Skip to main content

Authentication Bypass

31265 CVEs technique

Monthly

CVE-2026-45157 MEDIUM PATCH This Month

Unauthorized chunking upload access in Nextcloud Server allows an authenticated share recipient to read temporary part files during another user's active file upload. Affecting versions 32.0.0-32.0.8 and 33.0.0-33.0.2, the flaw stems from the WebDAV chunking upload collection failing to restrict directory listing or GET requests on intermediate upload objects when accessed via a share token - a boundary the fix explicitly closes by blocking reads on FutureFile and UploadFile node types. No public exploit has been identified and no CISA KEV listing exists at time of analysis, but the high confidentiality impact (CVSS C:H) means sensitive in-transit file contents are fully exposed to any malicious share recipient who times access during an active upload.

Authentication Bypass Nextcloud Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-45156 HIGH PATCH This Week

Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicious ID4me authority to impersonate arbitrary users due to missing JWT signature verification in the ID4me login flow. The flaw stems from a literal 'TODO: VALIATE SIGNATURE!' code comment that left ID tokens accepted without cryptographic validation, enabling identity spoofing once a victim is redirected through the attacker-controlled authority. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45155 LOW PATCH Monitor

Nextcloud Server's Circles app exposes a missing access control check on the member-add API endpoint, allowing an authenticated user to add an arbitrary circle - identified only by its internal ID - as a member of another circle without verifying that the requesting user has any relationship to the target circle. Affected versions span 32.0.0-32.0.6 and 33.0.0, with Enterprise editions from 29.x through 31.x also impacted. Exploitation is severely constrained by the 62^15 entropy of circle IDs, making the vulnerability practically exploitable only when an attacker has obtained a valid circle ID through a separate information-disclosure path, at which point they could track or infer circle membership relationships. No public exploit exists and this is not listed in CISA KEV.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-45154 LOW PATCH Monitor

Nextcloud Collectives versions 2.6.0 through 4.3.0 (exclusive) exposes deleted collective pages to unauthorized guests via a missing permission check in the public trash controller. Guests granted view-only access to a shared collective can bypass deletion-based access controls by directly querying trashbin endpoints, reading content that was intentionally removed. CVSS scores this at 2.6 (Low) with no public exploit identified at time of analysis and no CISA KEV listing, placing real-world priority at the lower end of the risk spectrum.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-45153 MEDIUM PATCH This Month

PIN authentication bypass in the Nextcloud Files Android app (versions 33.0.0 through 33.0.x) allows a physically present attacker to circumvent the app's passcode lock screen by pressing the Android back button immediately after the host device is unlocked. The PassCodeActivity failed to intercept back-navigation events during PIN verification, granting direct file access without completing authentication. No public exploit identified at time of analysis and no CISA KEV listing; risk is tightly constrained by the physical access vector. Patched in version 33.1.0 via upstream PR #16896.

Google Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-45264 MEDIUM PATCH This Month

Rename permission bypass in Nextcloud's team folder (groupfolders) feature allows authenticated low-privileged users holding READ and CREATE permissions to rename files in team folders even when UPDATE permission is explicitly denied. Affecting Nextcloud versions 17.0.0 through 21.0.3, the flaw originates from a single-character bitwise operator error in ACLStorageWrapper.php - a `&` used instead of `|` when evaluating combined permission flags effectively nullifies the UPDATE permission check. No public exploit identified at time of analysis; vendor-released patches are available across all affected version branches.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-10272 MEDIUM POC This Month

Improper authorization in a4m4's Student-Management-System allows unauthenticated remote attackers to manipulate the `sid` parameter in `admin/deleteform.php` to delete student records without any credentials. All commits up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 are affected, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. No patch is available; the maintainer has not responded to the responsible disclosure report, leaving all deployed instances exposed with no official remediation path.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-42671 MEDIUM This Month

Missing authorization in the GeoDirectory WordPress plugin (through v2.8.157) permits unauthenticated remote attackers to invoke privileged plugin operations without any credential requirement, resulting in partial integrity and availability impact on directory listings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, network-accessible exploitation requiring no user interaction, reported by Patchstack under the 'Authentication Bypass' tag. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority patch tier for any WordPress deployment running a public-facing GeoDirectory instance.

Authentication Bypass Geodirectory
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42674 HIGH This Week

Authentication bypass in the Advanced Access Manager (AAM) WordPress plugin through version 7.1.0 allows remote unauthenticated attackers to circumvent access controls via URL encoding manipulation, achieving high integrity impact on protected resources. The flaw is reported by Patchstack and tracked under CWE-290 (Authentication Bypass by Spoofing). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Advanced Access Manager
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42675 HIGH This Week

Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Hydra Booking
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-42682 CRITICAL Act Now

Broken access control in Tomdever's wpForo Forum WordPress plugin (versions up to and including 3.0.6) allows remote unauthenticated attackers to invoke restricted functionality due to missing authorization checks, leading to high integrity and availability impact on affected forums. The CVSS 9.1 score reflects network-reachable exploitation with no privileges or user interaction required, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as a broken access control flaw against the plugin.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-42251 HIGH This Week

Credential exposure in Kamsoft KS-SOMED medical software allowed remote unauthenticated attackers to authenticate to the FTP server hosting application update packages by extracting hard-coded credentials from the KSPLUPDFTP.exe and ANEKSKLIENT.EXE modules. While the vendor states the exposed credentials ultimately had only read-only access, the original threat model included an attacker uploading a malicious update file that would propagate to client machines as a legitimate update. No public exploit identified at time of analysis.

Authentication Bypass
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42677 HIGH PATCH This Week

Information disclosure in WP Document Revisions WordPress plugin versions before 4.0.0 allows unauthenticated remote attackers to access protected documents due to broken access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N) indicates trivially exploitable confidentiality-only impact, and no public exploit identified at time of analysis, though Patchstack has cataloged the issue with a working proof reference.

Authentication Bypass Wp Document Revisions
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-10269 MEDIUM PATCH This Month

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JWT authentication by manipulating the HTTP Host header, gaining unauthorized access to protected dashboard and API endpoints. The vulnerable isLocalRequest() function in dashboardGuard.js blindly trusted the client-supplied Host header to determine whether a request originated from localhost, enabling any network-reachable attacker to spoof local origin by sending Host: localhost. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patch v0.4.1 is available and confirmed.

Authentication Bypass 9Router
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-47415 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read, modify, or delete issues belonging to other tenants by supplying a known issue UUID against their own workspace path. The issue CRUD endpoints validate workspace membership but never verify that the targeted issue actually belongs to that workspace, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the vulnerability is source-verified end-to-end with an upstream fix released as version 0.1.4.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-47417 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read and inject comments on issues belonging to any other tenant in a multi-tenant deployment. The comment endpoints validate workspace membership but never verify that the URL-supplied issue_id actually belongs to that workspace, breaking tenant isolation. No public exploit identified at time of analysis, but source-code-level analysis confirms the gap end-to-end.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47418 PyPI HIGH PATCH GHSA This Week

{workspace_id}/projects/{project_id} only verify membership in the URL-supplied workspace, then perform primary-key-only lookups against the Project table without scoping by workspace_id. No public exploit identified at time of analysis, and EPSS/KEV signals are not provided for this advisory.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47429 npm CRITICAL PATCH GHSA Act Now

Arbitrary file read and remote code execution in Vitest versions prior to 4.1.0 allow remote unauthenticated attackers to read files outside the project directory on Windows and execute arbitrary scripts when the Vitest UI or Browser Mode API server is exposed to the network via the --api.host flag or api.host configuration option. The flaw stems from incorrect use of the deprecated isFileServingAllowed check, which can be bypassed using Windows-specific path syntax (\\?\\..\\), and is compounded by API features (saveTestFile + rerun, readFile/writeFile/saveSnapshotFile) that effectively grant script execution to anyone who can reach the API. Publicly available exploit code exists in the GHSA advisory PoC; no public exploit beyond that is identified at time of analysis.

Microsoft RCE Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-48119 Go HIGH PATCH GHSA This Week

Cross-tenant data forgery in Nezha monitoring dashboard allows any authenticated low-privilege user with a valid agent secret to submit fabricated service-monitor TaskResult messages for services owned by other tenants. The dashboard's inbound result worker validates only that the referenced service ID exists, skipping the ownership and coverage checks enforced on the outbound dispatch path, so attackers can poison victim service history and trigger victim-owned notifications containing attacker-controlled text. A working local proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis in the wild, and the issue is not on CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-10255 MEDIUM POC This Month

Unauthenticated remote information disclosure in SourceCodester Pharmacy Sales and Inventory System 1.0 allows network-based attackers to bypass access controls and read sensitive sales statement data via the sell_statement function in application/controllers/ShowForm.php. The CVSS vector confirms PR:N (no authentication required) with low access complexity, and a proof-of-concept exploit has been publicly disclosed via GitHub. No KEV listing at time of analysis, but the combination of unauthenticated network access and available exploit code elevates practical risk beyond the moderate CVSS 5.3 score alone.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-25600 MEDIUM PATCH This Month

Hard-coded cryptographic secret in PDBM.exe (by Trac d.o.o.) enables authenticated local attackers to decrypt administrative credentials stored in the product's configuration file. The static secret, constant across all PDBM installations, is embedded directly in the application binary and is used as the key for the credential encryption routine. Because the affected version configures the stored account with full administrative privileges, a successful extraction yields unrestricted access to PDBM's management interface and all underlying operational functions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Pdbm
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-25599 MEDIUM PATCH Monitor

Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Authentication Bypass Orca Heat Pump Orca User Portal
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-46605 Maven MEDIUM PATCH This Month

Incomplete authorization in Apache ActiveMQ Broker allows authenticated low-privilege users to remove messaging destinations (queues and topics) beyond their granted permissions, causing targeted availability disruption to broker-connected producers and consumers. Affected versions span the 5.x line before 5.19.7 and the 6.x line from 6.0.0 before 6.2.6, covering ActiveMQ Broker and ActiveMQ All distributions. With an EPSS of 0.01% (3rd percentile), no CISA KEV listing, and no public exploit code identified, this is a low-urgency but genuine authorization control gap that is most relevant to environments with multiple untrusted authenticated broker accounts.

Apache Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44825 Maven HIGH GHSA This Week

Hardcoded credentials in Apache Solr 9.4.0 through 9.10.1 and 10.0.0 allow remote attackers to obtain full administrative access to clusters that bootstrapped Basic Authentication via the bin/solr auth enable tool. The setup script silently installs template accounts (superadmin, admin, search, index) with publicly known default passwords alongside the user-specified account, and no public exploit identified at time of analysis though the credentials are documented and trivially reusable.

Apache Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40543 HIGH This Week

Unauthenticated information disclosure in SOPlanning version 1.55 and below allows remote attackers to download backup archives and configuration files directly from backup endpoints without any authentication, exposing the user database with password hashes and sensitive configuration data. The CVSS 4.0 score of 8.8 reflects high confidentiality impact over the network with no privileges or user interaction required, and no public exploit identified at time of analysis. Disclosure was coordinated through CERT.PL, indicating a vetted advisory rather than opportunistic discovery.

Authentication Bypass
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-10243 MEDIUM This Month

Remote unauthenticated access to multiple Admin Endpoints in code-projects Smart Parking System 1.0 allows attackers to bypass all authentication controls, gaining network-reachable read, write, and availability impact with no credentials or user interaction required. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation of a missing authentication gate - not a weak or bypassable one, but an entirely absent one across multiple admin functions. Publicly available exploit code exists per the E:P exploit maturity modifier and a referenced GitHub proof-of-concept repository, though no CISA KEV listing is present at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-48188 CRITICAL Act Now

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.

SQLi Authentication Bypass Otrs Otrs Community Edition
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-10218 LOW POC Monitor

Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker to bypass authorization controls via the `auth` function in `internal/http/evolution_handlers.go`. The CVSS 4.0 score is 2.1 with limited integrity and availability impact and no confidentiality exposure. A public proof-of-concept exploit has been disclosed via a GitHub issue, though the project has not been confirmed as actively exploited in the wild per CISA KEV.

Authentication Bypass Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10215 PHP LOW POC PATCH Monitor

Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10212 PyPI LOW POC Monitor

Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate the session_id argument within the astr_main_agent function to access or control sessions belonging to other users. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the server fails to verify that the requesting user owns the supplied session_id. A publicly available exploit exists via GitHub gist, no vendor patch has been released, and the vendor did not respond to disclosure - elevating practical risk above what the CVSS 6.3 Medium score alone implies.

Authentication Bypass Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10211 LOW POC Monitor

Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions via the `_normalize_rw_path` function in `astrbot/core/tools/computer_tools/fs.py`, resulting in unauthorized read, write, or access to files outside the intended scope. The vulnerability stems from improper path normalization logic that fails to enforce access controls correctly, enabling authenticated users to escape sandboxed file boundaries. A public proof-of-concept exploit exists on GitHub, and the vendor was unresponsive to coordinated disclosure, leaving no official patch available at time of analysis.

Authentication Bypass Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-37233 HIGH This Week

Authorization bypass in FlexRIC v2.0.0 allows a malicious xApp to delete subscriptions belonging to other xApps connected to the same iApp instance, breaking multi-tenant isolation in O-RAN deployments. The root cause is a self-comparison bug in eq_xapp_ric_gen_id() that ignores the xApp identity dimension entirely. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%).

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-37235 HIGH This Week

Denial of service in FlexRIC v2.0.0 allows remote unauthenticated attackers to impersonate any xApp by forging the xapp_id field in E42 messages sent to the iApp on port 36422, since the value is not bound to the sender's SCTP association. Misrouted responses corrupt the red-black tree state and can crash the targeted xApp, the RIC, or the iApp itself. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 9th percentile) reflecting limited weaponization to date.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41017 PyPI MEDIUM PATCH This Month

JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.

Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45426 PyPI LOW PATCH Monitor

{/, l, o, g} - rather than a literal prefix strip, causing the filename derived from the URL to diverge from the file actually served. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Python Apache Deserialization Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-40963 PyPI LOW PATCH Monitor

DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the `/ui/structure/structure_data` endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the `ReadableDagsFilterDep` authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-46764 PyPI MEDIUM PATCH This Month

The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied `event_log_id` path parameter can reference log rows from unauthorized DAGs without triggering a rejection. No public exploit code exists and the issue is not listed in CISA KEV, but the attack is trivially executable by any authenticated Airflow user in a multi-tenant deployment.

