Skip to main content

Authentication Bypass

31275 CVEs technique

Monthly

CVE-2026-33834 HIGH PATCH Exploit Unlikely This Week

Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33117 Maven CRITICAL PATCH GHSA Act Now

Authentication bypass in Microsoft Azure SDK for Java allows remote unauthenticated attackers to circumvent security controls over the network without user interaction. The vulnerability exposes confidentiality and integrity of Azure services to unauthorized access, with confirmed vendor patch available. CVSS 9.1 reflects critical network-based exploitation against default configurations, though no active exploitation (CISA KEV) or public POC has been identified at time of analysis.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44277 CRITICAL NEWS Act Now

Critical unauthenticated access control bypass in Fortinet FortiAuthenticator versions 6.5.0-6.5.6, 6.6.0-6.6.8, 8.0.0, and 8.0.2 enables remote code execution without authentication. The CVSS score of 9.8 with AV:N/AC:L/PR:N/UI:N indicates trivial remote exploitation against default configurations. While the vendor advisory (FG-IR-26-128) confirms this vulnerability, the incomplete description placeholder ('<insert attack vector here>') suggests the advisory may contain additional details not yet published in CVE records. No public exploit code or active exploitation confirmed at time of analysis, though the authentication bypass nature and maximum CVSS scores make this a priority patching target for organizations running FortiAuthenticator.

Authentication Bypass Fortinet
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26083 CRITICAL NEWS Act Now

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.

Authentication Bypass Fortinet Fortisandbox Cloud Fortisandbox Fortisandbox Paas
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-44343 CRITICAL PATCH Act Now

WGDashboard is a dashboard for WireGuard VPN. Prior to 4.3.2, there are critical vulnerabilities affecting WGDashboard that, if exploited, could allow unauthorized parties to access the host file system without authentication. This vulnerability is fixed in 4.3.2.

Authentication Bypass Wgdashboard
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-20887 HIGH This Week

Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Authentication Bypass Denial Of Service Intel RCE
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-40300 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.

Authentication Bypass Zulip
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-25431 MEDIUM This Month

WPMU DEV Hustle plugin versions through 7.8.10.1 allow unauthenticated remote attackers to modify sensitive data via missing authorization controls on access-restricted functionality. The vulnerability exploits incorrectly configured access control security levels, enabling attackers to bypass authentication mechanisms without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Hustle
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42074 npm CRITICAL PATCH GHSA Act Now

Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).

Kubernetes Information Disclosure Authentication Bypass Python RCE +2
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-8407 MEDIUM This Month

Missing authorization in the PAM module of Devolutions Server allows authenticated users with a PAM license to retrieve OTP secret keys and recovery codes without additional permissions, leading to account compromise through crafted API requests. Affected versions include Devolutions Server 2025.3.16.0 and earlier, plus 2026.1.6.0 through 2026.1.11.0. No public exploit code or active exploitation has been identified; however, the low CVSS score and minimal EPSS percentile suggest limited real-world attack incentive despite the confidentiality impact.

Authentication Bypass Server
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-43515 Maven CRITICAL PATCH GHSA Act Now

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Authentication Bypass Apache Tomcat Suse Red Hat
NVD VulDB HeroDevs
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43512 Maven CRITICAL PATCH GHSA Act Now

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Authentication Bypass Apache Tomcat Suse Red Hat
NVD VulDB HeroDevs
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30805 CRITICAL Act Now

Authentication bypass in Pandora FMS versions 777-800 allows remote attackers to gain unauthorized API access via insecure default resource initialization. The vulnerability stems from CWE-1188 (default credentials or configuration), enabling attackers to bypass authentication mechanisms and access the API with high confidentiality and integrity impact. CVSS 4.0 scores this at 9.1 CRITICAL due to network attack vector requiring no privileges or user interaction, though attack complexity is high and specific timing conditions apply (AT:P). No CISA KEV listing or public POC identified at time of analysis, suggesting exploitation requires vendor-specific knowledge of the insecure defaults.

Authentication Bypass Pandora Fms
NVD
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-45089 Go HIGH PATCH GHSA This Week

Arbitrary file creation and corruption in dalfox v2 REST API server mode allows unauthenticated remote attackers to write log-formatted data to any filesystem path accessible to the dalfox process. The server exposes output, output-all, and debug JSON fields from the API request directly to the logger's file-write path without validation, and the default configuration omits API key authentication entirely. The vulnerability is fixed in dalfox v2.13.0, released 2025-01-20, which strips all filesystem-dangerous fields from API-sourced requests before passing them to the scan engine. GitHub advisory GHSA-8hf9-3q64-q2qf confirms the issue; no public exploit code is identified at time of analysis, and CISA KEV does not list this CVE.

Authentication Bypass File Upload
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-45088 Go HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read in dalfox REST API server mode allows remote attackers to exfiltrate sensitive files from the host filesystem. The vulnerability chains two flaws: missing authentication middleware when no API key is set (default configuration), and unsanitized deserialization of the `custom-payload-file` JSON parameter directly into the scan engine. Remote attackers can supply any file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, cloud credential files) and the engine reads each line, embeds it as an XSS payload, and transmits it to an attacker-controlled HTTP endpoint via dalfox's own scan traffic. No exploit code is publicly identified at time of analysis; vendor-released patch available in version 2.13.0.

Authentication Bypass XSS Privilege Escalation
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45087 Go CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).

Denial Of Service Command Injection Authentication Bypass XSS RCE +1
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-43983 HIGH POC PATCH This Week

Pocket ID OIDC provider fails to validate user authorization state during refresh token exchange, allowing revoked, disabled, or unauthorized users to obtain fresh access tokens indefinitely. Affects all versions prior to 2.6.0. Publicly available exploit code exists via GitHub security advisory GHSA-w6p7-2fxx-4f44. Attack requires low privileges and user interaction (CVSS 8.5) but enables persistent unauthorized access even after administrative revocation actions. Fixed in version 2.6.0.

Authentication Bypass Pocket Id
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5061 MEDIUM PATCH This Month

Sandbox path bypass in consul-template before 0.42.0 allows local authenticated users to read files outside the intended sandbox via symlink attack in the file template helper. The vulnerability requires local access and elevated privileges but grants high confidentiality impact. Vendor-released patch available in version 0.42.0.

Authentication Bypass Tooling
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-40020 LOW PATCH Monitor

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_allow_anyone configuration setting and inject the anyone permission into dovecot-acl files, enabling spam of mailbox folders to all users. The vulnerability requires authentication and elevated complexity conditions (CVSS 3.1), and no public exploits are known at the time of analysis.

Authentication Bypass Ox Dovecot Pro
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-6865 HIGH CISA This Week

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.

Authentication Bypass Path Traversal Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller Saitel Dp Remote Terminal Unit Controller
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-4827 HIGH CISA This Week

Weak session token generation in Schneider Electric industrial protection relays and energy management systems allows remote attackers to hijack authenticated user sessions via network-based prediction attacks. Affects 36 product variants across Easergy MiCOM P30/P40/C264, PowerLogic P5/P7/T-series, EcoStruxure Power Automation/Operation platforms, and iPMFLS systems. CVSS 8.7 reflects high confidentiality and integrity impact with user interaction required. No active exploitation confirmed (not in CISA KEV), but authentication bypass via session prediction enables privilege escalation in critical infrastructure environments. EPSS data not provided - risk assessment relies on CVSS vector and operational technology context.

Authentication Bypass Easergy Micom C264 Easergy C5 Easergy Micom P30 Easergy Micom P40 +10
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-45212 MEDIUM This Month

Unauthenticated remote attackers can trigger a denial-of-service condition against Asset CleanUp: Page Speed Booster (WordPress plugin) versions up to 1.4.0.3 by exploiting missing authorization controls that incorrectly configure access restrictions. The vulnerability allows attackers to perform actions intended for authenticated administrators without proper authentication, resulting in availability impact through the ability to modify or disable asset optimization features.

Authentication Bypass Asset Cleanup
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45210 MEDIUM This Month

Missing authorization in Broadstreet Ads WordPress plugin through version 1.52.2 allows authenticated users to bypass access controls and modify data, resulting in integrity and availability impact. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before executing sensitive operations. Exploitation requires valid user authentication but no special configuration or interaction.

Authentication Bypass Broadstreet Ads
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2465 HIGH PATCH This Week

Privilege escalation in Turboard FOR-S allows remote unauthenticated attackers to gain elevated access by exploiting incorrect authorization checks, requiring only user interaction. The vulnerability affects versions 7.01.2026 through 17.02.2026, with fix available in version 18.02.2026. Turkish national CERT (TR-CERT) reported this authorization bypass vulnerability (CWE-863), which enables attackers to compromise confidentiality, integrity, and availability of the affected business intelligence platform.

Authentication Bypass Privilege Escalation Turboard For S
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6001 HIGH This Week

Authorization bypass in BAPSİS web application enables unauthenticated remote attackers to exploit trusted identifiers through user-controlled keys when victims interact with crafted requests. ABIS Technology's BAPSİS platform (versions before v.202604152042) contains a CWE-639 flaw where authorization checks rely on client-controlled key values, allowing attackers to manipulate trust relationships and gain unauthorized access with high impact to confidentiality, integrity, and availability. TR-CERT published advisory but no public exploit code identified at time of analysis, with CVSS 8.8 reflecting network-exploitable attack requiring only user interaction.

Authentication Bypass Bapsi S
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5029 HIGH This Week

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.

Authentication Bypass RCE Code Runner Mcp Server
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-1934 MEDIUM This Month

Authenticated users with Subscriber-level access can bypass PayPal payment verification in the Motors - Car Dealership & Classified Listings WordPress plugin (versions up to 1.4.103) by directly modifying their stm_payment_status user meta field to 'completed', gaining access to paid Dealer membership features without completing any transaction. The vulnerability exists in the stm_save_user_extra_fields() function, which fails to validate permission for sensitive meta field modifications during profile updates. While CVSS 4.3 reflects low severity, the integrity impact is direct-payment systems are completely circumvented for any authenticated user.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33893 HIGH CISA Act Now

Hardcoded cryptographic keys in Siemens Teamcenter PLM software enable remote attackers to bypass authentication and gain unauthorized access to confidential product lifecycle management data. The vulnerability affects multiple Teamcenter versions (V2312, V2406, V2412, V2506, V2512) and is remotely exploitable without authentication (CVSS:4.0 AV:N/AC:L/PR:N). While no active exploitation or public POC has been identified at time of analysis, the straightforward nature of hardcoded credential extraction (AC:L) combined with the criticality of Teamcenter as an enterprise PLM platform housing intellectual property makes this a high-priority remediation target for manufacturing and engineering organizations.

Authentication Bypass Teamcenter V2312 Teamcenter V2406 Teamcenter V2412 Teamcenter V2506 +1
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-27662 HIGH CISA This Week

Local unauthenticated attackers can access the web browser on Siemens SIMATIC HMI Unified Comfort and Comfort Pro panels (all models <V21) via the Control Panel when security mechanisms are not configured. The CVSS v4.0 score of 7.0 reflects high integrity and availability impact (VI:H/VA:H) with local attack vector (AV:L), low complexity (AC:L), and no authentication required (PR:N). The vulnerability is classified as CWE-1188 (Initialization of a Resource with an Insecure Default) and tagged as Authentication Bypass. No public exploit or active exploitation confirmed at time of analysis, but the local access requirement and lack of default protections significantly lower the attack bar in environments where physical or local system access is feasible, such as industrial control settings.

Authentication Bypass Simatic Hmi Mtp1000 Unified Comfort Panel Simatic Hmi Mtp1000 Unified Comfort Panel Hygienic Simatic Hmi Mtp1000 Unified Comfort Panel Hygienic Neutral Design Simatic Hmi Mtp1000 Unified Comfort Panel Neutral +46
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-22924 HIGH CISA Act Now

Remote unauthenticated attackers can exhaust resources and bypass authentication controls in Siemens SIMATIC CN 4100 versions before V5.0, enabling denial of service conditions and unauthorized actions that compromise system availability and integrity. The vulnerability stems from improper connection validation (CWE-306), allowing network-based exploitation without any user interaction or privileges. Siemens has released V5.0 to address this flaw, documented in security advisory SSA-032379.

Authentication Bypass Denial Of Service Simatic Cn 4100
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-40946 HIGH CISA This Week

Predictable Technical Service credentials derived from CRC16-based algorithm and device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Remote adjacent network attackers without authentication can calculate valid service credentials from publicly-observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy TL3/NX3/NH3 first-generation models remain unpatched with no vendor-provided fix versions.

Authentication Bypass Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 Blueplanet 105 Tl3 Blueplanet 105 Tl3 Gen2 +26
NVD VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-39432 HIGH This Week

Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.

Authentication Bypass Timetics
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5693 MEDIUM This Month

Unauthenticated attackers can cancel arbitrary bookings in the Smart Appointment & Booking WordPress plugin versions up to 1.0.8 due to a logic flaw in nonce validation that uses AND instead of OR, combined with a missing capability check in the saab_cancel_booking() function. By supplying any value for the security parameter and a predictable booking ID, attackers can modify or delete booking records without authentication or user interaction.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4663 MEDIUM This Month

Unauthenticated attackers can modify critical payment gateway settings in the iPOSpays Gateways WC WordPress plugin through an exposed REST API endpoint lacking authorization checks, enabling them to overwrite live API keys, secret keys, and payment tokens. Affected versions up to 1.3.7 permit unrestricted access to the /wp-json/ipospays/v1/save_settings endpoint due to a permission_callback set to '__return_true' with no nonce verification, allowing complete compromise of payment processing credentials without authentication. This is a high-integrity attack vector against e-commerce sites using the plugin.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-6709 MEDIUM This Month

Authenticated attackers with Subscriber-level WordPress access can overwrite the Coinbase Commerce API key in versions up to 1.1.2 of the Coinbase Commerce for Contact Form 7 WordPress plugin due to missing capability checks and nonce verification in the save_settings() function. The vulnerability allows privilege escalation and potential compromise of payment processing by replacing the legitimate API key with an attacker-controlled value via a crafted POST request to /wp-admin/admin-post, affecting all WordPress sites running this plugin with that version or earlier.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7050 MEDIUM This Month

Forms Rb plugin for WordPress versions up to 1.1.9 contains an authorization bypass vulnerability allowing authenticated contributors and above to read, modify, and delete form submission records and configuration belonging to forms they do not own. The vulnerability stems from insufficient authorization checks in API endpoints (CWE-862), affecting all installations with the plugin active. CVSS score of 4.3 reflects low attack complexity and network accessibility, though impact is limited to integrity and information disclosure within WordPress administrative contexts.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6663 MEDIUM This Month

Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass PHP RCE WordPress
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-4301 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify arbitrary WordPress post content, metadata, author assignment, and post type through missing authorization checks in the Rate Star Review Vote AJAX handler, allowing full post content takeover via the 'rating_id' parameter when the 'form' parameter is set to 'update'. The vulnerability affects all versions up to 1.6.4 and requires only basic user authentication (not administrator privileges), making it exploitable by any registered site user.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6708 MEDIUM This Month

Unauthenticated attackers can delete any classroom record in the HEL Online Classroom WordPress plugin (versions up to 1.0.3) via a REST API endpoint that bypasses all WordPress authentication checks through a permission_callback set to '__return_true', resulting in permanent data loss. The vulnerability affects the plugin's core functionality and requires only network access with no user interaction, though the CVSS score of 5.3 reflects limited confidentiality impact (integrity modification only, no information disclosure).

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7255 MEDIUM Monitor

Brute-force password attacks against the web management interface of Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 succeed due to improper rate-limiting on authentication attempts, allowing adjacent LAN attackers to bypass authentication and gain administrative access without requiring valid credentials. The vulnerability affects a legacy wireless range extender model marked as end-of-life by Zyxel, with CVSS 6.5 reflecting high confidentiality impact but local network scope.

Authentication Bypass Zyxel
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40134 MEDIUM This Month

Insufficient authorization checks in SAP Incentive and Commission Management allow authenticated users to invoke remote-enabled function modules and perform unauthorized table update operations, compromising data integrity. The vulnerability requires valid user credentials and network access but has limited scope - no confidentiality or availability impact. CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact; no active exploitation or public POC identified at analysis time.

Authentication Bypass SAP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40133 MEDIUM This Month

Missing authorization checks in SAP S/4HANA Condition Maintenance allow authenticated attackers to view and modify condition table records they should not have access to, compromising data confidentiality and integrity while potentially denying legitimate users access to those same records. The vulnerability requires valid user credentials but affects all versions of the affected module, with CVSS 6.3 reflecting its multi-faceted impact across three security dimensions.

Authentication Bypass SAP
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-40132 MEDIUM This Month

Missing authorization checks in SAP Strategic Enterprise Management's Scorecard Wizard (Business Server Pages application) allow authenticated users to access restricted information and modify risk evaluation settings without proper authorization. An attacker with valid credentials can view confidential data and alter default configuration values, artificially reducing assessed risk levels to deceive risk assessment processes. No patch availability or active exploitation has been confirmed.

Authentication Bypass SAP
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34260 CRITICAL NEWS Act Now

SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications.

Authentication Bypass SQLi SAP
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-31240 PyPI HIGH GHSA This Week

Unauthenticated remote attackers can modify or delete arbitrary memory records in mem0 1.0.0 server by directly calling unprotected API endpoints including PUT /memories/{memory_id}. The vulnerability stems from complete absence of authentication and authorization controls on critical memory management functions, allowing data manipulation and loss without any verification of requester identity. EPSS score of 0.06% (18th percentile) indicates low exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2023-30059 MEDIUM This Month

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-31242 CRITICAL Act Now

Unauthenticated remote attackers can completely destroy the mem0 v1.0.0 memory database by sending a DELETE request to the /memories endpoint, which executes DROP TABLE SQL statements without authentication or authorization checks. This causes irreversible data loss and total service denial for all users. EPSS score of 0.03% suggests low observed exploitation probability despite the CVSS 9.1 critical rating, likely due to mem0's limited deployment footprint. No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis, but SSVC indicates the vulnerability is automatable with a single HTTP request.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-31241 PyPI MEDIUM This Month

mem0 1.0.0 server exposes an unauthenticated memory deletion API endpoint (DELETE /memories) that allows remote attackers to delete arbitrary user memory records by specifying user identifiers in query parameters, resulting in unauthorized data loss and denial of service. No authentication or authorization validation is performed before processing deletion requests, enabling any network-accessible attacker to target any user's data without credentials.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-43914 HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.

Authentication Bypass Oracle
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-43913 HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.

Authentication Bypass Hashicorp
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43912 HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.

Authentication Bypass Hashicorp
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-43899 CRITICAL PATCH Act Now

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass (RCE). While the patch correctly restricted api.openExternal() inside the renderer's preload/index.ts script, it structurally neglected to sanitize native Electron pop-up window handlers. An attacker or a compromised AI endpoint returning a Markdown link can trigger a target="_blank" native window interception in tabPresenter.ts, which forwards the malicious URL directly to shell.openExternal(url) and completely bypasses the isValidExternalUrl security boundary. This vulnerability is fixed in v1.0.4-beta.1.

Authentication Bypass Deepchat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-43889 MEDIUM PATCH This Month

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each-skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.

Authentication Bypass Outline
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-43890 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() - it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.

Authentication Bypass Outline
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-28957 LOW PATCH Monitor

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

Authentication Bypass Apple
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-43652 HIGH PATCH This Week

macOS Tahoe allows applications to access protected user data due to insufficient permission enforcement on system APIs. The vulnerability affects all macOS versions prior to 26.5 and is tagged as an authentication bypass, indicating apps can circumvent permission prompts or system restrictions to read sensitive data without user consent. While not yet actively exploited (EPSS 0.01%, no CISA KEV listing), the CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the local application context described, suggesting potential network-accessible component or misclassified attack vector requiring vendor clarification.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28873 HIGH PATCH This Week

Apps on iOS and iPadOS can bypass App Privacy Report logging due to insufficient entitlement checks, allowing malicious applications to conceal their privacy-invasive activities from users. Fixed in iOS/iPadOS 18.7.9 and 26.4. The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the actual attack requirements, as exploitation requires a malicious app already installed on the device, not remote network access. Despite the 7.5 CVSS score, EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation is confirmed, and no public exploit code identified at time of analysis.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28993 MEDIUM PATCH This Month

Local authenticated apps bypass user consent mechanisms to access sensitive user data across iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. The vulnerability allows malicious or compromised applications running with standard user privileges to exfiltrate protected information without triggering the expected permission prompts. Apple has patched this by implementing an additional consent verification layer, though the low EPSS score (0.02%) suggests real-world exploitation remains limited.

Authentication Bypass Apple Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-28930 HIGH PATCH This Week

Insufficient permission enforcement in macOS Tahoe prior to 26.5 allows applications to bypass access controls and read protected user data without proper authorization. Apple addressed the vulnerability through hardened permission checks in version 26.5. EPSS probability indicates minimal observed exploitation activity (0.01%, 3rd percentile), and no public exploit code or CISA KEV listing exists at time of analysis, suggesting exploitation requires application-specific development effort rather than readily available tooling.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28988 MEDIUM PATCH This Month

Privacy bypass in Apple operating systems allows local authenticated apps to circumvent user-configured privacy restrictions through permission mishandling. The vulnerability affects iOS, iPadOS, macOS Tahoe, visionOS, and watchOS versions prior to 26.5. An attacker with local app execution privileges can access sensitive data classified as restricted by user privacy settings, though without authentication bypass or integrity compromise. Fixed in coordinated OS updates across Apple's ecosystem.

Authentication Bypass Apple
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20696 MEDIUM PATCH This Month

An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

Authentication Bypass Apple
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-28951 HIGH PATCH This Week

Privilege escalation in Apple operating systems allows local authenticated applications to gain root privileges through an authorization flaw in state management. Affects multiple macOS versions (Sonoma, Sequoia, Tahoe) and iOS/iPadOS versions prior to patched releases. Apple has issued coordinated security updates across all affected platforms (iOS 18.7.9/26.5, iPadOS 18.7.9/26.5, macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8, with no public exploit identified at time of analysis and no CISA KEV listing. The local attack vector requiring authenticated privileges substantially reduces immediate risk compared to network-based vulnerabilities.

Authentication Bypass Apple
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-28910 LOW PATCH Monitor

Improper permissions checking in macOS before version 26.4 allows a malicious app with local user privileges to access arbitrary files without user interaction, potentially exposing sensitive data. The vulnerability has a low EPSS score (0.01%) and no confirmed active exploitation, making it a low-priority but real local privilege escalation risk for systems where untrusted applications may execute.

Authentication Bypass Apple
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-28965 HIGH PATCH This Week

Lock screen bypass in iOS and iPadOS versions prior to 26.5 allows unauthorized access to restricted content without authentication. Apple's security advisory HT227110 confirms the privacy issue affected lock screen content filtering mechanisms. Despite CVSS 7.5 scoring suggesting network exploitation, the vulnerability requires physical access to a locked device, creating a significant disparity between theoretical severity and practical attack surface. EPSS probability of 0.02% (5th percentile) indicates minimal observed exploitation attempts, and no CISA KEV listing or public exploit code exists at time of analysis.

Authentication Bypass Apple
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28974 HIGH PATCH This Week

Confidentiality breach in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) allows remote unauthenticated attackers to access high-sensitivity information through improper access control checks. Despite the vendor description indicating denial-of-service impact, the CVSS vector reveals a severe confidentiality compromise (C:H) with network-accessible attack surface requiring no authentication. Apple has patched all affected platforms in coordinated security updates released across six operating systems. EPSS score of 0.02% suggests low observed exploitation probability, and no public exploit code has been identified at time of analysis.

Authentication Bypass Apple
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28954 HIGH PATCH This Week

macOS Gatekeeper can be bypassed using specially crafted disk images, allowing unauthenticated remote attackers to execute untrusted code without security warnings across iOS, iPadOS, and all supported macOS versions. Apple has released patches addressing this authentication bypass in macOS Tahoe 26.5, Sequoia 15.7.7, Sonoma 14.8.7, iOS 18.7.9, and iPadOS 18.7.9. Despite the CVSS 7.5 HIGH rating, EPSS probability remains very low at 0.02% (5th percentile), suggesting limited immediate exploitation risk, though the attack requires no special conditions and could be delivered via common distribution channels like email or web downloads.

Authentication Bypass Apple
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28978 HIGH PATCH This Week

Sandbox escape in macOS Sequoia, Sonoma, and Tahoe allows malicious applications with low privileges to break containment and gain elevated system access. Apple fixed this permissions handling flaw in macOS 15.7.7, 14.8.7, and 26.5 after addressing inadequate sandbox restrictions. No active exploitation confirmed (CISA KEV absent), but the CVSS scope change (S:C) indicates complete sandbox bypass with high impact to confidentiality, integrity, and availability. EPSS score of 0.01% suggests low probability of mass exploitation despite the severity, likely due to the requirement for local app installation and low-privilege authenticated access.

Authentication Bypass Apple
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28914 MEDIUM PATCH This Month

Gatekeeper security checks in macOS Tahoe can be bypassed using maliciously crafted ZIP archives due to a logic flaw in file handling. An attacker can create a weaponized ZIP file that, when extracted or opened by a user, circumvents Gatekeeper validation, potentially allowing execution of untrusted code. The vulnerability requires user interaction (opening or extracting the malicious archive) and is limited to local attack surface. Vendor-released patch: macOS Tahoe 26.5.

Authentication Bypass Apple
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42884 MEDIUM PATCH This Month

Audiobookshelf prior to version 2.32.2 fails to enforce library access controls on the GET /api/collections and GET /api/collections/:id endpoints, allowing authenticated users to enumerate and retrieve collection metadata and book information from libraries they are not authorized to access. An attacker with valid credentials to any library can exploit this privilege escalation to discover sensitive metadata across all libraries in a multi-library installation.

Authentication Bypass Audiobookshelf
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42883 MEDIUM PATCH This Month

Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they do not have access to by directly specifying item IDs in the GET /api/libraries/:id/download endpoint, bypassing library access controls. An attacker with valid credentials and access to any single library can exfiltrate complete file contents from restricted libraries, including those explicitly denied to them.

Authentication Bypass Audiobookshelf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8321 MEDIUM POC This Month

Authentication bypass in Inkeep Agents 0.58.14 allows remote unauthenticated attackers to circumvent authentication controls via alternate channel manipulation in the runAuth middleware. The vulnerability exists in the createDevContext function of agents-api/src/middleware/runAuth.ts, enabling unauthorized access to protected resources with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub issue #3024), and the vendor has not yet responded to the vulnerability report, meaning no patch is currently available.

Authentication Bypass Agents
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-42071 PHP HIGH PATCH GHSA This Week

A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. ### Impact - REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users - Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected - The web UI is NOT affected - it filters through bugnote_get_all_visible_bugnotes() first ### Patches - 029d9d203d9e4ae96b3e59d552fa7395cc1e5071 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security - Tang Cheuk Hei (@siunam321) This advisory's contents was largely copied from Tristan's well-written report.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-42070 PHP MEDIUM PATCH GHSA This Month

The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users - bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. ### Impact 1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN - bypassing the DEVELOPER threshold 2. UPDATER can change private notes to public - exposing confidential internal discussion 3. UPDATER can change public notes to private - hiding information from reporters/viewers ### Patches - 6e58fae4f22efdc3987f903c8ba2611de17a9435 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security This advisory's contents was largely copied from Tristan's well-written report.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34754 PHP MEDIUM PATCH GHSA This Month

### Impact MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access. ### Patches - b262b4d2835b81394d75356dead66e52a6275206 ### Workarounds None. ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34390 PHP MEDIUM PATCH GHSA This Month

Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla

Authentication Bypass Privilege Escalation PHP
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-42869 CRITICAL PATCH Act Now

Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-45223 HIGH PATCH This Week

Authentication bypass in Crabbox coordinator allows privilege escalation to full admin access. Attackers holding valid low-privilege user tokens can inject an admin claim into the token payload, sign it with HMAC-SHA256, and authenticate to admin-restricted coordinator endpoints. This grants unauthorized access to lease visibility across all users, pool state management, and forced release operations. Patch available in version 0.9.0 with upstream commit confirmed. No active exploitation (CISA KEV) or public POC identified at time of analysis, but CVSS 8.8 reflects network-accessible attack with low complexity once initial authentication is obtained.

Authentication Bypass Crabbox
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-45222 npm MEDIUM PATCH This Month

Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.

Authentication Bypass Summarize
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-33052 PHP MEDIUM PATCH GHSA This Month

MantisBT 2.28.0-2.28.1 allows authenticated users with add_profile_threshold permission to create global profiles by tampering with the user_id parameter, bypassing the manage_global_profile_threshold authorization check. An attacker with low-privileged authentication can escalate their profile creation capabilities to global scope via direct parameter manipulation in the profile creation request.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-44413 HIGH PATCH This Week

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.

Authentication Bypass Teamcity
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43639 HIGH POC PATCH This Week

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access, achieving complete administrative takeover. The vulnerability exploits a missing authorization check in the POST /providers/{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.

Authentication Bypass Server
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-43638 MEDIUM POC PATCH This Month

Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrary organizations via the POST /ciphers/import-organization endpoint by submitting an empty collections array, bypassing authorization checks. This missing authorization vulnerability (CWE-862) affects all authenticated users regardless of organization membership, enabling them to inject malicious credentials or pivot across organizations. Publicly available exploit code exists, and the vendor has released patched version 2026.4.1.

Authentication Bypass Server
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-45006 npm HIGH PATCH This Week

Compromised AI models running with access to OpenClaw's gateway tool can persist malicious configuration changes affecting command execution, network endpoints, credentials, and security policies by exploiting an incomplete denylist that failed to protect newly added config paths. The vulnerability allows model-driven writes to sensitive config subtrees (command execution safeguards, proxy/TLS settings, telemetry hooks, operator policies) that survive restart, enabling persistent control beyond the intended model-to-operator trust boundary. Patch available in OpenClaw 2026.4.23 with fail-closed allowlist enforcement. No public exploit or active exploitation confirmed, but CVSS 8.8 (AV:N/AC:L/PR:L) indicates authenticated remote attackers with low-privilege model access can achieve full config compromise.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-45002 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.20 allows attackers to bypass the hooks.allowRequestSessionKey opt-in restriction via template-rendered session keys in hook mappings, circumventing webhook routing isolation controls. The vulnerability enables externally influenced session keys to be rendered through templated hook mappings even when the opt-in is disabled, affecting webhook routing isolation but not enabling host execution. Vendor-released patch available (version 2026.4.20); no public exploit code identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-45001 npm MEDIUM PATCH This Month

Prompt-injected AI models can escalate privileges and persist unauthorized configuration changes in OpenClaw gateway before version 2026.4.20 via insufficient authorization guards on agent-facing config.patch and config.apply endpoints. Authenticated attackers (PR:L) with model tool access can disable sandbox policies, enable malicious plugins, modify TLS/authentication settings, alter SSRF protections, reconfigure MCP servers, and weaken filesystem hardening-effectively bypassing operator-enforced security boundaries. Vendor-released patch available in version 2026.4.20. No evidence of active exploitation; EPSS data not available for this recently disclosed vulnerability.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-44998 npm LOW PATCH Monitor

OpenClaw before version 2026.4.20 allows authenticated local agents to bypass tool policy restrictions by appending bundled MCP and LSP tools to the effective tool set after policy filtering has completed. Attackers with local agent access can circumvent profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies, potentially gaining unauthorized access to restricted tools. This vulnerability requires a configured bundled tool source and an operator-defined restrictive policy; no active exploitation has been identified.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44997 npm LOW PATCH Monitor

OpenClaw before 2026.4.22 fails to propagate security envelope constraints when spawning ACP child sessions, allowing authenticated restricted subagents to bypass depth limits, child-count restrictions, control scope, and target-agent constraints. An attacker with subagent privileges can exploit this by spawning child sessions that inherit insufficient security enforcement, potentially escalating privileges or accessing resources beyond their assigned scope.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44994 npm MEDIUM PATCH This Month

Authentication bypass in OpenClaw before version 2026.4.22 allows unauthenticated attackers to read sensitive bootstrap and configuration metadata from the Control UI config endpoint when Gateway authentication is enabled. The vulnerability exposes internal bootstrap information and configuration fields intended only for authenticated Control UI sessions via an unprotected HTTP GET request to the `/__openclaw/control-ui-config.json` endpoint, with no user interaction required.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-44993 npm LOW PATCH Monitor

OpenClaw before version 2026.4.20 misclassifies direct messages as group conversations in Feishu card-action callbacks, allowing authenticated attackers to bypass dmPolicy restrictions and trigger card-action flows that should have been blocked. The vulnerability affects direct message handling in the Feishu integration and requires authenticated access (PR:L per CVSS vector) but achieves both confidentiality and integrity impact with moderate CVSS score of 5.4.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44991 npm LOW PATCH Monitor

Authorization bypass in OpenClaw before 2026.4.21 allows non-owner senders to execute owner-enforced slash commands when channels are configured with wildcard inbound senders (allowFrom: ["*"]) without explicit owner allowFrom settings. Attackers with legitimate channel access can exploit this to bypass owner-only command authorization checks and execute commands such as /send, /config, or /debug. The vulnerability requires authenticated access to affected channels but is limited to command-owner authorization and does not grant tool access or gateway administrator scope.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Windows Event Logging Service privilege escalation allows local authenticated attackers with low-level privileges to gain SYSTEM-level control across Windows 10, Windows 11, and Windows Server 2012+ environments. The vulnerability requires no user interaction and has low attack complexity (AC:L), making exploitation straightforward once initial access is obtained. Microsoft has released patches via their March 2026 security updates, and exploitation requires only standard user credentials on vulnerable systems. CVSS 7.8 HIGH severity with complete compromise of confidentiality, integrity, and availability upon successful exploitation.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Microsoft Azure SDK for Java allows remote unauthenticated attackers to circumvent security controls over the network without user interaction. The vulnerability exposes confidentiality and integrity of Azure services to unauthorized access, with confirmed vendor patch available. CVSS 9.1 reflects critical network-based exploitation against default configurations, though no active exploitation (CISA KEV) or public POC has been identified at time of analysis.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Critical unauthenticated access control bypass in Fortinet FortiAuthenticator versions 6.5.0-6.5.6, 6.6.0-6.6.8, 8.0.0, and 8.0.2 enables remote code execution without authentication. The CVSS score of 9.8 with AV:N/AC:L/PR:N/UI:N indicates trivial remote exploitation against default configurations. While the vendor advisory (FG-IR-26-128) confirms this vulnerability, the incomplete description placeholder ('<insert attack vector here>') suggests the advisory may contain additional details not yet published in CVE records. No public exploit code or active exploitation confirmed at time of analysis, though the authentication bypass nature and maximum CVSS scores make this a priority patching target for organizations running FortiAuthenticator.

Authentication Bypass Fortinet
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.

Authentication Bypass Fortinet Fortisandbox Cloud +2
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

WGDashboard is a dashboard for WireGuard VPN. Prior to 4.3.2, there are critical vulnerabilities affecting WGDashboard that, if exploited, could allow unauthorized parties to access the host file system without authentication. This vulnerability is fixed in 4.3.2.

Authentication Bypass Wgdashboard
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Authentication Bypass Denial Of Service Intel +1
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.

Authentication Bypass Zulip
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

WPMU DEV Hustle plugin versions through 7.8.10.1 allow unauthenticated remote attackers to modify sensitive data via missing authorization controls on access-restricted functionality. The vulnerability exploits incorrectly configured access control security levels, enabling attackers to bypass authentication mechanisms without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Hustle
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).

Kubernetes Information Disclosure Authentication Bypass +4
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the PAM module of Devolutions Server allows authenticated users with a PAM license to retrieve OTP secret keys and recovery codes without additional permissions, leading to account compromise through crafted API requests. Affected versions include Devolutions Server 2025.3.16.0 and earlier, plus 2026.1.6.0 through 2026.1.11.0. No public exploit code or active exploitation has been identified; however, the low CVSS score and minimal EPSS percentile suggest limited real-world attack incentive despite the confidentiality impact.

Authentication Bypass Server
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Authentication Bypass Apache Tomcat +2
NVD VulDB HeroDevs
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Authentication Bypass Apache Tomcat +2
NVD VulDB HeroDevs
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in Pandora FMS versions 777-800 allows remote attackers to gain unauthorized API access via insecure default resource initialization. The vulnerability stems from CWE-1188 (default credentials or configuration), enabling attackers to bypass authentication mechanisms and access the API with high confidentiality and integrity impact. CVSS 4.0 scores this at 9.1 CRITICAL due to network attack vector requiring no privileges or user interaction, though attack complexity is high and specific timing conditions apply (AT:P). No CISA KEV listing or public POC identified at time of analysis, suggesting exploitation requires vendor-specific knowledge of the insecure defaults.

Authentication Bypass Pandora Fms
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary file creation and corruption in dalfox v2 REST API server mode allows unauthenticated remote attackers to write log-formatted data to any filesystem path accessible to the dalfox process. The server exposes output, output-all, and debug JSON fields from the API request directly to the logger's file-write path without validation, and the default configuration omits API key authentication entirely. The vulnerability is fixed in dalfox v2.13.0, released 2025-01-20, which strips all filesystem-dangerous fields from API-sourced requests before passing them to the scan engine. GitHub advisory GHSA-8hf9-3q64-q2qf confirms the issue; no public exploit code is identified at time of analysis, and CISA KEV does not list this CVE.

Authentication Bypass File Upload
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated arbitrary file read in dalfox REST API server mode allows remote attackers to exfiltrate sensitive files from the host filesystem. The vulnerability chains two flaws: missing authentication middleware when no API key is set (default configuration), and unsanitized deserialization of the `custom-payload-file` JSON parameter directly into the scan engine. Remote attackers can supply any file path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, cloud credential files) and the engine reads each line, embeds it as an XSS payload, and transmits it to an attacker-controlled HTTP endpoint via dalfox's own scan traffic. No exploit code is publicly identified at time of analysis; vendor-released patch available in version 2.13.0.

Authentication Bypass XSS Privilege Escalation
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).

Denial Of Service Command Injection Authentication Bypass +3
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Pocket ID OIDC provider fails to validate user authorization state during refresh token exchange, allowing revoked, disabled, or unauthorized users to obtain fresh access tokens indefinitely. Affects all versions prior to 2.6.0. Publicly available exploit code exists via GitHub security advisory GHSA-w6p7-2fxx-4f44. Attack requires low privileges and user interaction (CVSS 8.5) but enables persistent unauthorized access even after administrative revocation actions. Fixed in version 2.6.0.

Authentication Bypass Pocket Id
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Sandbox path bypass in consul-template before 0.42.0 allows local authenticated users to read files outside the intended sandbox via symlink attack in the file template helper. The vulnerability requires local access and elevated privileges but grants high confidentiality impact. Vendor-released patch available in version 0.42.0.

Authentication Bypass Tooling
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OX Dovecot Pro is vulnerable to IMAP SETACL command injection that allows authenticated users to bypass the imap_acl_allow_anyone configuration setting and inject the anyone permission into dovecot-acl files, enabling spam of mailbox folders to all users. The vulnerability requires authentication and elevated complexity conditions (CVSS 3.1), and no public exploits are known at the time of analysis.

Authentication Bypass Ox Dovecot Pro
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.

Authentication Bypass Path Traversal Easylogic T150 Formerly Saitel Dr Remote Terminal Unit Controller +1
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Weak session token generation in Schneider Electric industrial protection relays and energy management systems allows remote attackers to hijack authenticated user sessions via network-based prediction attacks. Affects 36 product variants across Easergy MiCOM P30/P40/C264, PowerLogic P5/P7/T-series, EcoStruxure Power Automation/Operation platforms, and iPMFLS systems. CVSS 8.7 reflects high confidentiality and integrity impact with user interaction required. No active exploitation confirmed (not in CISA KEV), but authentication bypass via session prediction enables privilege escalation in critical infrastructure environments. EPSS data not provided - risk assessment relies on CVSS vector and operational technology context.

Authentication Bypass Easergy Micom C264 Easergy C5 +12
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can trigger a denial-of-service condition against Asset CleanUp: Page Speed Booster (WordPress plugin) versions up to 1.4.0.3 by exploiting missing authorization controls that incorrectly configure access restrictions. The vulnerability allows attackers to perform actions intended for authenticated administrators without proper authentication, resulting in availability impact through the ability to modify or disable asset optimization features.

Authentication Bypass Asset Cleanup
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization in Broadstreet Ads WordPress plugin through version 1.52.2 allows authenticated users to bypass access controls and modify data, resulting in integrity and availability impact. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before executing sensitive operations. Exploitation requires valid user authentication but no special configuration or interaction.

Authentication Bypass Broadstreet Ads
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Turboard FOR-S allows remote unauthenticated attackers to gain elevated access by exploiting incorrect authorization checks, requiring only user interaction. The vulnerability affects versions 7.01.2026 through 17.02.2026, with fix available in version 18.02.2026. Turkish national CERT (TR-CERT) reported this authorization bypass vulnerability (CWE-863), which enables attackers to compromise confidentiality, integrity, and availability of the affected business intelligence platform.

Authentication Bypass Privilege Escalation Turboard For S
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authorization bypass in BAPSİS web application enables unauthenticated remote attackers to exploit trusted identifiers through user-controlled keys when victims interact with crafted requests. ABIS Technology's BAPSİS platform (versions before v.202604152042) contains a CWE-639 flaw where authorization checks rely on client-controlled key values, allowing attackers to manipulate trust relationships and gain unauthorized access with high impact to confidentiality, integrity, and availability. TR-CERT published advisory but no public exploit code identified at time of analysis, with CVSS 8.8 reflecting network-exploitable attack requiring only user interaction.

Authentication Bypass Bapsi S
NVD
EPSS 0% CVSS 8.7
HIGH This Week

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.

Authentication Bypass RCE Code Runner Mcp Server
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users with Subscriber-level access can bypass PayPal payment verification in the Motors - Car Dealership & Classified Listings WordPress plugin (versions up to 1.4.103) by directly modifying their stm_payment_status user meta field to 'completed', gaining access to paid Dealer membership features without completing any transaction. The vulnerability exists in the stm_save_user_extra_fields() function, which fails to validate permission for sensitive meta field modifications during profile updates. While CVSS 4.3 reflects low severity, the integrity impact is direct-payment systems are completely circumvented for any authenticated user.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 8.7
HIGH Act Now

Hardcoded cryptographic keys in Siemens Teamcenter PLM software enable remote attackers to bypass authentication and gain unauthorized access to confidential product lifecycle management data. The vulnerability affects multiple Teamcenter versions (V2312, V2406, V2412, V2506, V2512) and is remotely exploitable without authentication (CVSS:4.0 AV:N/AC:L/PR:N). While no active exploitation or public POC has been identified at time of analysis, the straightforward nature of hardcoded credential extraction (AC:L) combined with the criticality of Teamcenter as an enterprise PLM platform housing intellectual property makes this a high-priority remediation target for manufacturing and engineering organizations.

Authentication Bypass Teamcenter V2312 Teamcenter V2406 +3
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Local unauthenticated attackers can access the web browser on Siemens SIMATIC HMI Unified Comfort and Comfort Pro panels (all models <V21) via the Control Panel when security mechanisms are not configured. The CVSS v4.0 score of 7.0 reflects high integrity and availability impact (VI:H/VA:H) with local attack vector (AV:L), low complexity (AC:L), and no authentication required (PR:N). The vulnerability is classified as CWE-1188 (Initialization of a Resource with an Insecure Default) and tagged as Authentication Bypass. No public exploit or active exploitation confirmed at time of analysis, but the local access requirement and lack of default protections significantly lower the attack bar in environments where physical or local system access is feasible, such as industrial control settings.

Authentication Bypass Simatic Hmi Mtp1000 Unified Comfort Panel Simatic Hmi Mtp1000 Unified Comfort Panel Hygienic +48
NVD VulDB
EPSS 0% CVSS 8.8
HIGH Act Now

Remote unauthenticated attackers can exhaust resources and bypass authentication controls in Siemens SIMATIC CN 4100 versions before V5.0, enabling denial of service conditions and unauthorized actions that compromise system availability and integrity. The vulnerability stems from improper connection validation (CWE-306), allowing network-based exploitation without any user interaction or privileges. Siemens has released V5.0 to address this flaw, documented in security advisory SSA-032379.

Authentication Bypass Denial Of Service Simatic Cn 4100
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Predictable Technical Service credentials derived from CRC16-based algorithm and device serial number enable authentication bypass in Siemens blueplanet solar inverters and hybrid systems. Remote adjacent network attackers without authentication can calculate valid service credentials from publicly-observable serial numbers, gaining unauthorized administrative access to compromise device integrity and availability. Affects 23 blueplanet product families including TL3, NX3, NH3, and gridsafe variants across industrial solar installations. Patches released for GEN2 models (V6.1.4.9) and gridsafe variants (V3.91), but legacy TL3/NX3/NH3 first-generation models remain unpatched with no vendor-provided fix versions.

Authentication Bypass Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 +28
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.

Authentication Bypass Timetics
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can cancel arbitrary bookings in the Smart Appointment & Booking WordPress plugin versions up to 1.0.8 due to a logic flaw in nonce validation that uses AND instead of OR, combined with a missing capability check in the saab_cancel_booking() function. By supplying any value for the security parameter and a predictable booking ID, attackers can modify or delete booking records without authentication or user interaction.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify critical payment gateway settings in the iPOSpays Gateways WC WordPress plugin through an exposed REST API endpoint lacking authorization checks, enabling them to overwrite live API keys, secret keys, and payment tokens. Affected versions up to 1.3.7 permit unrestricted access to the /wp-json/ipospays/v1/save_settings endpoint due to a permission_callback set to '__return_true' with no nonce verification, allowing complete compromise of payment processing credentials without authentication. This is a high-integrity attack vector against e-commerce sites using the plugin.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level WordPress access can overwrite the Coinbase Commerce API key in versions up to 1.1.2 of the Coinbase Commerce for Contact Form 7 WordPress plugin due to missing capability checks and nonce verification in the save_settings() function. The vulnerability allows privilege escalation and potential compromise of payment processing by replacing the legitimate API key with an attacker-controlled value via a crafted POST request to /wp-admin/admin-post, affecting all WordPress sites running this plugin with that version or earlier.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Forms Rb plugin for WordPress versions up to 1.1.9 contains an authorization bypass vulnerability allowing authenticated contributors and above to read, modify, and delete form submission records and configuration belonging to forms they do not own. The vulnerability stems from insufficient authorization checks in API endpoints (CWE-862), affecting all installations with the plugin active. CVSS score of 4.3 reflects low attack complexity and network accessibility, though impact is limited to integrity and information disclosure within WordPress administrative contexts.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass PHP RCE +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify arbitrary WordPress post content, metadata, author assignment, and post type through missing authorization checks in the Rate Star Review Vote AJAX handler, allowing full post content takeover via the 'rating_id' parameter when the 'form' parameter is set to 'update'. The vulnerability affects all versions up to 1.6.4 and requires only basic user authentication (not administrator privileges), making it exploitable by any registered site user.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can delete any classroom record in the HEL Online Classroom WordPress plugin (versions up to 1.0.3) via a REST API endpoint that bypasses all WordPress authentication checks through a permission_callback set to '__return_true', resulting in permanent data loss. The vulnerability affects the plugin's core functionality and requires only network access with no user interaction, though the CVSS score of 5.3 reflects limited confidentiality impact (integrity modification only, no information disclosure).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM Monitor

Brute-force password attacks against the web management interface of Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 succeed due to improper rate-limiting on authentication attempts, allowing adjacent LAN attackers to bypass authentication and gain administrative access without requiring valid credentials. The vulnerability affects a legacy wireless range extender model marked as end-of-life by Zyxel, with CVSS 6.5 reflecting high confidentiality impact but local network scope.

Authentication Bypass Zyxel
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient authorization checks in SAP Incentive and Commission Management allow authenticated users to invoke remote-enabled function modules and perform unauthorized table update operations, compromising data integrity. The vulnerability requires valid user credentials and network access but has limited scope - no confidentiality or availability impact. CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact; no active exploitation or public POC identified at analysis time.

Authentication Bypass SAP
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Missing authorization checks in SAP S/4HANA Condition Maintenance allow authenticated attackers to view and modify condition table records they should not have access to, compromising data confidentiality and integrity while potentially denying legitimate users access to those same records. The vulnerability requires valid user credentials but affects all versions of the affected module, with CVSS 6.3 reflecting its multi-faceted impact across three security dimensions.

Authentication Bypass SAP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization checks in SAP Strategic Enterprise Management's Scorecard Wizard (Business Server Pages application) allow authenticated users to access restricted information and modify risk evaluation settings without proper authorization. An attacker with valid credentials can view confidential data and alter default configuration values, artificially reducing assessed risk levels to deceive risk assessment processes. No patch availability or active exploitation has been confirmed.

Authentication Bypass SAP
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications.

Authentication Bypass SQLi SAP
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated remote attackers can modify or delete arbitrary memory records in mem0 1.0.0 server by directly calling unprotected API endpoints including PUT /memories/{memory_id}. The vulnerability stems from complete absence of authentication and authorization controls on critical memory management functions, allowing data manipulation and loss without any verification of requester identity. EPSS score of 0.06% (18th percentile) indicates low exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated remote attackers can completely destroy the mem0 v1.0.0 memory database by sending a DELETE request to the /memories endpoint, which executes DROP TABLE SQL statements without authentication or authorization checks. This causes irreversible data loss and total service denial for all users. EPSS score of 0.03% suggests low observed exploitation probability despite the CVSS 9.1 critical rating, likely due to mem0's limited deployment footprint. No public exploit code or active exploitation (CISA KEV) confirmed at time of analysis, but SSVC indicates the vulnerability is automatable with a single HTTP request.

Authentication Bypass Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

mem0 1.0.0 server exposes an unauthenticated memory deletion API endpoint (DELETE /memories) that allows remote attackers to delete arbitrary user memory records by specifying user identifiers in query parameters, resulting in unauthorized data loss and denial of service. No authentication or authorization validation is performed before processing deletion requests, enabling any network-accessible attacker to target any user's data without credentials.

Authentication Bypass Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.4, there is a security vulnerability in Vaultwarden that allows bypassing the login brute-force protection if email 2fa is enabled. If email 2fa is enabled, the unprotected 2fa-function send_email_login (email.rs, api endpoint /api/two-factor/send-email-login) also acts as an oracle determining whether a username-password combination is correct. An attacker can abuse that endpoint to brute-force passwords without rate-limiting. This works even for users who don't have email 2fa configured. This vulnerability is fixed in 1.35.4.

Authentication Bypass Oracle
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, and a separate confirmation by an existing owner upgrades it to Confirmed. The POST /api/ciphers/purge endpoint uses plain Headers and only checks that the membership type is Owner without verifying that the membership status is Confirmed. An authenticated user who has been invited as an organization owner and has accepted the invite and has not yet been confirmed can call this endpoint to hard-delete all ciphers and attachments in the organization, causing immediate organization-wide data loss. This vulnerability is fixed in 1.35.5.

Authentication Bypass Hashicorp
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as groups.groups_uuid, or a collections_groups.collections_uuid entry belongs to the same organization as collections_groups.groups_uuid. Multiple organization group-management endpoints accept arbitrary MembershipId and CollectionId values and persist them directly without verifying org consistency. This lets an attacker who is Admin in Organization A, and only a low-privileged member in Organization B bind their Org B membership UUID into an Org A group, then use that foreign group relationship to gain unauthorized access to Org B vault data. With an accessAll=true Org A group, the attacker can make /api/sync and /api/ciphers enumerate Org B ciphers. Once those unauthorized sync results reveal Org B collection IDs, the attacker can also bind those foreign collection IDs to the Org A group and turn the same flaw into write access over Org B items. This vulnerability is fixed in 1.35.5.

Authentication Bypass Hashicorp
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass (RCE). While the patch correctly restricted api.openExternal() inside the renderer's preload/index.ts script, it structurally neglected to sanitize native Electron pop-up window handlers. An attacker or a compromised AI endpoint returning a Markdown link can trigger a target="_blank" native window interception in tabPresenter.ts, which forwards the malicious URL directly to shell.openExternal(url) and completely bypasses the isValidExternalUrl security boundary. This vulnerability is fixed in v1.0.4-beta.1.

Authentication Bypass Deepchat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each-skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.

Authentication Bypass Outline
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() - it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.

Authentication Bypass Outline
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

macOS Tahoe allows applications to access protected user data due to insufficient permission enforcement on system APIs. The vulnerability affects all macOS versions prior to 26.5 and is tagged as an authentication bypass, indicating apps can circumvent permission prompts or system restrictions to read sensitive data without user consent. While not yet actively exploited (EPSS 0.01%, no CISA KEV listing), the CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the local application context described, suggesting potential network-accessible component or misclassified attack vector requiring vendor clarification.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Apps on iOS and iPadOS can bypass App Privacy Report logging due to insufficient entitlement checks, allowing malicious applications to conceal their privacy-invasive activities from users. Fixed in iOS/iPadOS 18.7.9 and 26.4. The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the actual attack requirements, as exploitation requires a malicious app already installed on the device, not remote network access. Despite the 7.5 CVSS score, EPSS exploitation probability is very low (0.02%, 5th percentile), no active exploitation is confirmed, and no public exploit code identified at time of analysis.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local authenticated apps bypass user consent mechanisms to access sensitive user data across iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. The vulnerability allows malicious or compromised applications running with standard user privileges to exfiltrate protected information without triggering the expected permission prompts. Apple has patched this by implementing an additional consent verification layer, though the low EPSS score (0.02%) suggests real-world exploitation remains limited.

Authentication Bypass Apple Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Insufficient permission enforcement in macOS Tahoe prior to 26.5 allows applications to bypass access controls and read protected user data without proper authorization. Apple addressed the vulnerability through hardened permission checks in version 26.5. EPSS probability indicates minimal observed exploitation activity (0.01%, 3rd percentile), and no public exploit code or CISA KEV listing exists at time of analysis, suggesting exploitation requires application-specific development effort rather than readily available tooling.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Privacy bypass in Apple operating systems allows local authenticated apps to circumvent user-configured privacy restrictions through permission mishandling. The vulnerability affects iOS, iPadOS, macOS Tahoe, visionOS, and watchOS versions prior to 26.5. An attacker with local app execution privileges can access sensitive data classified as restricted by user privacy settings, though without authentication bypass or integrity compromise. Fixed in coordinated OS updates across Apple's ecosystem.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Apple operating systems allows local authenticated applications to gain root privileges through an authorization flaw in state management. Affects multiple macOS versions (Sonoma, Sequoia, Tahoe) and iOS/iPadOS versions prior to patched releases. Apple has issued coordinated security updates across all affected platforms (iOS 18.7.9/26.5, iPadOS 18.7.9/26.5, macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8, with no public exploit identified at time of analysis and no CISA KEV listing. The local attack vector requiring authenticated privileges substantially reduces immediate risk compared to network-based vulnerabilities.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Improper permissions checking in macOS before version 26.4 allows a malicious app with local user privileges to access arbitrary files without user interaction, potentially exposing sensitive data. The vulnerability has a low EPSS score (0.01%) and no confirmed active exploitation, making it a low-priority but real local privilege escalation risk for systems where untrusted applications may execute.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Lock screen bypass in iOS and iPadOS versions prior to 26.5 allows unauthorized access to restricted content without authentication. Apple's security advisory HT227110 confirms the privacy issue affected lock screen content filtering mechanisms. Despite CVSS 7.5 scoring suggesting network exploitation, the vulnerability requires physical access to a locked device, creating a significant disparity between theoretical severity and practical attack surface. EPSS probability of 0.02% (5th percentile) indicates minimal observed exploitation attempts, and no CISA KEV listing or public exploit code exists at time of analysis.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Confidentiality breach in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) allows remote unauthenticated attackers to access high-sensitivity information through improper access control checks. Despite the vendor description indicating denial-of-service impact, the CVSS vector reveals a severe confidentiality compromise (C:H) with network-accessible attack surface requiring no authentication. Apple has patched all affected platforms in coordinated security updates released across six operating systems. EPSS score of 0.02% suggests low observed exploitation probability, and no public exploit code has been identified at time of analysis.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

macOS Gatekeeper can be bypassed using specially crafted disk images, allowing unauthenticated remote attackers to execute untrusted code without security warnings across iOS, iPadOS, and all supported macOS versions. Apple has released patches addressing this authentication bypass in macOS Tahoe 26.5, Sequoia 15.7.7, Sonoma 14.8.7, iOS 18.7.9, and iPadOS 18.7.9. Despite the CVSS 7.5 HIGH rating, EPSS probability remains very low at 0.02% (5th percentile), suggesting limited immediate exploitation risk, though the attack requires no special conditions and could be delivered via common distribution channels like email or web downloads.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandbox escape in macOS Sequoia, Sonoma, and Tahoe allows malicious applications with low privileges to break containment and gain elevated system access. Apple fixed this permissions handling flaw in macOS 15.7.7, 14.8.7, and 26.5 after addressing inadequate sandbox restrictions. No active exploitation confirmed (CISA KEV absent), but the CVSS scope change (S:C) indicates complete sandbox bypass with high impact to confidentiality, integrity, and availability. EPSS score of 0.01% suggests low probability of mass exploitation despite the severity, likely due to the requirement for local app installation and low-privilege authenticated access.

Authentication Bypass Apple
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Gatekeeper security checks in macOS Tahoe can be bypassed using maliciously crafted ZIP archives due to a logic flaw in file handling. An attacker can create a weaponized ZIP file that, when extracted or opened by a user, circumvents Gatekeeper validation, potentially allowing execution of untrusted code. The vulnerability requires user interaction (opening or extracting the malicious archive) and is limited to local attack surface. Vendor-released patch: macOS Tahoe 26.5.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Audiobookshelf prior to version 2.32.2 fails to enforce library access controls on the GET /api/collections and GET /api/collections/:id endpoints, allowing authenticated users to enumerate and retrieve collection metadata and book information from libraries they are not authorized to access. An attacker with valid credentials to any library can exploit this privilege escalation to discover sensitive metadata across all libraries in a multi-library installation.

Authentication Bypass Audiobookshelf
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they do not have access to by directly specifying item IDs in the GET /api/libraries/:id/download endpoint, bypassing library access controls. An attacker with valid credentials and access to any single library can exfiltrate complete file contents from restricted libraries, including those explicitly denied to them.

Authentication Bypass Audiobookshelf
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in Inkeep Agents 0.58.14 allows remote unauthenticated attackers to circumvent authentication controls via alternate channel manipulation in the runAuth middleware. The vulnerability exists in the createDevContext function of agents-api/src/middleware/runAuth.ts, enabling unauthorized access to protected resources with low impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub issue #3024), and the vendor has not yet responded to the vulnerability report, meaning no patch is currently available.

Authentication Bypass Agents
NVD VulDB GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. ### Impact - REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users - Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected - The web UI is NOT affected - it filters through bugnote_get_all_visible_bugnotes() first ### Patches - 029d9d203d9e4ae96b3e59d552fa7395cc1e5071 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security - Tang Cheuk Hei (@siunam321) This advisory's contents was largely copied from Tristan's well-written report.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users - bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. ### Impact 1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN - bypassing the DEVELOPER threshold 2. UPDATER can change private notes to public - exposing confidential internal discussion 3. UPDATER can change public notes to private - hiding information from reporters/viewers ### Patches - 6e58fae4f22efdc3987f903c8ba2611de17a9435 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security This advisory's contents was largely copied from Tristan's well-written report.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

### Impact MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access. ### Patches - b262b4d2835b81394d75356dead66e52a6275206 ### Workarounds None. ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla

Authentication Bypass Privilege Escalation PHP
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.

Authentication Bypass Docker
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authentication bypass in Crabbox coordinator allows privilege escalation to full admin access. Attackers holding valid low-privilege user tokens can inject an admin claim into the token payload, sign it with HMAC-SHA256, and authenticate to admin-restricted coordinator endpoints. This grants unauthorized access to lease visibility across all users, pool state management, and forced release operations. Patch available in version 0.9.0 with upstream commit confirmed. No active exploitation (CISA KEV) or public POC identified at time of analysis, but CVSS 8.8 reflects network-accessible attack with low complexity once initial authentication is obtained.

Authentication Bypass Crabbox
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.

Authentication Bypass Summarize
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

MantisBT 2.28.0-2.28.1 allows authenticated users with add_profile_threshold permission to create global profiles by tampering with the user_id parameter, bypassing the manage_global_profile_threshold authorization check. An attacker with low-privileged authentication can escalate their profile creation capabilities to global scope via direct parameter manipulation in the profile creation request.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to server APIs. Despite the CVE description stating 'authenticated users could expose server API,' the CVSS vector (PR:N) confirms no authentication is required for exploitation, enabling direct unauthorized API access with high confidentiality impact and limited integrity impact. JetBrains has released patches in versions 2026.1 and 2025.11.5. EPSS and KEV status not available at time of analysis.

Authentication Bypass Teamcity
NVD VulDB
EPSS 0% CVSS 8.9
HIGH POC PATCH This Week

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access, achieving complete administrative takeover. The vulnerability exploits a missing authorization check in the POST /providers/{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.

Authentication Bypass Server
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrary organizations via the POST /ciphers/import-organization endpoint by submitting an empty collections array, bypassing authorization checks. This missing authorization vulnerability (CWE-862) affects all authenticated users regardless of organization membership, enabling them to inject malicious credentials or pivot across organizations. Publicly available exploit code exists, and the vendor has released patched version 2026.4.1.

Authentication Bypass Server
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Compromised AI models running with access to OpenClaw's gateway tool can persist malicious configuration changes affecting command execution, network endpoints, credentials, and security policies by exploiting an incomplete denylist that failed to protect newly added config paths. The vulnerability allows model-driven writes to sensitive config subtrees (command execution safeguards, proxy/TLS settings, telemetry hooks, operator policies) that survive restart, enabling persistent control beyond the intended model-to-operator trust boundary. Patch available in OpenClaw 2026.4.23 with fail-closed allowlist enforcement. No public exploit or active exploitation confirmed, but CVSS 8.8 (AV:N/AC:L/PR:L) indicates authenticated remote attackers with low-privilege model access can achieve full config compromise.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.4.20 allows attackers to bypass the hooks.allowRequestSessionKey opt-in restriction via template-rendered session keys in hook mappings, circumventing webhook routing isolation controls. The vulnerability enables externally influenced session keys to be rendered through templated hook mappings even when the opt-in is disabled, affecting webhook routing isolation but not enabling host execution. Vendor-released patch available (version 2026.4.20); no public exploit code identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Prompt-injected AI models can escalate privileges and persist unauthorized configuration changes in OpenClaw gateway before version 2026.4.20 via insufficient authorization guards on agent-facing config.patch and config.apply endpoints. Authenticated attackers (PR:L) with model tool access can disable sandbox policies, enable malicious plugins, modify TLS/authentication settings, alter SSRF protections, reconfigure MCP servers, and weaken filesystem hardening-effectively bypassing operator-enforced security boundaries. Vendor-released patch available in version 2026.4.20. No evidence of active exploitation; EPSS data not available for this recently disclosed vulnerability.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.4.20 allows authenticated local agents to bypass tool policy restrictions by appending bundled MCP and LSP tools to the effective tool set after policy filtering has completed. Attackers with local agent access can circumvent profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies, potentially gaining unauthorized access to restricted tools. This vulnerability requires a configured bundled tool source and an operator-defined restrictive policy; no active exploitation has been identified.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.4.22 fails to propagate security envelope constraints when spawning ACP child sessions, allowing authenticated restricted subagents to bypass depth limits, child-count restrictions, control scope, and target-agent constraints. An attacker with subagent privileges can exploit this by spawning child sessions that inherit insufficient security enforcement, potentially escalating privileges or accessing resources beyond their assigned scope.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Authentication bypass in OpenClaw before version 2026.4.22 allows unauthenticated attackers to read sensitive bootstrap and configuration metadata from the Control UI config endpoint when Gateway authentication is enabled. The vulnerability exposes internal bootstrap information and configuration fields intended only for authenticated Control UI sessions via an unprotected HTTP GET request to the `/__openclaw/control-ui-config.json` endpoint, with no user interaction required.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.4.20 misclassifies direct messages as group conversations in Feishu card-action callbacks, allowing authenticated attackers to bypass dmPolicy restrictions and trigger card-action flows that should have been blocked. The vulnerability affects direct message handling in the Feishu integration and requires authenticated access (PR:L per CVSS vector) but achieves both confidentiality and integrity impact with moderate CVSS score of 5.4.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Authorization bypass in OpenClaw before 2026.4.21 allows non-owner senders to execute owner-enforced slash commands when channels are configured with wildcard inbound senders (allowFrom: ["*"]) without explicit owner allowFrom settings. Attackers with legitimate channel access can exploit this to bypass owner-only command authorization checks and execute commands such as /send, /config, or /debug. The vulnerability requires authenticated access to affected channels but is limited to command-owner authorization and does not grant tool access or gateway administrator scope.

Authentication Bypass Openclaw
NVD GitHub
Prev Page 39 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy