Skip to main content

Authentication Bypass

31154 CVEs technique

Monthly

CVE-2026-50338 HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft Azure Spring Apps allows an already-authenticated, low-privileged network attacker to gain higher privileges by abusing an improper authentication weakness (CWE-287) in the managed platform. Because the CVSS scope is marked as changed (S:C), a successful attack can reach resources beyond the attacker's originally authorized boundary, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has published an advisory and a patch is available server-side.

Java Authentication Bypass Microsoft Azure Spring Apps
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2026-54999 HIGH PATCH NEWS Exploit Unlikely This Week

Remote code execution in the Microsoft Windows TCP/IP networking stack allows an unauthenticated attacker on the same physical or logical network segment to win a race condition and run arbitrary code on the target. The flaw spans a broad range of desktop and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, but Microsoft has confirmed the issue and shipped a patch, and the high CVSS (8.8) plus network-facing kernel component make it a priority to remediate.

Authentication Bypass Microsoft Race Condition Windows 10 Version 1607 Windows 10 Version 1809 +16
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-54982 HIGH PATCH NEWS Exploit Unlikely This Week

Remote code execution in the Windows Reliable Multicast Transport Driver (RMCAST) lets an unauthenticated attacker on the same network segment run arbitrary code by triggering an integer underflow (CWE-191) during multicast message processing. All supported Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1 are affected. There is no public exploit identified at time of analysis, but the CVSS 8.8 adjacent-network unauthenticated profile and Microsoft's own reporting make this a high-priority patch.

Authentication Bypass Integer Overflow Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-49174 MEDIUM PATCH This Month

Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.

Authentication Bypass Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-42900 HIGH PATCH This Week

Privilege elevation in the Windows App Store component affects a broad range of Microsoft Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025), where a race condition (CWE-362) lets an unauthorized attacker win a timing window to gain elevated privileges over a network. The CVSS 3.1 score is 8.1 with a network vector and no authentication (PR:N), but high attack complexity (AC:H) reflects the difficulty of reliably winning the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft.

Authentication Bypass Microsoft Race Condition Windows 10 Version 1607 Windows 10 Version 1809 +12
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-59888 MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-62644 MEDIUM PATCH This Month

Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the high integrity and confidentiality impact ratings reflect genuine account hijacking potential in shared hosting environments.

Authentication Bypass Webmail
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14504 HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-60119 MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-60118 MEDIUM PATCH This Month

Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.

Authentication Bypass Hi Events
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-11403 HIGH PATCH This Week

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and perform repository operations on their behalf. The flaw stems from insufficient entropy (CWE-331) in format-specific API key realms, so an attacker who can predict or reconstruct a victim's key gains their access without credentials. The vendor (Sonatype) reported and patched the issue in release 3.93.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Docker Authentication Bypass Node.js Nexus Repository Manager
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-52841 LOW PATCH Monitor

OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Google Authentication Bypass PHP Easyappointments
NVD GitHub
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-52839 LOW PATCH Monitor

Horizontal privilege escalation in Easy!Appointments prior to 1.6.0 permits any authenticated provider to inject appointments into a peer provider's calendar or reassign existing appointments across provider boundaries by supplying an arbitrary `id_users_provider` value to the `store` and `update` API endpoints. The asymmetry is stark: the `search` endpoint correctly enforces provider-scoped filtering, confirming the isolation boundary was intentionally designed - making this an incomplete implementation rather than a missing feature. An additional write-before-crash defect on the `store` path means the unauthorized database row is silently persisted even when the attacker receives an HTTP error response. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Easyappointments
NVD GitHub
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-9636 HIGH This Week

Certificate revocation bypass in Rockwell Automation ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR (EN4) communication modules allows a network-based attacker to establish a CIP Security connection using a certificate whose issuing intermediate CA has been revoked. Because the controller does not honor the Certificate Revocation List (CRL) for a revoked intermediate, an attacker holding such a certificate can present it as trusted and bypass CIP Security authentication. No public exploit identified at time of analysis; the vendor rates it CVSS 4.0 8.2 (High).

Authentication Bypass Controllogix 5580 Compactlogix 5380 Guardlogix 5580 Compact Guardlogix 5380 1756 En4Tr
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-9127 HIGH This Week

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).

Authentication Bypass RCE Studio 5000 Logix Designer
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-55954 CRITICAL PATCH Act Now

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.

Apple Authentication Bypass Ueberauth Apple
NVD GitHub
CVSS 4.0
9.1
EPSS
0.4%
CVE-2026-10714 HIGH This Week

Authentication bypass in Rockwell Automation FactoryTalk Services Platform (FTSP) lets an authenticated low-privilege user forge JWT tokens during Okta Web Authentication because the application fails to enforce the RSA signing algorithm, permitting the classic 'alg:none' attack. A successful attacker can impersonate any authorized user, reaching system configuration and granting permissions to other systems that FTSP protects. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the alg:none technique is well documented and trivially reproducible once access is obtained.

Authentication Bypass Factorytalk Services Platform
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-10577 CRITICAL CISA Act Now

Unauthenticated remote command execution on Rockwell Automation's 1715-AENTR EtherNet/IP Adapter arises from a network-accessible debug port that enforces no privilege controls, exposing intrusive CLI commands to any attacker who can reach the device. An unauthenticated remote actor can read and delete files, halt tasks, modify memory, and manipulate physical I/O states, giving full control over device confidentiality, integrity, and availability. Rated CVSS 4.0 10.0 (Critical) with subsequent-system impact; no public exploit has been identified at time of analysis.

Authentication Bypass
NVD VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-9341 MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-62422 CRITICAL PATCH Act Now

Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct-database-access code path, per CWE-306 (missing authentication for a critical function). All self-hosted YouTrack builds prior to the 2026.1.13757 / 2025.3.148033 / 2025.2.148048 / 2025.1.148120 / 2024.3.148430 / 2024.2.148429 fix trains are affected, and JetBrains rates it CVSS 10.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the maximal severity score and administrative impact make prompt patching essential.

Authentication Bypass Youtrack
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-15389 HIGH This Week

Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Sesame Time
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56451 CRITICAL Act Now

Authentication bypass in Siemens Opcenter X (all versions before V2604) lets an unauthenticated remote attacker forge JSON Web Tokens by exploiting improper validation of the algorithm field in the JWT header. Because the application trusts the attacker-controlled 'alg' value, an attacker can craft tokens that impersonate any user - including administrators - yielding full unauthorized access to the manufacturing operations platform. Rated CVSS 10.0 with a scope-changing critical impact; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Jwt Attack Opcenter X
NVD
CVSS 4.0
10.0
EPSS
0.4%
CVE-2026-15416 HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE Kubernetes Argo Helm +3
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.3%
CVE-2026-15183 CRITICAL PATCH Act Now

SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.

Authentication Bypass SQLi Privilege Escalation Snowflake Spark Connector
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-59083 CRITICAL Act Now

Security constraint bypass in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.119, 10.1.0-M1-10.1.56, 11.0.0-M1-11.0.23) lets remote attackers reach protected resources by abusing improperly handled hex URL encoding in the RewriteValve, defeating URL-pattern security constraints. Because the flaw resides in the rewrite valve, only deployments that use the RewriteValve together with security constraints are exposed, but where present an unauthenticated attacker (per CVSS PR:N) can access or manipulate resources meant to be restricted. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Apache Tomcat Apache Tomcat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-12988 MEDIUM POC PATCH This Month

Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. A publicly available proof-of-concept exists per WPScan; this vulnerability is not currently listed in the CISA KEV catalog, but the combination of a PoC, medium-prevalence deployment, and account-takeover impact warrants prompt patching.

Authentication Bypass WordPress Wp 2Fa
NVD WPScan
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-62393 MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-58319 CRITICAL PATCH Act Now

Missing authentication on Apache Doris Frontend (FE) HTTP REST administrative APIs allows any unauthenticated attacker with network reach to the FE HTTP service to invoke privileged administrative operations, degrading cluster integrity and availability up to full denial of service. All Apache Doris releases before 3.1.0 (per EUVD, the 2.1.0 through pre-3.1.0 line) are affected, and a fixed release exists in 3.1.0. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the 9.1 Critical CVSS reflects the trivial unauthenticated network exploitability rather than confirmed in-the-wild use.

Apache Authentication Bypass Denial Of Service Doris
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-11802 MEDIUM This Month

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.

Authentication Bypass WordPress Foodbook Lite Online Food Ordering System
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-15622 MEDIUM POC PATCH This Month

Unauthenticated authorization bypass in poco-ai/poco-claw's Workspace API allows remote attackers to access arbitrary users' workspace files by manipulating the user_id parameter in the get_workspace_file function. All versions through 0.5.4 are affected, with the executor manager's control-plane routes completely lacking token-based authentication before the fix. Publicly available exploit code exists (POC confirmed via GitHub issue #133 and PR #135); no CISA KEV listing at time of analysis.

Authentication Bypass Poco Claw
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-52828 PHP MEDIUM PATCH GHSA This Month

Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52827 PHP HIGH PATCH GHSA This Week

Two-factor authentication bypass in Kimai (open-source time-tracking) before 2.59.0 lets an attacker with only a victim's password reach every authenticated REST API endpoint without completing TOTP. The KIMAI_SESSION cookie returned by the password-only login response - issued before the 2FA step - is already treated as authenticated by /api/*, so it can be replayed to act fully as the user while the browser is still pinned to the 2FA screen. No public exploit identified at time of analysis (a PoC existed but was redacted by the reporter); not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
CVE-2026-44767 MEDIUM PATCH This Month

CSS stylesheet injection in SAP @ui5/webcomponents-base allows unauthenticated remote attackers to load arbitrary cross-origin stylesheets into victim pages by bypassing the sap-allowed-theme-origins allowlist enforcement inside setThemeRoot(). The ?sap-themeRoot URL query parameter is a direct delivery vector, making socially-engineered exploitation trivial - no authentication is required from the attacker (CVSS PR:N), only a victim page load (UI:R). Successful exploitation enables UI redressing, clickjacking, phishing overlays, visual defacement, and limited CSS attribute-selector-based data exfiltration; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SAP Authentication Bypass Ui5 Webcomponents Base
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-44771 MEDIUM This Month

Privilege escalation in SAP S/4HANA's Draft Operation component allows authenticated restricted users to read entity data beyond their authorized scope due to missing authorization checks. The flaw, classified under CWE-862, is exploitable over the network without elevated privileges, resulting in low confidentiality impact with no effect on integrity or availability. No public exploit code or active exploitation has been identified at time of analysis, keeping real-world risk bounded despite the network-accessible attack vector.

SAP Authentication Bypass Sap S 4Hana Draft Operation
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44770 MEDIUM This Month

Missing authorization in SAP S/4HANA's Create Single Payment function exposes restricted entity set keys to authenticated but low-privileged users. The flaw (CWE-862) allows a restricted user to query specific payment-related entity sets beyond their intended access scope, resulting in low-impact confidentiality leakage with no effect on data integrity or system availability. No public exploit code exists and this vulnerability is not listed in CISA KEV; EPSS data was not provided, but the CVSS 4.3 medium score and limited impact scope suggest low exploitation urgency.

SAP Authentication Bypass Sap S 4 Hana Create Single Payment
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44745 HIGH PATCH This Week

Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments.

SAP Authentication Bypass Open Redirect Sap Approuter
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-52826 PHP MEDIUM PATCH GHSA This Month

Cross-scope billing rate manipulation in Kimai 2.56.0 allows authenticated users with edit access to any single project, customer, or activity to tamper with rate configurations belonging to entirely different organizational units they are not authorized to access. The root cause is missing parent-child consistency validation in three Web admin rate-editing endpoints, where the controller validates the authenticated user's access to the parent object but never verifies that the child rate record actually belongs to that same parent. A PoC was privately submitted and subsequently removed from the advisory before public disclosure; no public exploit code is circulating and no CISA KEV active-exploitation listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-52825 PHP MEDIUM PATCH GHSA This Month

Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52822 PHP MEDIUM PATCH GHSA This Month

Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52821 PHP MEDIUM PATCH GHSA This Month

Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52820 PHP MEDIUM PATCH GHSA This Month

Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.

PHP Authentication Bypass
NVD GitHub
CVE-2026-52819 PHP MEDIUM PATCH GHSA This Month

{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.

PHP Authentication Bypass
NVD GitHub
CVE-2026-47677 PHP CRITICAL POC PATCH GHSA Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass CSRF
NVD GitHub
CVE-2026-57855 HIGH PATCH This Week

Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.