Python Apache Deserialization Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49267 PyPI MEDIUM PATCH This Month

Missing certificate validation during SMTP STARTTLS negotiation in Apache Airflow 2.0.0 through 3.2.1 exposes email traffic to man-in-the-middle interception. Both the core email utility (airflow.utils.email.send_email) and the SMTP provider hook (SmtpHook.get_conn, SmtpHook.aget_conn) called starttls() without an SSL context, causing Python's smtplib to accept any server certificate unconditionally. An unauthenticated network-adjacent attacker who can intercept traffic between the Airflow instance and its configured SMTP relay can present a fraudulent TLS certificate, successfully complete the upgrade handshake, and read all outbound email content in cleartext. No public exploit identified at time of analysis and EPSS is 0.01%, but the impact class is high confidentiality loss per CVSS.

Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-49298 PyPI HIGH PATCH GHSA This Week

Sensitive information disclosure in Apache Airflow versions prior to 3.2.2 exposes JWT authentication tokens via KubernetesExecutor command-line arguments, allowing low-privileged users with process listing access on worker pods to harvest credentials and impersonate workers against the Execution API. The flaw, addressed in PR #60108 alongside a redesign of workload/execution token lifetimes, carries a CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit has been identified at time of analysis and EPSS sits at 0.02%, suggesting limited mass-exploitation activity.

Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41014 PyPI MEDIUM PATCH This Month

Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48726 PyPI MEDIUM PATCH This Month

JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.

Authentication Bypass Apache Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41084 PyPI HIGH PATCH GHSA This Week

API authorization bypass in Apache Airflow 3.2.0 through versions before 3.2.2 allows authenticated users with access to one DAG to mutate TaskInstances belonging to other DAGs they should not control, via the bulk TaskInstances PUT/DELETE endpoints. The flaw stems from the bulk handler omitting per-DAG authorization checks, enabling cross-DAG state tampering with high integrity impact (CVSS 7.5, vector AV:N/AC:L/PR:N/UI:N/I:H). No public exploit identified at time of analysis and EPSS probability is low at 0.01%.

Apache Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-10167 MEDIUM POC This Month

Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-8382 MEDIUM This Month

Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.

WordPress Authentication Bypass Advanced Custom Fields
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-10157 MEDIUM POC PATCH This Month

Authentication bypass in Open5GS versions up to 2.7.6 allows remote attackers to manipulate UE security capabilities through the AMF's NGAP PathSwitchRequest message handler in src/amf/ngap-handler.c. The flaw stems from the AMF blindly overwriting locally stored UE 5G security capabilities with values received from a target gNB during a path switch, violating 3GPP TS 33.501 6.7.3.1, and publicly available exploit code exists though no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Open5gs
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-10154 MEDIUM PATCH This Month

Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-10152 LOW POC Monitor

Improper access control in TaleLin lin-cms-spring-boot through version 0.2.1 allows authenticated remote attackers to bypass authorization enforcement on the book API endpoint, gaining unauthorized read, write, and functional access to book resources. The flaw is rooted in BookController.java and tagged as an authentication bypass, suggesting privilege escalation beyond what the standard CVSS PR:L signal alone implies. A publicly available exploit exists via GitHub issue #336, no vendor patch has been released, and the maintainer has not responded to responsible disclosure - conditions that collectively elevate operational urgency despite the medium CVSS score of 6.3.

Java Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2018-25412 CRITICAL POC Act Now

Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Authentication Bypass File Upload
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-47414 PyPI HIGH PATCH GHSA This Week

Cross-workspace label tampering in praisonai-platform <=0.1.2 lets any authenticated workspace member rewrite, delete, attach, detach, and enumerate labels belonging to other tenants because five label endpoints only check workspace membership and never verify that the URL-supplied label_id or issue_id actually belongs to that workspace. Reported by the upstream MervinPraison/PraisonAI project with a fix in 0.1.4; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-47406 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform (<=0.1.2) allows any authenticated workspace member to read, create, and delete issue dependencies belonging to foreign workspaces by supplying arbitrary issue UUIDs in URL paths and request bodies. The dependency endpoints only enforce membership on the URL workspace_id while passing unvalidated issue and dependency identifiers to DependencyService, enabling cross-tenant linking of issues across any two workspaces in the deployment. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4x6r-9v57-3gqw confirms the flaw and a fixed version (0.1.4) is available.

Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47405 PyPI HIGH PATCH GHSA This Week

Vertical privilege escalation in PraisonAI Platform versions 0.1.2 and earlier allows any authenticated low-privilege workspace member to self-promote to owner and take over the workspace. The flaw stems from administrative FastAPI routes reusing a shared authorization dependency that defaults to the lowest 'member' role, so role-mutation endpoints never enforce admin/owner checks. A working PoC is published in the GHSA-h37g-4h4p-9x97 advisory, though no public exploit identified at time of analysis in mass-exploitation form, and the issue is not currently in CISA KEV.

Privilege Escalation Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47399 PyPI HIGH PATCH GHSA This Week

Cross-workspace object access in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allows any authenticated workspace member to read, modify, and delete agents, projects, issues, and comments belonging to other workspaces by supplying the victim object's global UUID through their own workspace-scoped URL. The flaw stems from route-layer membership checks not being bound to service-layer object lookups, breaking tenant isolation in multi-tenant deployments. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis beyond the advisory's own demonstration.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47408 PyPI MEDIUM PATCH GHSA This Month

{workspace_id}/issues/{issue_id}/activity endpoint validates workspace membership but passes issue_id directly to an unscoped database query, returning actor identities, action types, and before/after field values from the details JSON blob for any issue UUID reachable by the attacker. No public exploit has been identified at time of analysis, but the vulnerability is source-inspection-verified via the GHSA-27p4-pjqv-whgj advisory.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48169 PyPI HIGH PATCH GHSA This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47393 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass in PraisonAI versions <= 4.6.39 allows remote unauthenticated attackers to invoke arbitrary LLM orchestration via the Flask API server generated by the documented `praisonai deploy --type api` quickstart. The generator defaults `auth_enabled=False`, causing `check_auth()` to short-circuit to `True` and accept any request to `/chat` and `/agents`, exposing the operator's LLM API keys and any agent-attached tools (python_repl, bash, file I/O, HTTP). Publicly available exploit code exists in the form of a working PoC, and CVSS scores this 9.8 critical.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47396 PyPI CRITICAL PATCH GHSA Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47233 PHP MEDIUM PATCH GHSA This Month

Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47231 PHP HIGH PATCH GHSA This Week

Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47230 PHP MEDIUM PATCH GHSA This Month

Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.

XSS PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47227 PHP MEDIUM PATCH GHSA This Month

Broken access control in Admidio's `modules/categories.php` allows any authenticated module-administrator to permanently delete, reorder, or rename category records belonging to modules they do not administer. An Announcements administrator, for example, can destroy Role categories, Event calendars, or Profile-field categories by supplying a foreign category UUID while passing their own authorized module type as the `type` GET parameter, bypassing a per-record authorization check that is permanently dead code. A detailed working proof-of-concept is publicly available, demonstrated on a fresh Admidio install; no public exploit identified at time of analysis as CISA KEV-confirmed active exploitation, but the CVSS 6.5 (PR:L, I:H) reflects real data-destruction risk in any Admidio deployment that delegates module-admin rights to non-superadmin users.

PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47226 PHP MEDIUM PATCH GHSA This Month

Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.

Docker PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47212 PHP MEDIUM PATCH GHSA This Month

Webhook signature verification is silently skipped in Symfony's Twilio Notifier bridge across symfony/symfony 6.4.x through 8.0.x and symfony/twilio-notifier, even when a signing secret is explicitly configured. TwilioRequestParser::doParse() accepts a secret parameter but contains no code that reads or uses it, meaning every inbound POST to the webhook endpoint is accepted unconditionally regardless of whether the X-Twilio-Signature HMAC header is present or valid. An attacker who can reach the endpoint URL can inject arbitrary forged Twilio status callbacks - fake delivered, failed, or undelivered events - to corrupt delivery metrics or trigger downstream automation. No public exploit code identified at time of analysis; vendor-released patches are available in 6.4.40, 7.4.12, and 8.0.12.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-47201 Go HIGH PATCH GHSA This Week

Authentication bypass in authentik's SAML Source ACS endpoint allows an attacker holding any account at a trusted upstream IdP to impersonate other federated users via XML Signature Wrapping (XSW). The flaw stems from the signature verifier not binding the validated signature to the assertion subsequently consumed for identity data, so a crafted response can present a legitimately signed assertion for signature checks while a separate forged assertion supplies the victim identifier. No public exploit identified at time of analysis, but the upstream commit (a370d76) and detailed XSW3-style test fixtures make the technique transparent to anyone reading the patch.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-47123 HIGH PATCH This Week

Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-48810 MEDIUM PATCH This Month

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48811 MEDIUM PATCH This Month

FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47122 MEDIUM GHSA This Month

UI spoofing via XPC authentication bypass in Sparkle 2.x (through 2.9.1) allows a local low-privileged attacker to inject forged appcast metadata into the update progress broadcast, causing any Sparkle-aware application to display attacker-controlled release notes, version strings, and critical-update flags. The attack exploits a post-stage-1 regression in the AppInstaller's Mach service authentication: once _performedStage1Installation is set, code-signing validation is silently dropped for new connections to the <bundleId>-spki service. Critically, installed code integrity is not compromised - only the UI metadata displayed to users is affected. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-46705 Cargo MEDIUM PATCH GHSA This Month

Authentication state leakage in the russh Rust SSH server library allows unauthenticated remote attackers to manipulate the authentication flow for one user by exploiting retained internal state from a prior authentication attempt made for a different user on the same connection. Versions >= 0.34.0-beta.1 and < 0.61.0 are affected. A publicly available proof-of-concept (provided in GHSA-hpv4-5h6f-wqr3) demonstrates that russh's connection-scoped AuthRequest state - including remaining methods list, partial_success, and in-progress method state - persists across (user, service) principal changes in violation of RFC 4252 section 5, enabling an attacker to observe or influence state that should be isolated to a different principal.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47266 PHP HIGH PATCH GHSA This Week

Unauthorized submission modification in Formie (Craft CMS plugin) versions prior to 2.2.21 and 3.1.26 allows remote unauthenticated attackers to overwrite existing form submissions by POSTing a known or guessed submission ID to the formie/submissions/save-submission endpoint. The flaw is an authorization bypass (CWE-639) that compromises integrity of stored submission data without requiring credentials. No public exploit identified at time of analysis, though the upstream fix and advisory are publicly disclosed on GitHub.

Authentication Bypass Formie
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-49386 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before 2026.1.13570 permits any authenticated low-privileged user to enumerate restricted issues and articles through the Planning Canvas feature, exposing confidential project data they are not authorized to view. Rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), the flaw allows user-controlled identifiers to bypass access restrictions without proper authorization checks. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49385 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.1.13570 permits any low-privileged authenticated user to modify service accounts, an administrative operation that should be restricted to privileged roles. Rooted in CWE-862 (Missing Authorization), the flaw is exploitable over the network with low complexity, requiring no user interaction - meaning any valid account holder on an exposed instance can tamper with service account configurations. No public exploit or CISA KEV listing has been identified at time of analysis, but the integrity impact is rated high given the sensitivity of service account access in YouTrack deployments.

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49378 MEDIUM PATCH This Month

Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49376 MEDIUM PATCH This Month

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49374 HIGH PATCH This Week

Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to due to missing authorization checks. The flaw carries a CVSS 7.6 score driven by high confidentiality impact on a network-reachable CI/CD server, though no public exploit identified at time of analysis. Because TeamCity build parameters frequently contain secrets such as deployment credentials, signing keys, and API tokens, the disclosure can cascade into broader compromise of downstream systems.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-49369 MEDIUM PATCH This Month

Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.

Information Disclosure Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49367 HIGH PATCH This Week

Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Intellij Idea
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-9051 CRITICAL Act Now

Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass Systemlink Enterprise
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-47740 PHP HIGH PATCH GHSA This Week

Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.

Authentication Bypass Shopper
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47742 PHP MEDIUM PATCH GHSA This Month

Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.

Authentication Bypass Shopper
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47745 PHP MEDIUM PATCH GHSA This Month

Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Shopper
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42929 HIGH PATCH CISA Act Now

Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers with adjacent-network access to log in using undocumented default accounts and gain high-impact access to confidentiality and integrity of recorded voyage data. The flaw was disclosed via CISA ICS-CERT advisory ICSA-26-148-01 and carries a CVSS v4.0 score of 8.7, with no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-47135 npm HIGH PATCH GHSA This Week

Sandbox escape in vm2 versions 3.11.2 and earlier (through 3.11.3) allows sandboxed JavaScript to obtain real Node.js cross-realm symbols and write them onto host objects, hijacking host-side control flow such as util.promisify, stream duck-typing, and WebStream internals. The flaw stems from an incomplete Symbol.for override that blocks only 2 of 9 dangerous nodejs.* symbols and from bridge write traps that lack the dangerous-symbol guard present on read traps. A working proof-of-concept hijacking util.promisify is published in the GHSA advisory, and a vendor patch (3.11.4) is available; no entry in CISA KEV at time of analysis.

Apple Node.js Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-47200 npm MEDIUM PATCH GHSA This Month

{ middleware })` auth checks. Affected are Nuxt 3.11.0-3.21.5 and Nuxt 4.0.0-alpha.1-4.4.5 when `experimental.componentIslands` is enabled and pages rely solely on route middleware for authorization - a pattern common in Nuxt 4 where componentIslands is on by default. A working proof-of-concept using a single curl command is published in the vendor advisory; no public exploit identified at time of analysis beyond the POC, and no CISA KEV listing exists. Vendor-released patches are available as nuxt@3.21.6 and nuxt@4.4.6.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-7786 CRITICAL CISA Emergency

Hardcoded administrative credentials in Jinan USR IOT (PUSR) USR-W610 RS232/485-to-Wi-Fi/Ethernet serial converter firmware allow remote unauthenticated attackers to gain full administrative control of affected industrial gateway devices. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against an OT/ICS device class typically deployed in serial-to-IP bridging roles, and no public exploit identified at time of analysis, though credential recovery via firmware extraction is straightforward for any researcher.

Authentication Bypass Usr W610 Rs232 485 To Wi Fi Ethernet Converter
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
Threat
4.0
CVE-2026-5768 HIGH PATCH CISA Act Now

Unauthenticated BLE access to the Fourth Frontier X2 wearable cardiac monitor allows attackers within radio range to read and write critical GATT characteristics without pairing, enabling control of device functions and injection of fabricated health telemetry. The companion Frontier X Android and iOS applications additionally fail to authenticate paired devices, letting an attacker impersonate a legitimate X2 and feed falsified heart rate, breathing rate, and strain data into a victim's mobile app. No public exploit identified at time of analysis, and the issue is tracked under CISA ICS-MA-26-148-01.

Authentication Bypass Frontier X Android Application Frontier X Ios Application Frontier X2
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43917 MEDIUM This Month

Missing organization-level authorization in Dokploy 0.19.0 and earlier allows authenticated users from one organization to access, modify, and delete resources belonging to other organizations on the same instance. The shared `protectedProcedure` middleware confirms session authentication but never validates that the requested resource belongs to the caller's active organization, exposing 22 endpoints spanning deployments, backups, volume operations, cluster management, and mounts to cross-organization abuse. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.

Authentication Bypass Dokploy
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35674 npm HIGH PATCH This Week

Scope bypass in OpenClaw versions prior to 2026.5.18 allows authenticated clients holding only the operator.write scope to invoke privileged Gateway commands via the chat.send route, escalating from limited operator access to full administrative control. Exploitation lets remote attackers mutate plugins, configuration, MCP settings, allowlists, and ACP rules that should require operator.approvals or operator.admin scopes. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.7 (high) and low attack complexity make this a serious privilege-escalation issue for any multi-tenant or delegated OpenClaw deployment.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35673 npm MEDIUM PATCH This Month

SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-35630 npm HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-34507 npm LOW PATCH Monitor

Policy bypass in OpenClaw's QQBot admin command handling allows authenticated low-privilege network users to circumvent DM-only and allowFrom authorization checks, routing restricted admin commands from unauthorized senders or contexts. Affected versions are all OpenClaw releases prior to 2026.4.29. The CVSS 4.0 score of 2.3 reflects limited confidentiality and integrity impact with no availability impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthorized chunking upload access in Nextcloud Server allows an authenticated share recipient to read temporary part files during another user's active file upload. Affecting versions 32.0.0-32.0.8 and 33.0.0-33.0.2, the flaw stems from the WebDAV chunking upload collection failing to restrict directory listing or GET requests on intermediate upload objects when accessed via a share token - a boundary the fix explicitly closes by blocking reads on FutureFile and UploadFile node types. No public exploit has been identified and no CISA KEV listing exists at time of analysis, but the high confidentiality impact (CVSS C:H) means sensitive in-transit file contents are fully exposed to any malicious share recipient who times access during an active upload.

Authentication Bypass Nextcloud Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicious ID4me authority to impersonate arbitrary users due to missing JWT signature verification in the ID4me login flow. The flaw stems from a literal 'TODO: VALIATE SIGNATURE!' code comment that left ID tokens accepted without cryptographic validation, enabling identity spoofing once a victim is redirected through the attacker-controlled authority. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Nextcloud
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

Nextcloud Server's Circles app exposes a missing access control check on the member-add API endpoint, allowing an authenticated user to add an arbitrary circle - identified only by its internal ID - as a member of another circle without verifying that the requesting user has any relationship to the target circle. Affected versions span 32.0.0-32.0.6 and 33.0.0, with Enterprise editions from 29.x through 31.x also impacted. Exploitation is severely constrained by the 62^15 entropy of circle IDs, making the vulnerability practically exploitable only when an attacker has obtained a valid circle ID through a separate information-disclosure path, at which point they could track or infer circle membership relationships. No public exploit exists and this is not listed in CISA KEV.

Authentication Bypass Nextcloud
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

Nextcloud Collectives versions 2.6.0 through 4.3.0 (exclusive) exposes deleted collective pages to unauthorized guests via a missing permission check in the public trash controller. Guests granted view-only access to a shared collective can bypass deletion-based access controls by directly querying trashbin endpoints, reading content that was intentionally removed. CVSS scores this at 2.6 (Low) with no public exploit identified at time of analysis and no CISA KEV listing, placing real-world priority at the lower end of the risk spectrum.

Authentication Bypass Nextcloud
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

PIN authentication bypass in the Nextcloud Files Android app (versions 33.0.0 through 33.0.x) allows a physically present attacker to circumvent the app's passcode lock screen by pressing the Android back button immediately after the host device is unlocked. The PassCodeActivity failed to intercept back-navigation events during PIN verification, granting direct file access without completing authentication. No public exploit identified at time of analysis and no CISA KEV listing; risk is tightly constrained by the physical access vector. Patched in version 33.1.0 via upstream PR #16896.

Google Authentication Bypass Nextcloud
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Rename permission bypass in Nextcloud's team folder (groupfolders) feature allows authenticated low-privileged users holding READ and CREATE permissions to rename files in team folders even when UPDATE permission is explicitly denied. Affecting Nextcloud versions 17.0.0 through 21.0.3, the flaw originates from a single-character bitwise operator error in ACLStorageWrapper.php - a `&` used instead of `|` when evaluating combined permission flags effectively nullifies the UPDATE permission check. No public exploit identified at time of analysis; vendor-released patches are available across all affected version branches.

Authentication Bypass Nextcloud
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in a4m4's Student-Management-System allows unauthenticated remote attackers to manipulate the `sid` parameter in `admin/deleteform.php` to delete student records without any credentials. All commits up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 are affected, and a proof-of-concept exploit has been publicly disclosed via the project's GitHub issue tracker. No patch is available; the maintainer has not responded to the responsible disclosure report, leaving all deployed instances exposed with no official remediation path.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the GeoDirectory WordPress plugin (through v2.8.157) permits unauthenticated remote attackers to invoke privileged plugin operations without any credential requirement, resulting in partial integrity and availability impact on directory listings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, network-accessible exploitation requiring no user interaction, reported by Patchstack under the 'Authentication Bypass' tag. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority patch tier for any WordPress deployment running a public-facing GeoDirectory instance.

Authentication Bypass Geodirectory
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Authentication bypass in the Advanced Access Manager (AAM) WordPress plugin through version 7.1.0 allows remote unauthenticated attackers to circumvent access controls via URL encoding manipulation, achieving high integrity impact on protected resources. The flaw is reported by Patchstack and tracked under CWE-290 (Authentication Bypass by Spoofing). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Advanced Access Manager
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Hydra Booking
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Broken access control in Tomdever's wpForo Forum WordPress plugin (versions up to and including 3.0.6) allows remote unauthenticated attackers to invoke restricted functionality due to missing authorization checks, leading to high integrity and availability impact on affected forums. The CVSS 9.1 score reflects network-reachable exploitation with no privileges or user interaction required, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as a broken access control flaw against the plugin.

Authentication Bypass
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Credential exposure in Kamsoft KS-SOMED medical software allowed remote unauthenticated attackers to authenticate to the FTP server hosting application update packages by extracting hard-coded credentials from the KSPLUPDFTP.exe and ANEKSKLIENT.EXE modules. While the vendor states the exposed credentials ultimately had only read-only access, the original threat model included an attacker uploading a malicious update file that would propagate to client machines as a legitimate update. No public exploit identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in WP Document Revisions WordPress plugin versions before 4.0.0 allows unauthenticated remote attackers to access protected documents due to broken access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N) indicates trivially exploitable confidentiality-only impact, and no public exploit identified at time of analysis, though Patchstack has cataloged the issue with a working proof reference.

Authentication Bypass Wp Document Revisions
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JWT authentication by manipulating the HTTP Host header, gaining unauthorized access to protected dashboard and API endpoints. The vulnerable isLocalRequest() function in dashboardGuard.js blindly trusted the client-supplied Host header to determine whether a request originated from localhost, enabling any network-reachable attacker to spoof local origin by sending Host: localhost. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patch v0.4.1 is available and confirmed.

Authentication Bypass 9Router
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read, modify, or delete issues belonging to other tenants by supplying a known issue UUID against their own workspace path. The issue CRUD endpoints validate workspace membership but never verify that the targeted issue actually belongs to that workspace, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the vulnerability is source-verified end-to-end with an upstream fix released as version 0.1.4.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read and inject comments on issues belonging to any other tenant in a multi-tenant deployment. The comment endpoints validate workspace membership but never verify that the URL-supplied issue_id actually belongs to that workspace, breaking tenant isolation. No public exploit identified at time of analysis, but source-code-level analysis confirms the gap end-to-end.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{workspace_id}/projects/{project_id} only verify membership in the URL-supplied workspace, then perform primary-key-only lookups against the Project table without scoping by workspace_id. No public exploit identified at time of analysis, and EPSS/KEV signals are not provided for this advisory.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary file read and remote code execution in Vitest versions prior to 4.1.0 allow remote unauthenticated attackers to read files outside the project directory on Windows and execute arbitrary scripts when the Vitest UI or Browser Mode API server is exposed to the network via the --api.host flag or api.host configuration option. The flaw stems from incorrect use of the deprecated isFileServingAllowed check, which can be bypassed using Windows-specific path syntax (\\?\\..\\), and is compounded by API features (saveTestFile + rerun, readFile/writeFile/saveSnapshotFile) that effectively grant script execution to anyone who can reach the API. Publicly available exploit code exists in the GHSA advisory PoC; no public exploit beyond that is identified at time of analysis.

Microsoft RCE Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-tenant data forgery in Nezha monitoring dashboard allows any authenticated low-privilege user with a valid agent secret to submit fabricated service-monitor TaskResult messages for services owned by other tenants. The dashboard's inbound result worker validates only that the referenced service ID exists, skipping the ownership and coverage checks enforced on the outbound dispatch path, so attackers can poison victim service history and trigger victim-owned notifications containing attacker-controlled text. A working local proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis in the wild, and the issue is not on CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote information disclosure in SourceCodester Pharmacy Sales and Inventory System 1.0 allows network-based attackers to bypass access controls and read sensitive sales statement data via the sell_statement function in application/controllers/ShowForm.php. The CVSS vector confirms PR:N (no authentication required) with low access complexity, and a proof-of-concept exploit has been publicly disclosed via GitHub. No KEV listing at time of analysis, but the combination of unauthenticated network access and available exploit code elevates practical risk beyond the moderate CVSS 5.3 score alone.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Hard-coded cryptographic secret in PDBM.exe (by Trac d.o.o.) enables authenticated local attackers to decrypt administrative credentials stored in the product's configuration file. The static secret, constant across all PDBM installations, is embedded directly in the application binary and is used as the key for the credential encryption routine. Because the affected version configures the stored account with full administrative privileges, a successful extraction yields unrestricted access to PDBM's management interface and all underlying operational functions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Pdbm
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH Monitor

Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Authentication Bypass Orca Heat Pump +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incomplete authorization in Apache ActiveMQ Broker allows authenticated low-privilege users to remove messaging destinations (queues and topics) beyond their granted permissions, causing targeted availability disruption to broker-connected producers and consumers. Affected versions span the 5.x line before 5.19.7 and the 6.x line from 6.0.0 before 6.2.6, covering ActiveMQ Broker and ActiveMQ All distributions. With an EPSS of 0.01% (3rd percentile), no CISA KEV listing, and no public exploit code identified, this is a low-urgency but genuine authorization control gap that is most relevant to environments with multiple untrusted authenticated broker accounts.

Apache Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Hardcoded credentials in Apache Solr 9.4.0 through 9.10.1 and 10.0.0 allow remote attackers to obtain full administrative access to clusters that bootstrapped Basic Authentication via the bin/solr auth enable tool. The setup script silently installs template accounts (superadmin, admin, search, index) with publicly known default passwords alongside the user-specified account, and no public exploit identified at time of analysis though the credentials are documented and trivially reusable.

Apache Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated information disclosure in SOPlanning version 1.55 and below allows remote attackers to download backup archives and configuration files directly from backup endpoints without any authentication, exposing the user database with password hashes and sensitive configuration data. The CVSS 4.0 score of 8.8 reflects high confidentiality impact over the network with no privileges or user interaction required, and no public exploit identified at time of analysis. Disclosure was coordinated through CERT.PL, indicating a vetted advisory rather than opportunistic discovery.

Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Remote unauthenticated access to multiple Admin Endpoints in code-projects Smart Parking System 1.0 allows attackers to bypass all authentication controls, gaining network-reachable read, write, and availability impact with no credentials or user interaction required. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation of a missing authentication gate - not a weak or bypassable one, but an entirely absent one across multiple admin functions. Publicly available exploit code exists per the E:P exploit maturity modifier and a referenced GitHub proof-of-concept repository, though no CISA KEV listing is present at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.

SQLi Authentication Bypass Otrs +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker to bypass authorization controls via the `auth` function in `internal/http/evolution_handlers.go`. The CVSS 4.0 score is 2.1 with limited integrity and availability impact and no confidentiality exposure. A public proof-of-concept exploit has been disclosed via a GitHub issue, though the project has not been confirmed as actively exploited in the wild per CISA KEV.

Authentication Bypass Goclaw
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate the session_id argument within the astr_main_agent function to access or control sessions belonging to other users. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the server fails to verify that the requesting user owns the supplied session_id. A publicly available exploit exists via GitHub gist, no vendor patch has been released, and the vendor did not respond to disclosure - elevating practical risk above what the CVSS 6.3 Medium score alone implies.

Authentication Bypass Astrbot
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions via the `_normalize_rw_path` function in `astrbot/core/tools/computer_tools/fs.py`, resulting in unauthorized read, write, or access to files outside the intended scope. The vulnerability stems from improper path normalization logic that fails to enforce access controls correctly, enabling authenticated users to escape sandboxed file boundaries. A public proof-of-concept exploit exists on GitHub, and the vendor was unresponsive to coordinated disclosure, leaving no official patch available at time of analysis.

Authentication Bypass Astrbot
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Authorization bypass in FlexRIC v2.0.0 allows a malicious xApp to delete subscriptions belonging to other xApps connected to the same iApp instance, breaking multi-tenant isolation in O-RAN deployments. The root cause is a self-comparison bug in eq_xapp_ric_gen_id() that ignores the xApp identity dimension entirely. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in FlexRIC v2.0.0 allows remote unauthenticated attackers to impersonate any xApp by forging the xapp_id field in E42 messages sent to the iApp on port 36422, since the value is not bound to the sender's SCTP association. Misrouted responses corrupt the red-black tree state and can crash the targeted xApp, the RIC, or the iApp itself. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 9th percentile) reflecting limited weaponization to date.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.

Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

{/, l, o, g} - rather than a literal prefix strip, causing the filename derived from the URL to diverge from the file actually served. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Python Apache Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the `/ui/structure/structure_data` endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the `ReadableDagsFilterDep` authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied `event_log_id` path parameter can reference log rows from unauthorized DAGs without triggering a rejection. No public exploit code exists and the issue is not listed in CISA KEV, but the attack is trivially executable by any authenticated Airflow user in a multi-tenant deployment.

Python Apache Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Missing certificate validation during SMTP STARTTLS negotiation in Apache Airflow 2.0.0 through 3.2.1 exposes email traffic to man-in-the-middle interception. Both the core email utility (airflow.utils.email.send_email) and the SMTP provider hook (SmtpHook.get_conn, SmtpHook.aget_conn) called starttls() without an SSL context, causing Python's smtplib to accept any server certificate unconditionally. An unauthenticated network-adjacent attacker who can intercept traffic between the Airflow instance and its configured SMTP relay can present a fraudulent TLS certificate, successfully complete the upgrade handshake, and read all outbound email content in cleartext. No public exploit identified at time of analysis and EPSS is 0.01%, but the impact class is high confidentiality loss per CVSS.

Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sensitive information disclosure in Apache Airflow versions prior to 3.2.2 exposes JWT authentication tokens via KubernetesExecutor command-line arguments, allowing low-privileged users with process listing access on worker pods to harvest credentials and impersonate workers against the Execution API. The flaw, addressed in PR #60108 alongside a redesign of workload/execution token lifetimes, carries a CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit has been identified at time of analysis and EPSS sits at 0.02%, suggesting limited mass-exploitation activity.

Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.

Open Redirect Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.

Authentication Bypass Apache Python
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

API authorization bypass in Apache Airflow 3.2.0 through versions before 3.2.2 allows authenticated users with access to one DAG to mutate TaskInstances belonging to other DAGs they should not control, via the bulk TaskInstances PUT/DELETE endpoints. The flaw stems from the bulk handler omitting per-DAG authorization checks, enabling cross-DAG state tampering with high integrity impact (CVSS 7.5, vector AV:N/AC:L/PR:N/UI:N/I:H). No public exploit identified at time of analysis and EPSS probability is low at 0.01%.

Apache Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.

WordPress Authentication Bypass Advanced Custom Fields
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Authentication bypass in Open5GS versions up to 2.7.6 allows remote attackers to manipulate UE security capabilities through the AMF's NGAP PathSwitchRequest message handler in src/amf/ngap-handler.c. The flaw stems from the AMF blindly overwriting locally stored UE 5G security capabilities with values received from a target gNB during a path switch, violating 3GPP TS 33.501 6.7.3.1, and publicly available exploit code exists though no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control in TaleLin lin-cms-spring-boot through version 0.2.1 allows authenticated remote attackers to bypass authorization enforcement on the book API endpoint, gaining unauthorized read, write, and functional access to book resources. The flaw is rooted in BookController.java and tagged as an authentication bypass, suggesting privilege escalation beyond what the standard CVSS PR:L signal alone implies. A publicly available exploit exists via GitHub issue #336, no vendor patch has been released, and the maintainer has not responded to responsible disclosure - conditions that collectively elevate operational urgency despite the medium CVSS score of 6.3.

Java Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Authentication Bypass +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-workspace label tampering in praisonai-platform <=0.1.2 lets any authenticated workspace member rewrite, delete, attach, detach, and enumerate labels belonging to other tenants because five label endpoints only check workspace membership and never verify that the URL-supplied label_id or issue_id actually belongs to that workspace. Reported by the upstream MervinPraison/PraisonAI project with a fix in 0.1.4; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform (<=0.1.2) allows any authenticated workspace member to read, create, and delete issue dependencies belonging to foreign workspaces by supplying arbitrary issue UUIDs in URL paths and request bodies. The dependency endpoints only enforce membership on the URL workspace_id while passing unvalidated issue and dependency identifiers to DependencyService, enabling cross-tenant linking of issues across any two workspaces in the deployment. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4x6r-9v57-3gqw confirms the flaw and a fixed version (0.1.4) is available.

Python Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Vertical privilege escalation in PraisonAI Platform versions 0.1.2 and earlier allows any authenticated low-privilege workspace member to self-promote to owner and take over the workspace. The flaw stems from administrative FastAPI routes reusing a shared authorization dependency that defaults to the lowest 'member' role, so role-mutation endpoints never enforce admin/owner checks. A working PoC is published in the GHSA-h37g-4h4p-9x97 advisory, though no public exploit identified at time of analysis in mass-exploitation form, and the issue is not currently in CISA KEV.

Privilege Escalation Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-workspace object access in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allows any authenticated workspace member to read, modify, and delete agents, projects, issues, and comments belonging to other workspaces by supplying the victim object's global UUID through their own workspace-scoped URL. The flaw stems from route-layer membership checks not being bound to service-layer object lookups, breaking tenant isolation in multi-tenant deployments. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis beyond the advisory's own demonstration.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{workspace_id}/issues/{issue_id}/activity endpoint validates workspace membership but passes issue_id directly to an unscoped database query, returning actor identities, action types, and before/after field values from the details JSON blob for any issue UUID reachable by the attacker. No public exploit has been identified at time of analysis, but the vulnerability is source-inspection-verified via the GHSA-27p4-pjqv-whgj advisory.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in PraisonAI versions <= 4.6.39 allows remote unauthenticated attackers to invoke arbitrary LLM orchestration via the Flask API server generated by the documented `praisonai deploy --type api` quickstart. The generator defaults `auth_enabled=False`, causing `check_auth()` to short-circuit to `True` and accept any request to `/chat` and `/agents`, exposing the operator's LLM API keys and any agent-attached tools (python_repl, bash, file I/O, HTTP). Publicly available exploit code exists in the form of a working PoC, and CVSS scores this 9.8 critical.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.

PHP CSRF Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.

PHP CSRF Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.

XSS PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken access control in Admidio's `modules/categories.php` allows any authenticated module-administrator to permanently delete, reorder, or rename category records belonging to modules they do not administer. An Announcements administrator, for example, can destroy Role categories, Event calendars, or Profile-field categories by supplying a foreign category UUID while passing their own authorized module type as the `type` GET parameter, bypassing a per-record authorization check that is permanently dead code. A detailed working proof-of-concept is publicly available, demonstrated on a fresh Admidio install; no public exploit identified at time of analysis as CISA KEV-confirmed active exploitation, but the CVSS 6.5 (PR:L, I:H) reflects real data-destruction risk in any Admidio deployment that delegates module-admin rights to non-superadmin users.

PHP CSRF Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.

Docker PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Webhook signature verification is silently skipped in Symfony's Twilio Notifier bridge across symfony/symfony 6.4.x through 8.0.x and symfony/twilio-notifier, even when a signing secret is explicitly configured. TwilioRequestParser::doParse() accepts a secret parameter but contains no code that reads or uses it, meaning every inbound POST to the webhook endpoint is accepted unconditionally regardless of whether the X-Twilio-Signature HMAC header is present or valid. An attacker who can reach the endpoint URL can inject arbitrary forged Twilio status callbacks - fake delivered, failed, or undelivered events - to corrupt delivery metrics or trigger downstream automation. No public exploit code identified at time of analysis; vendor-released patches are available in 6.4.40, 7.4.12, and 8.0.12.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authentication bypass in authentik's SAML Source ACS endpoint allows an attacker holding any account at a trusted upstream IdP to impersonate other federated users via XML Signature Wrapping (XSW). The flaw stems from the signature verifier not binding the validated signature to the assertion subsequently consumed for identity data, so a crafted response can present a legitimately signed assertion for signature checks while a separate forged assertion supplies the victim identifier. No public exploit identified at time of analysis, but the upstream commit (a370d76) and detailed XSW3-style test fixtures make the technique transparent to anyone reading the patch.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

UI spoofing via XPC authentication bypass in Sparkle 2.x (through 2.9.1) allows a local low-privileged attacker to inject forged appcast metadata into the update progress broadcast, causing any Sparkle-aware application to display attacker-controlled release notes, version strings, and critical-update flags. The attack exploits a post-stage-1 regression in the AppInstaller's Mach service authentication: once _performedStage1Installation is set, code-signing validation is silently dropped for new connections to the <bundleId>-spki service. Critically, installed code integrity is not compromised - only the UI metadata displayed to users is affected. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authentication state leakage in the russh Rust SSH server library allows unauthenticated remote attackers to manipulate the authentication flow for one user by exploiting retained internal state from a prior authentication attempt made for a different user on the same connection. Versions >= 0.34.0-beta.1 and < 0.61.0 are affected. A publicly available proof-of-concept (provided in GHSA-hpv4-5h6f-wqr3) demonstrates that russh's connection-scoped AuthRequest state - including remaining methods list, partial_success, and in-progress method state - persists across (user, service) principal changes in violation of RFC 4252 section 5, enabling an attacker to observe or influence state that should be isolated to a different principal.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthorized submission modification in Formie (Craft CMS plugin) versions prior to 2.2.21 and 3.1.26 allows remote unauthenticated attackers to overwrite existing form submissions by POSTing a known or guessed submission ID to the formie/submissions/save-submission endpoint. The flaw is an authorization bypass (CWE-639) that compromises integrity of stored submission data without requiring credentials. No public exploit identified at time of analysis, though the upstream fix and advisory are publicly disclosed on GitHub.

Authentication Bypass Formie
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before 2026.1.13570 permits any authenticated low-privileged user to enumerate restricted issues and articles through the Planning Canvas feature, exposing confidential project data they are not authorized to view. Rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), the flaw allows user-controlled identifiers to bypass access restrictions without proper authorization checks. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.1.13570 permits any low-privileged authenticated user to modify service accounts, an administrative operation that should be restricted to privileged roles. Rooted in CWE-862 (Missing Authorization), the flaw is exploitable over the network with low complexity, requiring no user interaction - meaning any valid account holder on an exposed instance can tamper with service account configurations. No public exploit or CISA KEV listing has been identified at time of analysis, but the integrity impact is rated high given the sensitivity of service account access in YouTrack deployments.

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote attackers to bypass authentication controls and gain unauthorized access to CI/CD resources. The flaw (CWE-863, Incorrect Authorization) permits manipulation of the username field within SAML assertions, potentially enabling impersonation of legitimate users and unauthorized read/write access to build configurations and pipeline data. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to due to missing authorization checks. The flaw carries a CVSS 7.6 score driven by high confidentiality impact on a network-reachable CI/CD server, though no public exploit identified at time of analysis. Because TeamCity build parameters frequently contain secrets such as deployment credentials, signing keys, and API tokens, the disclosure can cascade into broader compromise of downstream systems.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.

Information Disclosure Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Intellij Idea
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.

Authentication Bypass Shopper
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.

Authentication Bypass Shopper
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Shopper
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH Act Now

Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers with adjacent-network access to log in using undocumented default accounts and gain high-impact access to confidentiality and integrity of recorded voyage data. The flaw was disclosed via CISA ICS-CERT advisory ICSA-26-148-01 and carries a CVSS v4.0 score of 8.7, with no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Sandbox escape in vm2 versions 3.11.2 and earlier (through 3.11.3) allows sandboxed JavaScript to obtain real Node.js cross-realm symbols and write them onto host objects, hijacking host-side control flow such as util.promisify, stream duck-typing, and WebStream internals. The flaw stems from an incomplete Symbol.for override that blocks only 2 of 9 dangerous nodejs.* symbols and from bridge write traps that lack the dangerous-symbol guard present on read traps. A working proof-of-concept hijacking util.promisify is published in the GHSA advisory, and a vendor patch (3.11.4) is available; no entry in CISA KEV at time of analysis.

Apple Node.js Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

{ middleware })` auth checks. Affected are Nuxt 3.11.0-3.21.5 and Nuxt 4.0.0-alpha.1-4.4.5 when `experimental.componentIslands` is enabled and pages rely solely on route middleware for authorization - a pattern common in Nuxt 4 where componentIslands is on by default. A working proof-of-concept using a single curl command is published in the vendor advisory; no public exploit identified at time of analysis beyond the POC, and no CISA KEV listing exists. Vendor-released patches are available as nuxt@3.21.6 and nuxt@4.4.6.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% 4.0 CVSS 9.8
CRITICAL Emergency

Hardcoded administrative credentials in Jinan USR IOT (PUSR) USR-W610 RS232/485-to-Wi-Fi/Ethernet serial converter firmware allow remote unauthenticated attackers to gain full administrative control of affected industrial gateway devices. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against an OT/ICS device class typically deployed in serial-to-IP bridging roles, and no public exploit identified at time of analysis, though credential recovery via firmware extraction is straightforward for any researcher.

Authentication Bypass Usr W610 Rs232 485 To Wi Fi Ethernet Converter
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Act Now

Unauthenticated BLE access to the Fourth Frontier X2 wearable cardiac monitor allows attackers within radio range to read and write critical GATT characteristics without pairing, enabling control of device functions and injection of fabricated health telemetry. The companion Frontier X Android and iOS applications additionally fail to authenticate paired devices, letting an attacker impersonate a legitimate X2 and feed falsified heart rate, breathing rate, and strain data into a victim's mobile app. No public exploit identified at time of analysis, and the issue is tracked under CISA ICS-MA-26-148-01.

Authentication Bypass Frontier X Android Application Frontier X Ios Application +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing organization-level authorization in Dokploy 0.19.0 and earlier allows authenticated users from one organization to access, modify, and delete resources belonging to other organizations on the same instance. The shared `protectedProcedure` middleware confirms session authentication but never validates that the requested resource belongs to the caller's active organization, exposing 22 endpoints spanning deployments, backups, volume operations, cluster management, and mounts to cross-organization abuse. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.

Authentication Bypass Dokploy
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Scope bypass in OpenClaw versions prior to 2026.5.18 allows authenticated clients holding only the operator.write scope to invoke privileged Gateway commands via the chat.send route, escalating from limited operator access to full administrative control. Exploitation lets remote attackers mutate plugins, configuration, MCP settings, allowlists, and ACP rules that should require operator.approvals or operator.admin scopes. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.7 (high) and low attack complexity make this a serious privilege-escalation issue for any multi-tenant or delegated OpenClaw deployment.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Policy bypass in OpenClaw's QQBot admin command handling allows authenticated low-privilege network users to circumvent DM-only and allowFrom authorization checks, routing restricted admin commands from unauthorized senders or contexts. Affected versions are all OpenClaw releases prior to 2026.4.29. The CVSS 4.0 score of 2.3 reflects limited confidentiality and integrity impact with no availability impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
Prev Page 30 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy