only physical access to the device, with no user interaction and no elevated privileges. Apple has issued patches in iOS 26.3 and iPadOS 26.3, with corresponding updates for the 18.x branch in iOS 18.7.5 and iPadOS 18.7.5.
A logic issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, Safari 26.3, macOS Tahoe 26.3. [CVSS 3.3 LOW]
Sensitive information disclosure in Apple iOS and iPadOS results from improper state management in authorization checks, allowing an attacker with physical access to a locked device to view confidential user data. The vulnerability affects multiple iOS and iPadOS versions and currently lacks an available patch. Local privilege or device access is required, making this a risk primarily to users whose devices may be physically compromised.
Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.
Privilege escalation vulnerability in Apple's macOS, iOS, iPadOS, and visionOS allows a malicious application to obtain root-level access through insufficient authorization checks. Local attackers with the ability to install or execute an app can exploit this to gain complete system control. No patch is currently available for this high-severity vulnerability affecting multiple Apple platforms.
Improper input validation in macOS Sequoia, Tahoe, and Sonoma allows local applications to access sensitive user data through an injection attack that requires user interaction. An attacker with a malicious app could exploit this vulnerability to read confidential information on affected systems. No patch is currently available for this medium-severity issue.
The PF-50 keyfob of the PGST PG107 Alarm System 1.25.05.hf is vulnerable to a code replay attack: captured wireless signals can be replayed against the physical security system.
Frappe Learning Management System versions prior to 2.44.0 contain an information disclosure vulnerability that allows unauthenticated attackers to enumerate enrolled student email addresses from course batches. The flaw stems from improper access controls (CWE-863) that fail to restrict visibility of sensitive enrollment data to authorized users only. An attacker can exploit this over the network without authentication to obtain a complete roster of student contact information.
Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.
Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in the URL query string to retrieve the files. [CVSS 7.5 HIGH]
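The Q-Pulse objectKey entry, the Farktor user-controlled-key entry and the CIPAce file download entry above are all insecure direct object references: the server looks up whatever key the client supplies and never asks whether the caller may see that object. The block below is an added example, not code from any of those products. It keeps a constructed in-memory store of profiles and files and shows the unchecked lookup beside a lookup that requires a numeric id (never a filesystem path) and compares the record's owner with the session.

```python
"""Object-reference authorization: added example, not code from Q-Pulse, Farktor or CIPAce."""
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class Session:
    user: str
    is_admin: bool = False


@dataclass(frozen=True)
class Record:
    owner: str
    payload: str


class Forbidden(Exception):
    """Raised for any denied or unknown object; one error type, no enumeration oracle."""


# Constructed stores keyed by the objectKey / file id the client sends.
PROFILES: Dict[int, Record] = {
    101: Record("alice", "alice@example.test, phone 555-0101"),
    102: Record("bob", "bob@example.test, phone 555-0102"),
}
FILES: Dict[int, Record] = {
    7: Record("alice", "alice-contract.pdf"),
    8: Record("bob", "bob-payroll.xlsx"),
}


def vulnerable_fetch(store: Dict[int, Record], session: Session,
                     object_key: Union[int, str]) -> Optional[Record]:
    """Vulnerable: the key is looked up exactly as supplied; the session is never consulted."""
    try:
        return store.get(int(object_key))
    except (TypeError, ValueError):
        return None


def hardened_fetch(store: Dict[int, Record], session: Session,
                   object_key: Union[int, str]) -> Record:
    """Hardened: the key must be a numeric id (a path in the query string is rejected
    outright) and the record must belong to the caller unless the caller is an admin."""
    try:
        key = int(object_key)
    except (TypeError, ValueError):
        raise Forbidden("object key must be a numeric id")
    rec = store.get(key)
    if rec is None:
        raise Forbidden("object not available")
    if rec.owner != session.user and not session.is_admin:
        raise Forbidden("object not available")
    return rec


def can_access(store: Dict[int, Record], session: Session, object_key: Union[int, str]) -> bool:
    """True when the hardened check would release the record to this session."""
    try:
        hardened_fetch(store, session, object_key)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = Session("alice")
    print("alice reads bob's profile, vulnerable:", vulnerable_fetch(PROFILES, alice, "102"))
    print("alice reads bob's profile, hardened:  ", can_access(PROFILES, alice, "102"))
    print("alice passes a path as file id, hardened:",
          can_access(FILES, alice, "/var/app/files/bob-payroll.xlsx"))
    print("auditor reads bob's file, hardened:", can_access(FILES, Session("auditor", True), 8))
```

The unknown-object and not-owner cases deliberately raise the same message so a caller cannot tell which ids exist by probing; if the real API must distinguish them, log the detail server-side and keep the client-facing response uniform.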
Outline is a service that allows for collaborative documentation. [CVSS 5.3 MEDIUM]
login.php contains a vulnerability that allows attackers to access the dashboard without valid credentials (CVSS 6.5).
CIPAce versions up to 9.17 contain a vulnerability that allows attackers to bypass a protection mechanism (CVSS 4.3).
Authentication bypass in the ZLAN5143D by directly accessing internal URLs: access controls are enforced only in the frontend and are bypassed by direct API calls.
An unauthenticated password change API in an industrial/IoT device allows remote attackers to change the device password without any authentication.
The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]
A path traversal flaw in the check_token function of the ZBT WE2001 router allows crafted requests to bypass authentication entirely (CVSS 10.0, EPSS 0.69%).
Unauthenticated web shell in METIS DFS devices (versions <= oscore 2.1.234-r18); the same issue as CVE-2026-2248, affecting the DFS product line.
Unauthenticated web shell in METIS WIC devices (versions <= oscore 2.1.234-r18): the /console endpoint provides shell access without authentication. This is the first of two related METIS CVEs.
Missing authentication for critical functions in Dinosoft ERP allows unauthenticated access to business functionality.
The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.
Saastech Cleaning and Internet Services Inc. TemizlikYolda is affected by authorization bypass through a user-controlled key (CVSS 5.4).
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]
Unprivileged users with Event Log Reader privileges can extract proxy server credentials and URLs from PI to CONNECT event logs, potentially enabling unauthorized proxy access. This local information disclosure affects systems where such log access is granted to low-privileged accounts. No patch is currently available.
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
Improper access control in AMD Secure Encrypted Virtualization (SEV) firmware could allow a malicious hypervisor to bypass RMP protections, potentially resulting in a loss of SEV-SNP guest memory integrity.
Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity.
MongoDB's profile command fails to properly validate requests that modify the 'filter' parameter, incorrectly classifying write operations as read-only and bypassing authorization controls. An authenticated attacker could exploit this to modify database filters without proper access restrictions, potentially altering query behavior and data visibility. No patch is currently available.
MSHTML Framework contains a protection mechanism failure (CVE-2026-21513, CVSS 8.8) allowing remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the legacy HTML rendering engine (still used by many Windows applications and email clients) enables execution of malicious content by circumventing the browser's security sandbox and content restrictions.
Guest users on TP-Link Tapo C260 v1 cameras can modify protected device settings by exploiting inadequate access controls on synchronization endpoints. Authenticated attackers with limited privileges can bypass restrictions to change sensitive configuration parameters without authorization. No patch is currently available for this vulnerability.
Kanboard versions up to 1.2.50 are affected by authorization bypass through a user-controlled key (CVSS 4.3).
FortiOS versions up to 7.6.4 contain a vulnerability that allows an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FS (CVSS 8.1).
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet.
Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System is affected by authorization bypass through a user-controlled key (CVSS 8.8).
Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS contains a security vulnerability (CVSS 8.7).
Authentication bypass in Apache Druid versions 0.17.0 through 35.x: all versions prior to 36.0.0 are affected when specific prerequisites are met.
A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. [CVSS 5.3 MEDIUM]
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. This is the second of two authentication bypass CVEs for Agentflow.
Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.
An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. [CVSS 5.7 MEDIUM]
FUXA SCADA versions 1.2.8 through 1.2.10 contain an authentication spoofing vulnerability, the tenth critical vulnerability reported against FUXA.
FUXA SCADA contains another authorization bypass, the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.
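The Filebrowser entry above describes a mismatch between what the authorization check compares and what the filesystem actually opens: the check runs on the raw request path, the filesystem collapses repeated slashes and dot segments, so the two disagree on whether a path is under the restricted tree. The block below is an added example, not Filebrowser's code. The restricted prefix and the probe paths are constructed; it shows the raw prefix check beside a check that first canonicalises the path the same way the filesystem layer will, and compares on directory boundaries.

```python
"""Path normalization mismatch: added example, not Filebrowser's code."""
import posixpath
from typing import Dict, List

RESTRICTED = ["/restricted"]  # constructed: a tree the caller may not read


def canonical(url_path: str) -> str:
    """Collapse repeated slashes and dot segments the way the filesystem layer will.
    Leading slashes are stripped first because posixpath.normpath preserves an
    exactly-double leading '//', which POSIX leaves implementation-defined."""
    return posixpath.normpath("/" + url_path.lstrip("/"))


def vulnerable_is_allowed(url_path: str) -> bool:
    """Vulnerable: prefix check on the raw request path. '//restricted/x' does not
    start with '/restricted', so it passes, yet it resolves to the same file."""
    return not any(url_path.startswith(p) for p in RESTRICTED)


def hardened_is_allowed(url_path: str) -> bool:
    """Hardened: authorize on the canonical form the filesystem will use, and
    compare on a directory boundary so '/restrictedfoo' is not caught by accident."""
    canon = canonical(url_path)
    for p in RESTRICTED:
        base = p.rstrip("/")
        if canon == base or canon.startswith(base + "/"):
            return False
    return True


# Constructed probes an authenticated user might send at a restricted file.
PROBES: List[str] = [
    "/restricted/secret.txt",
    "//restricted/secret.txt",
    "/./restricted/secret.txt",
    "/public/../restricted/secret.txt",
    "/restrictedfoo/readme.txt",
]


def audit(probes: List[str] = PROBES) -> Dict[str, Dict[str, object]]:
    """For each probe: where it really resolves, and what each check decides."""
    return {
        p: {
            "resolves_to": canonical(p),
            "vulnerable": vulnerable_is_allowed(p),
            "hardened": hardened_is_allowed(p),
        }
        for p in probes
    }


if __name__ == "__main__":
    for probe, verdict in audit().items():
        print(f"{probe:36} -> {verdict['resolves_to']:24} "
              f"vulnerable={verdict['vulnerable']!s:5} hardened={verdict['hardened']}")
```

`posixpath.normpath` is purely lexical. In a real file server, after the canonical check, join the canonical path onto the storage root, resolve it with `os.path.realpath`, and confirm with `os.path.commonpath` that the result is still inside the root; that is what catches symlinks, which no amount of string normalisation will.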
Unauthenticated message injection in PolarLearn 0-PRERELEASE-16 and earlier allows remote attackers to send persistent messages to arbitrary group chats via the WebSocket API without credentials. Public exploit code exists for this vulnerability, which affects all users of vulnerable versions by enabling spam and potential information manipulation within group communications.
PlaciPy has an incorrect authorization flaw allowing privilege escalation, the seventh and final critical vulnerability reported against it.
PlaciPy has an incorrect authorization vulnerability, the fifth of seven critical flaws reported against it.
Hollo versions prior to 0.6.20 and 0.7.2 improperly expose direct messages and followers-only posts through the ActivityPub outbox endpoint, allowing unauthenticated remote attackers to access sensitive user communications. Public exploit code exists for this authorization bypass vulnerability, enabling attackers to enumerate and retrieve private content intended for restricted audiences. Patched versions 0.6.20 and 0.7.2 are available to remediate the exposure.
thesystem App 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the username parameter. Attackers can inject malicious SQL code like ' or '1=1 to the username field to gain unauthorized access to user accounts. [CVSS 7.5 HIGH]
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information. [CVSS 7.5 HIGH]
Hardcoded admin credentials in newbee-mall e-commerce platform database initialization script. PoC available.
Improper Access Control in an on-chip debug interface could allow a privileged attacker to enable a debug interface and potentially compromise data confidentiality or integrity.
An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL. [CVSS 4.3 MEDIUM]
Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025. [CVSS 6.3 MEDIUM]
Missing certificate validation in SolaX solar inverter MQTT connections to Alibaba Cloud. Devices accept any server certificate, enabling MITM attacks on solar energy infrastructure.
Authentication bypass in AdForest WordPress theme (all versions through 6.0.12) allows unauthenticated attackers to take over any user account.
Race condition in Apple macOS/iOS symlink handling allows privilege escalation. Fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5.
A physical-access vulnerability in iOS and iPadOS allows attackers to bypass authorization controls and access sensitive user information on locked devices through improper state management. The flaw affects multiple iOS versions including 18.7.5 and earlier, requiring only physical access to the device with no user interaction or elevated privileges. Apple has issued patches in iOS 26.3 and iPadOS 26.3, though updates for earlier versions (iOS 18.7.5 and iPadOS 18.7.5) are also available.
A logic issue was addressed with improved validation. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, Safari 26.3, macOS Tahoe 26.3. [CVSS 3.3 LOW]
Sensitive information disclosure in Apple iOS and iPadOS results from improper state management in authorization checks, allowing an attacker with physical access to a locked device to view confidential user data. The vulnerability affects multiple iOS and iPadOS versions and currently lacks an available patch. Local privilege or device access is required, making this a risk primarily to users whose devices may be physically compromised.
Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.
Privilege escalation vulnerability in Apple's macOS, iOS, iPadOS, and visionOS allows a malicious application to obtain root-level access through insufficient authorization checks. Local attackers with the ability to install or execute an app can exploit this to gain complete system control. No patch is currently available for this high-severity vulnerability affecting multiple Apple platforms.
Improper input validation in macOS Sequoia, Tahoe, and Sonoma allows local applications to access sensitive user data through an injection attack that requires user interaction. An attacker with a malicious app could exploit this vulnerability to read confidential information on affected systems. No patch is currently available for this medium-severity issue.
Code replay attack on PF-50 keyfob of PGST PG107 Alarm System 1.25.05.hf. Physical security system vulnerable to replay of wireless signals.
Frappe Learning Management System versions prior to 2.44.0 contain an information disclosure vulnerability that allows unauthenticated attackers to enumerate enrolled student email addresses from course batches. The flaw stems from improper access controls (CWE-863) that fail to restrict visibility of sensitive enrollment data to authorized users only. An attacker can exploit this over the network without authentication to obtain a complete roster of student contact information.
Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.
Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in the URL query string to retrieve the files. [CVSS 7.5 HIGH]
Outline is a service that allows for collaborative documentation. [CVSS 5.3 MEDIUM]
login.php contains a vulnerability that allows attackers to access the dashboard without valid credentials (CVSS 6.5).
CIPAce versions up to 9.17 contain a vulnerability that allows attackers to bypass a protection mechanism (CVSS 4.3).
Authentication bypass in ZLAN5143D by directly accessing internal URLs. Access controls enforced only at the frontend, bypassed by direct API calls.
Unauthenticated device password change API in industrial/IoT device. Remote attackers can change the device password without any authentication.
The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]
Authentication bypass via path traversal in ZBT WE2001 router's check_token function. EPSS 0.69% — crafted requests bypass authentication entirely. CVSS 10.0.
Unauthenticated web shell in METIS DFS devices (versions <= oscore 2.1.234-r18). Same vulnerability as CVE-2026-2248 but on DFS product line.
Unauthenticated web shell in METIS WIC devices (versions <= oscore 2.1.234-r18). The /console endpoint provides shell access without authentication. First of two related METIS CVEs.
Missing authentication for critical functions in Dinosoft ERP. Unauthenticated access to business functionality.
The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.
Saastech Cleaning and Internet Services Inc. TemizlikYolda is affected by authorization bypass through user-controlled key (CVSS 5.4).
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]
Unprivileged users with Event Log Reader privileges can extract proxy server credentials and URLs from PI to CONNECT event logs, potentially enabling unauthorized proxy access. This local information disclosure affects systems where such log access is granted to low-privileged accounts. No patch is currently available.
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests, potentially resulting in a partial loss of confidentiality.
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES guest to attack an SNP guest, potentially resulting in a loss of confidentiality.
Improper access control in AMD Secure Encrypted Virtualization (SEV) firmware could allow a malicious hypervisor to bypass RMP protections, potentially resulting in a loss of SEV-SNP guest memory integrity.
Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity.
MongoDB's profile command fails to properly validate requests that modify the 'filter' parameter, incorrectly classifying write operations as read-only and bypassing authorization controls. An authenticated attacker could exploit this to modify database filters without proper access restrictions, potentially altering query behavior and data visibility. No patch is currently available.
MSHTML Framework contains a protection mechanism failure (CVE-2026-21513, CVSS 8.8) allowing remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the legacy HTML rendering engine (still used by many Windows applications and email clients) enables execution of malicious content by circumventing the browser's security sandbox and content restrictions.
Guest users on TP-Link Tapo C260 v1 cameras can modify protected device settings by exploiting inadequate access controls on synchronization endpoints. Authenticated attackers with limited privileges can bypass restrictions to change sensitive configuration parameters without authorization. No patch is currently available for this vulnerability.
Kanboard versions up to 1.2.50 are affected by authorization bypass through user-controlled key (CVSS 4.3).
FortiOS versions up to 7.6.4 contain a vulnerability that allows an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FS (CVSS 8.1).
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet.
Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System is affected by authorization bypass through user-controlled key (CVSS 8.8).
Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS contains a security vulnerability (CVSS 8.7).
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.
A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. [CVSS 5.3 MEDIUM]
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.
Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.
An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. [CVSS 5.7 MEDIUM]
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.
Unauthenticated message injection in PolarLearn 0-PRERELEASE-16 and earlier allows remote attackers to send persistent messages to arbitrary group chats via the WebSocket API without credentials. Public exploit code exists for this vulnerability, which affects all users of vulnerable versions by enabling spam and potential information manipulation within group communications.
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Hollo versions prior to 0.6.20 and 0.7.2 improperly expose direct messages and followers-only posts through the ActivityPub outbox endpoint, allowing unauthenticated remote attackers to access sensitive user communications. Public exploit code exists for this authorization bypass vulnerability, enabling attackers to enumerate and retrieve private content intended for restricted audiences. Patched versions 0.6.20 and 0.7.2 are available to remediate the exposure.