PHP Authentication Bypass Cockpit Cms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-58488 MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-62328 npm HIGH This Week

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. This is a network-reachable, no-privilege flaw (CVSS 4.0 8.7) with no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-62327 npm CRITICAL Act Now

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. Reported by VulnCheck with a critical CVSS 4.0 base of 9.3; no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-62198 MEDIUM This Month

Authorization bypass in OpenClaw's native web search component allows authenticated lower-trust callers to invoke operations normally gated behind stronger policy checks. Versions 2026.5.28 through 2026.6.5 are affected, with exploitation requiring crafted input paths targeting misconfigured authorization logic - no special tooling needed given the low attack complexity. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable attack surface and low complexity reduce the barrier for abuse by compromised or malicious low-privilege accounts.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-62196 HIGH This Week

Authorization bypass in OpenClaw (versions 2026.3.22 up to but not including 2026.6.6) lets a lower-trust WhatsApp sender satisfy elevated sender allowlists because WhatsApp group IDs are accepted as if they were privileged individual sender identities. An authenticated but low-privilege attacker can therefore invoke actions gated behind stronger authorization, effectively escalating privilege within the messaging integration. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (high); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62195 HIGH This Week

Authorization bypass in OpenClaw 2026.5.20 through 2026.6.5 lets a low-privilege caller invoke owner-only tools through the MCP loopback feature, escalating beyond intended permissions to execute or persist privileged actions. The flaw stems from incorrect permission enforcement (CWE-732) on configured input paths reachable over the network. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62193 MEDIUM This Month

Authorization bypass in OpenClaw's plugin install wrappers (versions 2026.6.5 through 2026.6.8) allows a lower-trust authenticated caller to skip the install policy check, executing or persisting plugin actions beyond their intended authorization scope. The impact is bounded by operator configuration - deployments where the plugin install feature is disabled or unreachable are not affected. No public exploit code has been identified and the vulnerability does not appear in CISA KEV; vendor-released fix is available in version 2026.6.9.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-62192 HIGH This Week

Privilege-boundary bypass in OpenClaw's Discord guild-action handling (versions 2026.6.6 up to but not including 2026.6.9) lets a low-privilege authenticated caller invoke operations that should require stronger authorization. By abusing misconfigured input paths, the attacker skips the cross-provider requester authorization step and executes restricted guild operations. No public exploit identified at time of analysis; the CVSS 4.0 score of 7.2 reflects high integrity and availability impact with no confidentiality exposure.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-62191 HIGH This Week

Privilege escalation via authorization bypass in OpenClaw 2026.6.6 through 2026.6.8 allows a low-privileged, authenticated caller to invoke message-mutation operations that should require stronger authorization, letting them execute privileged actions. The flaw is a missing authorization check (CWE-862) on mutation input paths and requires the affected feature to be enabled and reachable. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-62190 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62189 HIGH This Week

Authorization bypass via symlink following in OpenClaw's mirror sync feature (versions before 2026.6.9) lets a lower-privilege caller escalate into actions that should require stronger authorization. By planting or referencing symlink parents on a remote mirror target, an authenticated attacker can trick the sync logic into resolving links that cross policy and trust boundaries, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no CISA KEV listing; no EPSS score was supplied.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-62188 HIGH This Week

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Feishu
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-62187 HIGH This Week

Authorization bypass in the @openclaw/feishu npm package (versions <= 2026.6.6) allows a lower-trust caller - or attacker-influenced input reaching a configured input path - to perform Feishu (Lark) actions that should have required stronger authorization, because per-account disablement can be ignored. Authenticated remote attackers can trigger unauthorized operations affecting confidentiality and integrity; no public exploit has been identified at time of analysis, and the flaw is fixed in version 2026.6.9. Real-world impact is gated by the operator's configuration and whether untrusted input can reach the affected feature.

Authentication Bypass Node.js Feishu
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-62186 HIGH This Week

Privilege escalation in OpenClaw before 2026.6.8 lets a lower-trust, already-authenticated caller invoke admin-restricted operations by abusing OpenAI-compatible HTTP model-override input paths, bypassing the authorization checks that should gate those actions. The flaw was reported by VulnCheck and stems from missing authorization (CWE-862) on override-driven request handling. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-59801 npm CRITICAL POC Act Now

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credentials enumerate, create, modify, and delete provider connections via the Next.js routes under src/app/api/providers/*. Because the /api/providers endpoints ship without authentication middleware, attackers can harvest partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled providers, or wipe all connections for a full denial of service; the companion /api/usage/stats endpoint further leaks full plaintext API keys. Rated CVSS 4.0 9.3 (critical); no public exploit identified at time of analysis, though the trivial access makes exploitation straightforward.

Authentication Bypass Denial Of Service 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-58410 HIGH This Week

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. No public exploit identified at time of analysis, though the flaw is trivially reproducible by manipulating a request parameter.

Authentication Bypass Crm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-15594 LOW POC Monitor

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-58408 MEDIUM This Month

Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.

PHP Authentication Bypass Crm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59955 Maven HIGH PATCH GHSA This Week

{appId}/{clusterName}/{namespace} endpoint as the literal string 'raw', so no matching secret is found and the signature check is skipped for the real target app. No public exploit identified at time of analysis; the flaw is fixed in Apollo 2.5.2.

Canonical Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59954 Maven HIGH PATCH GHSA This Week

Authentication bypass in Apollo (Ctrip apolloconfig) ConfigService allows an unauthenticated remote attacker to read protected configuration data from /configs and /configfiles endpoints even when AccessKey/management-key authentication is enabled. The flaw stems from ConfigService accepting a non-canonical appId variant (e.g. accented or trailing-space forms) that misses the AccessKey secret cache lookup - causing signature verification to be skipped - while the downstream release lookup still resolves the value to the real, protected app under equivalence-treating database collations. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the confidentiality-only impact drives the CVSS 7.5 (High) rating.

Canonical Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
CVE-2026-45415 Ruby MEDIUM PATCH GHSA This Month

Improper authorization in Decidim's CSV census admin controller allows participant managers to read, create, update, and delete CSV census rows they are not permitted to access. The `/admin/csv_census/census_logs` endpoint family in `decidim-verifications` fails to call `enforce_permission_to` before rendering or mutating `Decidim::Verifications::CsvDatum`, granting participant managers the same data-mutation capability as full administrators. Exploitation corrupts the verification dataset that drives Decidim's authorization workflows, potentially invalidating or fabricating eligibility records for all participants. No public exploit code has been identified at time of analysis, but detailed reproduction steps are included in the public security advisory.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.0
CVE-2026-45414 Ruby HIGH PATCH GHSA This Week

Cross-tenant authentication bypass in Decidim (the Ruby-on-Rails participatory-democracy platform) lets a JWT issued in one organization (tenant) be replayed against a second organization's GraphQL API by simply changing the HTTP Host header. An authenticated Org 1 principal (admin or API user) can then read Org 2's admin-only participantDetails field, harvest Org 2 participant personal data, and reach Org 2's proposal.answer mutation path. Rated CVSS 8.5 with a scope change; the vendor advisory publishes step-by-step reproduction, but no CISA KEV listing and no EPSS score were provided, so widespread active exploitation is not established.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.5
CVE-2026-45086 Ruby MEDIUM PATCH GHSA This Month

Unauthorized access to the demographics questionnaire admin editor in Decidim's decidim-demographics module allows any authenticated participant to reach and interact with the `/admin/demographics/questions/edit_questions` route without admin privileges. Affected versions span 0.31.0-0.31.4 and 0.32.0.rc1, with fixes released in 0.31.5 and 0.32.0. The vulnerability is not listed in CISA KEV and no separate public exploit code has been identified; however, the advisory published by Decidim includes step-by-step reproduction instructions, lowering the barrier for exploitation by any registered platform user.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
CVE-2025-32781 Maven MEDIUM PATCH GHSA This Month

{env}/releases/{releaseId}` endpoint fetches and returns a release payload without invoking `UserPermissionValidator.shouldHideConfigToCurrentUser(...)`, meaning a low-privileged user who supplies a valid release ID belonging to a restricted application receives the full configuration - potentially including embedded credentials, database connection strings, and service endpoints. No public exploit has been identified at time of analysis, and exploitation is gated by a non-default configuration setting (`configView.memberOnly.envs`), but the practical data sensitivity of Apollo configuration stores makes this a meaningful confidentiality risk.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-6847 CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE PHP Themisnetpanel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-62147 MEDIUM This Month

Tenant data leakage in the Tempo Operator gateway component (Red Hat OpenShift Distributed Tracing 3) allows an authenticated low-privileged user to read span attributes from namespaces belonging to other tenants. The flaw exists because namespace-scoped redaction is inconsistently applied across certain query API response paths when query RBAC is enabled, meaning the authorization control exists but is not uniformly enforced. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the high confidentiality impact and low attack complexity make it a meaningful risk in shared multi-tenant tracing deployments.

Authentication Bypass Red Hat Openshift Distributed Tracing 3
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-6541 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Mattermost's Playbooks feature permits any authenticated team member to overwrite another user's playbook metric configuration by supplying a foreign metric ID in a crafted import or update request. Affected branches are 11.7.x through 11.7.1, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, where the server authorizes metric writes based on team membership alone rather than verifying that the referenced metric ID belongs to the playbook being saved. No public exploit code has been identified and this vulnerability does not appear in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9820 LOW Monitor

Insufficient sanitization of team objects in Mattermost's scheme teams API endpoint allows an authenticated user holding the User Manager role to extract invite links for private teams from API responses and use those links to join or redistribute access to those teams. Affected versions are 11.7.x through 11.7.2 and 10.11.x through 10.11.19. No public exploit identified at time of analysis and exploitation has not been confirmed by CISA KEV, but the low attack complexity (AC:L) means a malicious User Manager could reliably reproduce this without trial and error.

Authentication Bypass Mattermost
NVD
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-9824 MEDIUM This Month

Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; exploitation is constrained to authenticated users, limiting realistic blast radius to insider threat or compromised-account scenarios.

Authentication Bypass Mattermost
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14934 CRITICAL PATCH Act Now

Cross-tenant privilege escalation in the repository creation functionality shared by Google Cloud BigQuery, Dataform, and Colab Enterprise allowed an authenticated GCP user to take over repositories belonging to other tenants. Rated CVSS 4.0 9.4 (critical) with a scope-changing cross-tenant impact, the flaw was a Missing Authorization (CWE-862) issue affecting the managed services between October 2025 and 10 May 2026. Google reports no public exploit identified at time of analysis; the defect was fixed server-side on 10 May 2026 with no customer action required.

Authentication Bypass Google Bigquery Dataform Colab Enterprise
NVD VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-15557 MEDIUM POC This Month

Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-22099 HIGH PATCH This Week

Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue privileged commands without any credentials, enabling sensitive information disclosure, forced reboots, and - most dangerously - the ability to push an arbitrary firmware update URL to the device. Reported by DIVD (DIVD-2026-00001), it carries CVSS 4.0 base 8.7 (High). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-22096 CRITICAL PATCH Act Now

Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-61985 MEDIUM This Month

Missing authorization controls in the Car Rental Manager WordPress plugin (≤1.3.7) allow unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited integrity impact. The CVSS vector (PR:N/UI:N) confirms exploitation requires no credentials or user interaction against any publicly reachable WordPress site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world risk at a moderate level despite the trivial exploitation conditions.

Authentication Bypass Car Rental Manager
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-61983 MEDIUM This Month

Missing authorization in the Church Admin WordPress plugin (versions through 5.0.30) allows unauthenticated remote attackers to invoke plugin endpoints and perform unauthorized write operations without authentication. The root cause is incorrectly configured access control security levels (CWE-862), where certain plugin actions omit the required capability or nonce checks. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier CVSS vector (PR:N, AC:L, AV:N) means opportunistic abuse is technically straightforward for any attacker who can reach the WordPress instance.

Authentication Bypass Church Admin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-61971 LOW Monitor

Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, consistent with its low CVSS score of 2.7.

Authentication Bypass User Profile Picture
NVD
CVSS 3.1
2.7
EPSS
0.3%
CVE-2026-61968 MEDIUM This Month

Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged users to exploit incorrectly configured access control levels, resulting in unauthorized integrity and availability impacts against the plugin's loyalty points system. The root cause (CWE-862) indicates the plugin performs sensitive operations without verifying that the requesting user holds the requisite permission level. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Mycred
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-61958 MEDIUM This Month

Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-59523 MEDIUM This Month

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis, but the unauthenticated, low-complexity attack surface warrants prompt patching.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-61952 MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-57812 MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57797 MEDIUM This Month

Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.

Authentication Bypass Edumall
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-57782 MEDIUM This Month

Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.

Authentication Bypass Universal Clocks
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57781 MEDIUM This Month

Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.

Authentication Bypass Meetinghub
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57779 MEDIUM This Month

Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Fascinate
NVD
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 8.2
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft Azure Spring Apps allows an already-authenticated, low-privileged network attacker to gain higher privileges by abusing an improper authentication weakness (CWE-287) in the managed platform. Because the CVSS scope is marked as changed (S:C), a successful attack can reach resources beyond the attacker's originally authorized boundary, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has published an advisory and a patch is available server-side.

Java Authentication Bypass Microsoft +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in the Microsoft Windows TCP/IP networking stack allows an unauthenticated attacker on the same physical or logical network segment to win a race condition and run arbitrary code on the target. The flaw spans a broad range of desktop and server builds from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, but Microsoft has confirmed the issue and shipped a patch, and the high CVSS (8.8) plus network-facing kernel component make it a priority to remediate.

Authentication Bypass Microsoft Race Condition +18
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in the Windows Reliable Multicast Transport Driver (RMCAST) lets an unauthenticated attacker on the same network segment run arbitrary code by triggering an integer underflow (CWE-191) during multicast message processing. All supported Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1 are affected. There is no public exploit identified at time of analysis, but the CVSS 8.8 adjacent-network unauthenticated profile and Microsoft's own reporting make this a high-priority patch.

Authentication Bypass Integer Overflow Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.

Authentication Bypass Microsoft Windows 10 Version 1809 +10
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege elevation in the Windows App Store component affects a broad range of Microsoft Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025), where a race condition (CWE-362) lets an unauthorized attacker win a timing window to gain elevated privileges over a network. The CVSS 3.1 score is 8.1 with a network vector and no authentication (PR:N), but high attack complexity (AC:H) reflects the difficulty of reliably winning the race. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available from Microsoft.

Authentication Bypass Microsoft Race Condition +14
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the high integrity and confidentiality impact ratings reflect genuine account hijacking potential in shared hosting environments.

Authentication Bypass Webmail
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.

Hashicorp Authentication Bypass Nexus Repository 3
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.

Authentication Bypass Hi Events
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and perform repository operations on their behalf. The flaw stems from insufficient entropy (CWE-331) in format-specific API key realms, so an attacker who can predict or reconstruct a victim's key gains their access without credentials. The vendor (Sonatype) reported and patched the issue in release 3.93.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Docker Authentication Bypass Node.js +1
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OAuth provider rebinding in Easy!Appointments prior to version 1.6.0 allows any authenticated backend user - including low-privilege secretary and provider roles - to silently hijack a peer provider's Google Calendar integration by supplying an arbitrary provider_id to the OAuth initiation endpoint. The attacker completes a legitimate Google OAuth flow with their own Google account, which the application then binds to the victim provider's database row without verifying ownership. From that point forward, every appointment on the victim's schedule syncs to the attacker's Google Calendar, leaking customer names and email addresses as attendee data. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Google Authentication Bypass PHP +1
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Horizontal privilege escalation in Easy!Appointments prior to 1.6.0 permits any authenticated provider to inject appointments into a peer provider's calendar or reassign existing appointments across provider boundaries by supplying an arbitrary `id_users_provider` value to the `store` and `update` API endpoints. The asymmetry is stark: the `search` endpoint correctly enforces provider-scoped filtering, confirming the isolation boundary was intentionally designed - making this an incomplete implementation rather than a missing feature. An additional write-before-crash defect on the `store` path means the unauthorized database row is silently persisted even when the attacker receives an HTTP error response. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Easyappointments
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Certificate revocation bypass in Rockwell Automation ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR (EN4) communication modules allows a network-based attacker to establish a CIP Security connection using a certificate whose issuing intermediate CA has been revoked. Because the controller does not honor the Certificate Revocation List (CRL) for a revoked intermediate, an attacker holding such a certificate can present it as trusted and bypass CIP Security authentication. No public exploit identified at time of analysis; the vendor rates it CVSS 4.0 8.2 (High).

Authentication Bypass Controllogix 5580 Compactlogix 5380 Guardlogix 5580 Compact Guardlogix 5380 1756 En4Tr
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).

Authentication Bypass RCE Studio 5000 Logix Designer
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.

Apple Authentication Bypass Ueberauth Apple
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in Rockwell Automation FactoryTalk Services Platform (FTSP) lets an authenticated low-privilege user forge JWT tokens during Okta Web Authentication because the application fails to enforce the RSA signing algorithm, permitting the classic 'alg:none' attack. A successful attacker can impersonate any authorized user, reaching system configuration and granting permissions to other systems that FTSP protects. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the alg:none technique is well documented and trivially reproducible once access is obtained.

Authentication Bypass Factorytalk Services Platform
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote command execution on Rockwell Automation's 1715-AENTR EtherNet/IP Adapter arises from a network-accessible debug port that enforces no privilege controls, exposing intrusive CLI commands to any attacker who can reach the device. An unauthenticated remote actor can read and delete files, halt tasks, modify memory, and manipulate physical I/O states, giving full control over device confidentiality, integrity, and availability. Rated CVSS 4.0 10.0 (Critical) with subsequent-system impact; no public exploit has been identified at time of analysis.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct-database-access code path, per CWE-306 (missing authentication for a critical function). All self-hosted YouTrack builds prior to the 2026.1.13757 / 2025.3.148033 / 2025.2.148048 / 2025.1.148120 / 2024.3.148430 / 2024.2.148429 fix trains are affected, and JetBrains rates it CVSS 10.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the maximal severity score and administrative impact make prompt patching essential.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Broken object-level authorization in the Sesame Time web application and its REST v3 API lets remote attackers hijack another user's session by presenting a valid session identifier (USID), because the platform treats the USID as a bearer credential and never verifies that it belongs to the requester. Any attacker who obtains a valid USID can read a victim's confidential data - emails, user IDs, roles and corporate information - and the weakness is compounded by session sprawl, since new logins mint additional USIDs without invalidating prior ones. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Sesame Time
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Authentication bypass in Siemens Opcenter X (all versions before V2604) lets an unauthenticated remote attacker forge JSON Web Tokens by exploiting improper validation of the algorithm field in the JWT header. Because the application trusts the attacker-controlled 'alg' value, an attacker can craft tokens that impersonate any user - including administrators - yielding full unauthorized access to the manufacturing operations platform. Rated CVSS 10.0 with a scope-changing critical impact; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Jwt Attack Opcenter X
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE +5
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.

Authentication Bypass SQLi Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Security constraint bypass in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.119, 10.1.0-M1-10.1.56, 11.0.0-M1-11.0.23) lets remote attackers reach protected resources by abusing improperly handled hex URL encoding in the RewriteValve, defeating URL-pattern security constraints. Because the flaw resides in the rewrite valve, only deployments that use the RewriteValve together with security constraints are exposed, but where present an unauthenticated attacker (per CVSS PR:N) can access or manipulate resources meant to be restricted. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Apache Tomcat +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. A publicly available proof-of-concept exists per WPScan; this vulnerability is not currently listed in the CISA KEV catalog, but the combination of a PoC, medium-prevalence deployment, and account-takeover impact warrants prompt patching.

Authentication Bypass WordPress Wp 2Fa
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Missing authentication on Apache Doris Frontend (FE) HTTP REST administrative APIs allows any unauthenticated attacker with network reach to the FE HTTP service to invoke privileged administrative operations, degrading cluster integrity and availability up to full denial of service. All Apache Doris releases before 3.1.0 (per EUVD, the 2.1.0 through pre-3.1.0 line) are affected, and a fixed release exists in 3.1.0. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the 9.1 Critical CVSS reflects the trivial unauthenticated network exploitability rather than confirmed in-the-wild use.

Apache Authentication Bypass Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.

Authentication Bypass WordPress Foodbook Lite Online Food Ordering System
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Unauthenticated authorization bypass in poco-ai/poco-claw's Workspace API allows remote attackers to access arbitrary users' workspace files by manipulating the user_id parameter in the get_workspace_file function. All versions through 0.5.4 are affected, with the executor manager's control-plane routes completely lacking token-based authentication before the fix. Publicly available exploit code exists (POC confirmed via GitHub issue #133 and PR #135); no CISA KEV listing at time of analysis.

Authentication Bypass Poco Claw
NVD VulDB GitHub
MEDIUM PATCH This Month

Privilege escalation in Kimai time-tracking software (<=2.57.0) allows authenticated TEAMLEAD users to create and modify global export templates that are intended to be administrator-only resources. The web controller routes `createExportTemplate` and `editExportTemplate` in `ExportController` inherit only the class-level `create_export` permission - granted to ROLE_TEAMLEAD - while the API endpoints and UI correctly enforce the stricter `create_export_template` permission restricted to ROLE_ADMIN and ROLE_SUPER_ADMIN. Because ExportTemplate entities have no per-user or per-team scoping, a TEAMLEAD can silently alter organization-wide export configurations affecting all users including administrators. No public exploit is confirmed at time of analysis, though a private PoC was submitted to the vendor and subsequently removed.

PHP Authentication Bypass
NVD GitHub
HIGH PATCH This Week

Two-factor authentication bypass in Kimai (open-source time-tracking) before 2.59.0 lets an attacker with only a victim's password reach every authenticated REST API endpoint without completing TOTP. The KIMAI_SESSION cookie returned by the password-only login response - issued before the 2FA step - is already treated as authenticated by /api/*, so it can be replayed to act fully as the user while the browser is still pinned to the 2FA screen. No public exploit identified at time of analysis (a PoC existed but was redacted by the reporter); not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

CSS stylesheet injection in SAP @ui5/webcomponents-base allows unauthenticated remote attackers to load arbitrary cross-origin stylesheets into victim pages by bypassing the sap-allowed-theme-origins allowlist enforcement inside setThemeRoot(). The ?sap-themeRoot URL query parameter is a direct delivery vector, making socially-engineered exploitation trivial - no authentication is required from the attacker (CVSS PR:N), only a victim page load (UI:R). Successful exploitation enables UI redressing, clickjacking, phishing overlays, visual defacement, and limited CSS attribute-selector-based data exfiltration; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SAP Authentication Bypass Ui5 Webcomponents Base
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Privilege escalation in SAP S/4HANA's Draft Operation component allows authenticated restricted users to read entity data beyond their authorized scope due to missing authorization checks. The flaw, classified under CWE-862, is exploitable over the network without elevated privileges, resulting in low confidentiality impact with no effect on integrity or availability. No public exploit code or active exploitation has been identified at time of analysis, keeping real-world risk bounded despite the network-accessible attack vector.

SAP Authentication Bypass Sap S 4Hana Draft Operation
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in SAP S/4HANA's Create Single Payment function exposes restricted entity set keys to authenticated but low-privileged users. The flaw (CWE-862) allows a restricted user to query specific payment-related entity sets beyond their intended access scope, resulting in low-impact confidentiality leakage with no effect on data integrity or system availability. No public exploit code exists and this vulnerability is not listed in CISA KEV; EPSS data was not provided, but the CVSS 4.3 medium score and limited impact scope suggest low exploitation urgency.

SAP Authentication Bypass Sap S 4 Hana Create Single Payment
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments.

SAP Authentication Bypass Open Redirect +1
NVD
MEDIUM PATCH This Month

Cross-scope billing rate manipulation in Kimai 2.56.0 allows authenticated users with edit access to any single project, customer, or activity to tamper with rate configurations belonging to entirely different organizational units they are not authorized to access. The root cause is missing parent-child consistency validation in three Web admin rate-editing endpoints, where the controller validates the authenticated user's access to the parent object but never verifies that the child rate record actually belongs to that same parent. A PoC was privately submitted and subsequently removed from the advisory before public disclosure; no public exploit code is circulating and no CISA KEV active-exploitation listing exists at time of analysis.

Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Improper authorization in Kimai's Team API endpoints allows an authenticated Teamlead to add users and activities to their team that fall outside their intended management scope, bypassing the access boundaries enforced by the frontend. Affected versions are Kimai <= 2.57.0 (composer package kimai/kimai). A proof-of-concept was reportedly created but withheld; no public exploit code is currently available and this vulnerability is not listed in CISA KEV. Once a Teamlead writes an out-of-scope team relation, downstream authorization logic may treat those relations as legitimate, silently expanding access to time entries, project visibility, and reporting for the affected users and activities.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Permission revocation bypass in Kimai's timesheet restart and duplicate workflows allows authenticated users to create new database-persisted time entries under projects they no longer have access to. Affecting Kimai up to and including version 2.57.0, the flaw exists because `TimesheetVoter.php` evaluates the `*_own_timesheet` ownership branch before team-based access checks, meaning a historical timesheet entry acts as a durable capability token that survives administrative revocation. No public exploit is available - a PoC was reportedly submitted to the project and then redacted - and this vulnerability is not listed in CISA KEV.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Improper object-level authorization in Kimai 2.56.0 allows any authenticated user holding the generic `create_activity` permission to inject Activity records into projects outside their authorized scope by directly invoking the preset-project creation routes with an arbitrary project ID. The controllers in `ActivityController.php` and `ProjectController.php` validate only the global capability (can the user create activities at all?) without performing a secondary check that the user also has edit rights on the specific target project. No public exploit exists at time of analysis, though a PoC was privately shared with the vendor and subsequently removed; the vendor has released a fix in version 2.57.0.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.

PHP Authentication Bypass
NVD GitHub
MEDIUM PATCH This Month

{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.

PHP Authentication Bypass
NVD GitHub
CRITICAL POC PATCH Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.

PHP Authentication Bypass Cockpit Cms
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. This is a network-reachable, no-privilege flaw (CVSS 4.0 8.7) with no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. Reported by VulnCheck with a critical CVSS 4.0 base of 9.3; no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in OpenClaw's native web search component allows authenticated lower-trust callers to invoke operations normally gated behind stronger policy checks. Versions 2026.5.28 through 2026.6.5 are affected, with exploitation requiring crafted input paths targeting misconfigured authorization logic - no special tooling needed given the low attack complexity. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable attack surface and low complexity reduce the barrier for abuse by compromised or malicious low-privilege accounts.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw (versions 2026.3.22 up to but not including 2026.6.6) lets a lower-trust WhatsApp sender satisfy elevated sender allowlists because WhatsApp group IDs are accepted as if they were privileged individual sender identities. An authenticated but low-privilege attacker can therefore invoke actions gated behind stronger authorization, effectively escalating privilege within the messaging integration. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (high); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw 2026.5.20 through 2026.6.5 lets a low-privilege caller invoke owner-only tools through the MCP loopback feature, escalating beyond intended permissions to execute or persist privileged actions. The flaw stems from incorrect permission enforcement (CWE-732) on configured input paths reachable over the network. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Authorization bypass in OpenClaw's plugin install wrappers (versions 2026.6.5 through 2026.6.8) allows a lower-trust authenticated caller to skip the install policy check, executing or persisting plugin actions beyond their intended authorization scope. The impact is bounded by operator configuration - deployments where the plugin install feature is disabled or unreachable are not affected. No public exploit code has been identified and the vulnerability does not appear in CISA KEV; vendor-released fix is available in version 2026.6.9.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege-boundary bypass in OpenClaw's Discord guild-action handling (versions 2026.6.6 up to but not including 2026.6.9) lets a low-privilege authenticated caller invoke operations that should require stronger authorization. By abusing misconfigured input paths, the attacker skips the cross-provider requester authorization step and executes restricted guild operations. No public exploit identified at time of analysis; the CVSS 4.0 score of 7.2 reflects high integrity and availability impact with no confidentiality exposure.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Privilege escalation via authorization bypass in OpenClaw 2026.6.6 through 2026.6.8 allows a low-privileged, authenticated caller to invoke message-mutation operations that should require stronger authorization, letting them execute privileged actions. The flaw is a missing authorization check (CWE-862) on mutation input paths and requires the affected feature to be enabled and reachable. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Authorization bypass via symlink following in OpenClaw's mirror sync feature (versions before 2026.6.9) lets a lower-privilege caller escalate into actions that should require stronger authorization. By planting or referencing symlink parents on a remote mirror target, an authenticated attacker can trick the sync logic into resolving links that cross policy and trust boundaries, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no CISA KEV listing; no EPSS score was supplied.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Feishu
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Authorization bypass in the @openclaw/feishu npm package (versions <= 2026.6.6) allows a lower-trust caller - or attacker-influenced input reaching a configured input path - to perform Feishu (Lark) actions that should have required stronger authorization, because per-account disablement can be ignored. Authenticated remote attackers can trigger unauthorized operations affecting confidentiality and integrity; no public exploit has been identified at time of analysis, and the flaw is fixed in version 2026.6.9. Real-world impact is gated by the operator's configuration and whether untrusted input can reach the affected feature.

Authentication Bypass Node.js Feishu
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in OpenClaw before 2026.6.8 lets a lower-trust, already-authenticated caller invoke admin-restricted operations by abusing OpenAI-compatible HTTP model-override input paths, bypassing the authorization checks that should gate those actions. The flaw was reported by VulnCheck and stems from missing authorization (CWE-862) on override-driven request handling. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credentials enumerate, create, modify, and delete provider connections via the Next.js routes under src/app/api/providers/*. Because the /api/providers endpoints ship without authentication middleware, attackers can harvest partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled providers, or wipe all connections for a full denial of service; the companion /api/usage/stats endpoint further leaks full plaintext API keys. Rated CVSS 4.0 9.3 (critical); no public exploit identified at time of analysis, though the trivial access makes exploitation straightforward.

Authentication Bypass Denial Of Service 9Router
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. No public exploit identified at time of analysis, though the flaw is trivially reproducible by manipulating a request parameter.

Authentication Bypass Crm
NVD GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.

PHP Authentication Bypass Crm
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

{appId}/{clusterName}/{namespace} endpoint as the literal string 'raw', so no matching secret is found and the signature check is skipped for the real target app. No public exploit identified at time of analysis; the flaw is fixed in Apollo 2.5.2.

Canonical Authentication Bypass
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Authentication bypass in Apollo (Ctrip apolloconfig) ConfigService allows an unauthenticated remote attacker to read protected configuration data from /configs and /configfiles endpoints even when AccessKey/management-key authentication is enabled. The flaw stems from ConfigService accepting a non-canonical appId variant (e.g. accented or trailing-space forms) that misses the AccessKey secret cache lookup - causing signature verification to be skipped - while the downstream release lookup still resolves the value to the real, protected app under equivalence-treating database collations. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the confidentiality-only impact drives the CVSS 7.5 (High) rating.

Canonical Authentication Bypass
NVD GitHub
CVSS 6.0
MEDIUM PATCH This Month

Improper authorization in Decidim's CSV census admin controller allows participant managers to read, create, update, and delete CSV census rows they are not permitted to access. The `/admin/csv_census/census_logs` endpoint family in `decidim-verifications` fails to call `enforce_permission_to` before rendering or mutating `Decidim::Verifications::CsvDatum`, granting participant managers the same data-mutation capability as full administrators. Exploitation corrupts the verification dataset that drives Decidim's authorization workflows, potentially invalidating or fabricating eligibility records for all participants. No public exploit code has been identified at time of analysis, but detailed reproduction steps are included in the public security advisory.

Authentication Bypass
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Cross-tenant authentication bypass in Decidim (the Ruby-on-Rails participatory-democracy platform) lets a JWT issued in one organization (tenant) be replayed against a second organization's GraphQL API by simply changing the HTTP Host header. An authenticated Org 1 principal (admin or API user) can then read Org 2's admin-only participantDetails field, harvest Org 2 participant personal data, and reach Org 2's proposal.answer mutation path. Rated CVSS 8.5 with a scope change; the vendor advisory publishes step-by-step reproduction, but no CISA KEV listing and no EPSS score were provided, so widespread active exploitation is not established.

Authentication Bypass
NVD GitHub
CVSS 5.4
MEDIUM PATCH This Month

Unauthorized access to the demographics questionnaire admin editor in Decidim's decidim-demographics module allows any authenticated participant to reach and interact with the `/admin/demographics/questions/edit_questions` route without admin privileges. Affected versions span 0.31.0-0.31.4 and 0.32.0.rc1, with fixes released in 0.31.5 and 0.32.0. The vulnerability is not listed in CISA KEV and no separate public exploit code has been identified; however, the advisory published by Decidim includes step-by-step reproduction instructions, lowering the barrier for exploitation by any registered platform user.

Authentication Bypass
NVD GitHub
CVSS 6.5
MEDIUM PATCH This Month

{env}/releases/{releaseId}` endpoint fetches and returns a release payload without invoking `UserPermissionValidator.shouldHideConfigToCurrentUser(...)`, meaning a low-privileged user who supplies a valid release ID belonging to a restricted application receives the full configuration - potentially including embedded credentials, database connection strings, and service endpoints. No public exploit has been identified at time of analysis, and exploitation is gated by a non-default configuration setting (`configView.memberOnly.envs`), but the practical data sensitivity of Apollo configuration stores makes this a meaningful confidentiality risk.

Authentication Bypass
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Tenant data leakage in the Tempo Operator gateway component (Red Hat OpenShift Distributed Tracing 3) allows an authenticated low-privileged user to read span attributes from namespaces belonging to other tenants. The flaw exists because namespace-scoped redaction is inconsistently applied across certain query API response paths when query RBAC is enabled, meaning the authorization control exists but is not uniformly enforced. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the high confidentiality impact and low attack complexity make it a meaningful risk in shared multi-tenant tracing deployments.

Authentication Bypass Red Hat Openshift Distributed Tracing 3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Mattermost's Playbooks feature permits any authenticated team member to overwrite another user's playbook metric configuration by supplying a foreign metric ID in a crafted import or update request. Affected branches are 11.7.x through 11.7.1, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, where the server authorizes metric writes based on team membership alone rather than verifying that the referenced metric ID belongs to the playbook being saved. No public exploit code has been identified and this vulnerability does not appear in CISA KEV at time of analysis.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 3.8
LOW Monitor

Insufficient sanitization of team objects in Mattermost's scheme teams API endpoint allows an authenticated user holding the User Manager role to extract invite links for private teams from API responses and use those links to join or redistribute access to those teams. Affected versions are 11.7.x through 11.7.2 and 10.11.x through 10.11.19. No public exploit identified at time of analysis and exploitation has not been confirmed by CISA KEV, but the low attack complexity (AC:L) means a malicious User Manager could reliably reproduce this without trial and error.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; exploitation is constrained to authenticated users, limiting realistic blast radius to insider threat or compromised-account scenarios.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Cross-tenant privilege escalation in the repository creation functionality shared by Google Cloud BigQuery, Dataform, and Colab Enterprise allowed an authenticated GCP user to take over repositories belonging to other tenants. Rated CVSS 4.0 9.4 (critical) with a scope-changing cross-tenant impact, the flaw was a Missing Authorization (CWE-862) issue affecting the managed services between October 2025 and 10 May 2026. Google reports no public exploit identified at time of analysis; the defect was fixed server-side on 10 May 2026 with no customer action required.

Authentication Bypass Google Bigquery +2
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue privileged commands without any credentials, enabling sensitive information disclosure, forced reboots, and - most dangerously - the ability to push an arbitrary firmware update URL to the device. Reported by DIVD (DIVD-2026-00001), it carries CVSS 4.0 base 8.7 (High). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization controls in the Car Rental Manager WordPress plugin (≤1.3.7) allow unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited integrity impact. The CVSS vector (PR:N/UI:N) confirms exploitation requires no credentials or user interaction against any publicly reachable WordPress site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world risk at a moderate level despite the trivial exploitation conditions.

Authentication Bypass Car Rental Manager
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the Church Admin WordPress plugin (versions through 5.0.30) allows unauthenticated remote attackers to invoke plugin endpoints and perform unauthorized write operations without authentication. The root cause is incorrectly configured access control security levels (CWE-862), where certain plugin actions omit the required capability or nonce checks. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier CVSS vector (PR:N, AC:L, AV:N) means opportunistic abuse is technically straightforward for any attacker who can reach the WordPress instance.

Authentication Bypass Church Admin
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, consistent with its low CVSS score of 2.7.

Authentication Bypass User Profile Picture
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged users to exploit incorrectly configured access control levels, resulting in unauthorized integrity and availability impacts against the plugin's loyalty points system. The root cause (CWE-862) indicates the plugin performs sensitive operations without verifying that the requesting user holds the requisite permission level. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Mycred
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis, but the unauthenticated, low-complexity attack surface warrants prompt patching.

Authentication Bypass Simply Schedule Appointments
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.

Authentication Bypass Edumall
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.

Authentication Bypass Universal Clocks
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.

Authentication Bypass Meetinghub
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Fascinate
NVD
Prev Page 3 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy