Skip to main content

Authentication Bypass

31281 CVEs technique

Monthly

CVE-2026-7909 LOW PATCH Monitor

Site isolation bypass in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to circumvent Chrome's site isolation security boundary through a crafted HTML page. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world impact despite being triggered remotely. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-31974 LOW Monitor

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenticated users with user interaction to make unauthorized modifications to critical system components. The vulnerability requires administrative privileges and user consent (CVSS:3.1/AV:N/AC:H/PR:H/UI:R), resulting in limited confidentiality, integrity, and availability impacts. No active exploitation has been publicly reported.

Authentication Bypass Bigfix Service Management Sm
NVD VulDB
CVSS 3.1
3.9
EPSS
0.0%
CVE-2026-8031 MEDIUM POC This Month

Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to access the /cdemos/echs/api/v2/patient-records API endpoint and retrieve sensitive patient information. Publicly available exploit code exists for this vulnerability. The vendor released patched version 5.7.1 to address the issue.

Authentication Bypass E Clinic Healthcare System Echs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-44012 PHP HIGH PATCH GHSA This Week

Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44010 PHP HIGH POC PATCH GHSA This Week

Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping-a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.

Authentication Bypass Docker PHP
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-20219 MEDIUM This Month

Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Cisco
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42280 npm HIGH PATCH GHSA This Week

Token validation flaw in Auth0.js SDK versions 8.11.0 through 9.32.0 allows authenticated attackers to retrieve user profile information by submitting a valid access token alongside a crafted invalid ID token, bypassing access control rules defined in Auth0 Actions. The vulnerability affects applications that depend on Auth0 Actions for authorization decisions, potentially exposing sensitive user profile data to attackers holding valid but insufficiently privileged access tokens. Vendor-released patch available in version 10.0.0, discovered through coordinated disclosure by security researcher Quan Le.

Authentication Bypass Auth0
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20167 HIGH This Week

Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.

Authentication Bypass Cisco Cisco Iot Field Network Director Iot Fnd
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-20189 MEDIUM This Month

Cisco Prime Infrastructure log file download functionality fails to enforce proper authorization checks, allowing authenticated remote attackers to download arbitrary log files beyond their access level. An attacker with valid web management interface credentials can submit crafted URL requests to the affected download service API to retrieve sensitive logs, resulting in confidential information disclosure. CVSS score of 4.3 reflects low immediate impact but legitimate data exposure risk for organizations using this management platform.

Authentication Bypass Cisco Cisco Prime Infrastructure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-20193 MEDIUM This Month

Cisco Identity Services Engine allows authenticated read-only administrators to bypass role-based access control on RADIUS Policy API endpoints and gain unauthorized read access to sensitive policy details through direct API calls. The vulnerability affects ISE software across versions due to improper RBAC enforcement on API endpoints, enabling privilege escalation from read-only to unauthorized data disclosure. CVSS score is 4.3 with low attack complexity, but exploitation requires valid administrative credentials.

Authentication Bypass Cisco Cisco Identity Services Engine Software
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6863 Go MEDIUM PATCH This Month

Velociraptor versions prior to 0.76.4 allow authenticated users with reader role in the root organization to bypass cross-organization authorization controls via HTTP API GET requests, enabling them to read arbitrary files from other organizations regardless of their permissions in those target organizations. The vulnerability requires high privilege context (authenticated reader in root org) but has high confidentiality impact across organization boundaries. This is a horizontal privilege escalation affecting multi-tenant deployments where organizational isolation is a critical security boundary.

Authentication Bypass Suse
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-52613 MEDIUM This Month

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the application to known security weaknesses. Authenticated local attackers with high complexity conditions can achieve limited information disclosure and integrity compromise (CVSS 4.6). No active exploitation or public POC identified at time of analysis.

Authentication Bypass Information Disclosure Bigfix Service Management Sm
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-8027 MEDIUM This Month

Authorization bypass in FlowiseAI Flowise up to version 3.0.12 allows authenticated users to manipulate userId, organizationId, workspaceId, and email parameters in the User Controller Handler, potentially gaining unauthorized access to other users' data or organizational resources. The vulnerability requires valid user authentication and remote network access, resulting in confidentiality impact with low attack complexity. No active exploitation in CISA KEV has been confirmed at time of analysis.

Authentication Bypass Flowise
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-43194 HIGH PATCH This Week

TCP connections through veth interfaces with XDP programs can enter a permanent deadlock state where sender and receiver sequence numbers desynchronize, causing all traffic to stall indefinitely. The vulnerability stems from improper error code handling in GSO (Generic Segmentation Offload) frame transmission when individual segments within a GSO super-frame fail - TCP interprets partial segment loss as complete frame loss, advancing receiver state without sender acknowledgment. Affects Linux kernel versions from 3.18 through 6.19.x with patches available across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation (KEV) or public exploit code has been identified at time of analysis.

Authentication Bypass Linux Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59851 LOW Monitor

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-2306 MEDIUM This Month

Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.

Authentication Bypass Denial Of Service WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5753 MEDIUM This Month

Missing authorization in All-in-One WP Migration Unlimited Extension for WordPress versions up to 2.83 allows authenticated subscribers to create scheduled export jobs without capability verification, enabling attackers to exfiltrate full site backups by redirecting notifications to attacker-controlled email addresses and leveraging exposed backup filenames for download. This results in complete site data disclosure including sensitive information accessible to low-privilege authenticated users.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3208 MEDIUM This Month

Unauthenticated attackers can retrieve PIX payment QR code images for arbitrary WooCommerce orders via the unprotected 'mp_pix_image' API endpoint in Mercado Pago payments for WooCommerce plugin versions up to 8.7.11, exposing sensitive merchant data including PIX keys, transaction amounts, merchant identity, and Mercado Pago transaction references. The vulnerability requires no authentication, user interaction, or special configuration, and exploits a missing capability check in the WordPress REST API handler. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7573 Go MEDIUM PATCH This Month

Authorization bypass in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows authenticated low-privilege users to retrieve complete ACL policies, roles, and permissions for any user across all organizations by supplying targeted Name and Org parameters. The vulnerability affects any organization running vulnerable versions where users have valid authentication credentials, enabling privilege escalation through unauthorized access to sensitive authorization metadata.

Authentication Bypass Velociraptor
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-34474 HIGH POC Monitor

Remote unauthenticated attackers can retrieve plaintext administrator passwords and WLAN Pre-Shared Keys from ZTE ZXHN H298A (firmware 1.1) and H108N (firmware 2.6) routers via crafted HTTP requests to the web management interface. The vulnerability enables complete network compromise through credential theft without requiring authentication. Public exploit code exists (GitHub Gist), demonstrating active researcher interest, though no CISA KEV listing indicates targeted rather than widespread exploitation. EPSS data unavailable, but the combination of network attack vector, no authentication requirement, and credential exposure presents immediate risk to affected deployments.

Authentication Bypass Zte Information Disclosure
NVD GitHub VulDB Exploit-DB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44221 Maven CRITICAL PATCH GHSA Act Now

Authenticated users in ArcadeDB server versions prior to 26.4.2 can bypass database-scoped authorization and perform read, write, and schema mutation operations across all databases on the same server instance. Two critical implementation flaws combine: uninitialized file access maps treated as allow-all permissions, and newly-created databases via API POST /api/v1/server silently disabling their entire record-level authorization system through omitted security factory configuration. Vendor-released patch 26.4.2 addresses both defects. No public exploit identified at time of analysis, though CVSS 9.0 reflects severe authorization breakdown requiring only low-privilege authenticated access.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-43885 PHP HIGH PATCH GHSA This Week

AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.

Authentication Bypass PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43883 PHP MEDIUM PATCH GHSA This Month

Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-43881 PHP MEDIUM PATCH GHSA This Month

Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.

Authentication Bypass Oracle CSRF PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42541 Go MEDIUM PATCH GHSA This Month

Kubewarden versions before 1.35.0 permit RBAC reconnaissance attacks when users with AdmissionPolicy or AdmissionPolicyGroup creation privileges craft policies using the unchecked `can_i` host capability. The vulnerability allows enumeration of any user or service account permissions across the cluster via SubjectAccessReview requests executed with policy-server privileges, despite the absence of context-aware resource grants. This information disclosure enables attackers to discover sensitive permission configurations without requiring cluster-wide policy creation rights, a capability not available by default but exploitable when granted.

Authentication Bypass Privilege Escalation Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42334 npm HIGH PATCH GHSA This Week

Authentication bypass in Mongoose 6.x-9.x allows remote attackers to inject malicious MongoDB query operators via the $nor clause when sanitizeFilter is enabled. The vulnerability exists because Mongoose's sanitizeFilter mechanism fails to recursively sanitize the $nor logical operator, allowing injection of operators like $ne, $gt, or $regex that bypass authentication checks or extract unauthorized data. This affects only applications that explicitly enable sanitizeFilter and pass unsanitized user input directly into query methods while relying on sanitizeFilter for protection. Vendor-released patches are available for all supported release lines. No public exploit identified at time of analysis, though exploitation is straightforward for affected configurations.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42610 PHP MEDIUM PATCH GHSA This Month

Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.

Authentication Bypass PHP Information Disclosure CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42843 PHP HIGH PATCH GHSA This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44166 Go MEDIUM POC PATCH GHSA This Month

PocketBase versions before 0.22.42 and 0.30.0-0.37.3 allow account pre-hijacking via OAuth2 autolinking, where an attacker knowing a victim's email can create an unverified account linked to one OAuth2 provider, then retain access when the victim authenticates with a different provider and the accounts are auto-merged, because previous OAuth2 links are not cleared during the upgrade from unverified to verified status. Publicly available exploit code exists; vendor recommends immediate upgrade to v0.37.4 or v0.22.42.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-42303 PyPI MEDIUM PATCH GHSA This Month

Authentication bypass in Ethyca Fides allows administrators to unknowingly approve privacy erasure requests without identity verification when both subject identity verification and duplicate privacy request detection are enabled, resulting in unauthorized deletion of data subject records across all configured integrations. The vulnerability exploits a UI/UX flaw in the administrative interface that fails to clearly indicate unverified identity status on duplicate-classified requests, combined with a logic gap that processes unverified requests if approved by an admin. No public exploit code identified at time of analysis, but exploitation requires only an unauthenticated attacker with knowledge of a target's email address and access to the public Privacy Center.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-39402 MEDIUM PATCH This Month

Authorization bypass in LXC's setuid helper lxc-user-nic allows unprivileged users to delete OpenVSwitch-attached network interfaces belonging to other users. The vulnerability exists in the find_line() function's interface name comparison logic, which sets an authorization flag based on name match alone without re-verifying ownership, enabling a tenant to cause denial of service by disconnecting containers on shared infrastructure. This affects multi-tenant deployments using lxc-user-nic with OpenVSwitch bridges and is patched in LXC 7.0.0.

Authentication Bypass Denial Of Service Suse
NVD GitHub VulDB
CVSS 4.0
4.3
EPSS
0.0%
CVE-2026-41950 MEDIUM POC PATCH This Month

Dify before version 1.14.0 allows authenticated users to bypass authorization controls and read arbitrary files uploaded by other users within the same tenant by supplying unauthorized file UUIDs in chat-messages API requests. The vulnerability exploits insufficient permission verification on file access endpoints, enabling attackers to circumvent workspace separation and signed URL protections to retrieve sensitive file contents processed through workflows. Publicly available exploit code exists, and a vendor-released patch (version 1.14.0) is available.

Authentication Bypass Dify
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-33420 MEDIUM PATCH This Month

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full access permissions due to a missing authorization check on the get_org_collections_details endpoint. An authenticated Manager with accessAll=False and no collection assignments can retrieve collection names, UUIDs, and user-to-collection and group-to-collection mappings for all organization collections, representing a confidentiality breach of sensitive organizational structure data. The vulnerability is limited to authenticated users with specific role attributes and has been patched in version 1.35.5.

Authentication Bypass Vaultwarden
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42882 Go CRITICAL PATCH GHSA Act Now

Path traversal and authentication bypass in s3-proxy allows remote unauthenticated attackers to read, write, or delete objects in protected S3 namespaces via percent-encoded slashes (%2F) and dot-segment traversal. Three distinct bypass mechanisms exploit mismatches between encoded/decoded path handling: (1) wildcard glob patterns lacking path separators match across directory boundaries, (2) percent-encoded slashes collapse into decoded paths after authentication checks, and (3) dot-segment sequences bypass prefix-based access controls. Vendor-released patches available in commits 1320e4abd and af5ff57d. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible unauthenticated access, though exploitation requires specific resource path configurations using wildcards or prefix patterns.

Authentication Bypass Path Traversal
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-42565 npm MEDIUM PATCH GHSA This Month

Open redirect vulnerability in @workos/authkit-session allows unauthenticated remote attackers to redirect authenticated users to arbitrary external sites by crafting malicious OAuth state parameters. The AuthService.handleCallback function fails to validate the returnPathname value decoded from the state parameter, enabling attackers to embed external URLs (e.g., https://evil.com, //evil.com) that are returned directly in HTTP Location headers or client-side redirects. This facilitates phishing and social engineering attacks by leveraging trust in the legitimate domain. Patched in version 0.5.1.

Authentication Bypass Open Redirect
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42875 Go MEDIUM PATCH This Month

External Secrets Operator versions prior to 2.4.0 allow namespace isolation bypass when SecretStore resources use CAProvider with ConfigMap type and caProvider.namespace is set, enabling attackers to read CA material from ConfigMaps in other namespaces and infer the existence of sensitive resources across namespace boundaries. This violates multi-tenant trust boundaries in Kubernetes clusters by allowing one tenant to consume CA validation material owned by another namespace.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-27960 PyPI CRITICAL PATCH Act Now

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.

Authentication Bypass Privilege Escalation Opencti
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-41417 Maven MEDIUM PATCH This Month

HTTP request smuggling and RTSP request injection in Netty arise from incomplete input validation in DefaultHttpRequest and DefaultFullHttpRequest. When these objects are created with a safe URI and later modified via setUri() with attacker-controlled input, the setUri() method bypasses CRLF validation that is enforced in constructors. HttpRequestEncoder and RtspEncoder then serialize the malicious URI directly into request lines, allowing attackers to inject additional HTTP or RTSP requests. Vendor-released patches: 4.1.133.Final and 4.2.13.Final address the vulnerability by applying consistent validation in setUri().

Authentication Bypass Java Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42864 PyPI CRITICAL PATCH GHSA Act Now

Server-side request forgery combined with missing authentication in firefighter-incident Python package allows unauthenticated remote attackers to exfiltrate AWS IAM credentials from cloud metadata endpoints. The `/api/v2/firefighter/raid/jira_bot` endpoint accepts arbitrary URLs in the `attachments` parameter, fetches them server-side without validation, and uploads responses as Jira attachments — enabling SSRF against internal services including `http://169.254.169.254/` (AWS EC2 Instance Metadata Service). Vendor-released patch (version 0.0.54) enforces authentication and validates attachment URLs to block private/link-local/loopback addresses. No public exploit identified at time of analysis, but exploitation is trivial given detailed advisory with exact vulnerable code paths.

Authentication Bypass SSRF Atlassian
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-42856 npm HIGH PATCH GHSA This Week

Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.

Authentication Bypass Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-7844 LOW POC Monitor

Missing authentication in Langchain-Chatchat up to version 0.3.1.3 allows unauthenticated local network attackers to access and manipulate files through the Compatible File Service endpoints (files/list_files, retrieve_file, retrieve_file_content, delete_file) in openai_routes.py without credentials. The vulnerability has a publicly available proof-of-concept exploit and affects confidentiality, integrity, and availability of stored files, though impact is limited to low severity per CVSS scoring; however, the lack of authentication on file operations represents a significant security control failure.

Authentication Bypass Langchain Chatchat
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5766 PyPI MEDIUM PATCH This Month

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 allow remote attackers to bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit by submitting ASGI requests with missing or understated Content-Length headers, potentially loading large files into memory and causing denial of service through resource exhaustion. No active exploitation confirmed, but the vulnerability requires only network access and no authentication, making it trivially exploitable once the bypass is understood.

Authentication Bypass Python Suse Red Hat
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-28510 MEDIUM This Month

Multi-factor authentication bypass in eLabFTW through version 5.4.1 allows attackers with valid primary credentials to complete login using an attacker-controlled TOTP secret, circumventing the second factor requirement and gaining unauthorized account access. The vulnerability stems from inconsistent MFA state preservation across authentication steps. This issue is patched in version 5.4.2.

Authentication Bypass Elabftw
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-43573 npm MEDIUM PATCH This Month

Server-side request forgery policy bypass in OpenClaw npm package (versions < 2026.4.10) allows authenticated remote attackers to interact with or navigate to unauthorized targets through existing-session browser interaction routes. The vulnerability bypasses SSRF navigation guards in routes handling click, type, press, and evaluate actions, enabling cross-scope information disclosure. Vendor-released patch available in version 2026.4.10. No public exploit identified at time of analysis, though EPSS data not available. Reported by security researchers from KeenSecurityLab with detailed technical disclosure.

Authentication Bypass SSRF Openclaw
NVD GitHub
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-43572 npm MEDIUM PATCH This Month

OpenClaw versions 2026.4.10 through 2026.4.13 fail to enforce sender allowlist checks in the Microsoft Teams SSO invoke handler, allowing attackers to bypass authorization controls and access Teams SSO sign-in functionality without proper validation. The vulnerability affects unauthenticated remote attackers and has been patched in version 2026.4.14, which routes SSO invoke handling through the standard sender authorization path used by normal message handling.

Authentication Bypass Microsoft
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-43571 npm HIGH PATCH GHSA This Week

OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-43569 npm HIGH PATCH GHSA This Week

Authentication bypass in OpenClaw before 2026.4.9 enables untrusted workspace plugins to intercept provider authentication credentials during non-interactive onboarding. Malicious plugins can shadow legitimate provider authentication choices, causing the system to auto-enable attacker-controlled code and route sensitive API keys or credentials through untrusted handlers without user consent. Vendor-released patch available (v2026.4.9+). EPSS and KEV data not provided; exploitation requires user interaction (UI:P) and specific attack timing (AT:P), suggesting moderate real-world deployment complexity despite network attack vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43568 npm HIGH PATCH This Week

OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43567 npm HIGH PATCH This Week

Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.

Authentication Bypass Path Traversal Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43532 npm MEDIUM PATCH This Month

Path traversal in OpenClaw npm package allows authenticated attackers to expose confidential host-local files via Discord event cover image parameters. Versions 2026.4.7 through 2026.4.9 fail to normalize Discord event cover image paths through sandbox media processing, enabling attackers with low-privilege Discord bot credentials to bypass media sandboxing and inject host-local file references (e.g., file:///workspace/assets/event-cover.png) into channel actions expecting normalized media. This results in high confidentiality impact with scope change, as local filesystem paths outside the intended sandbox can be accessed. Vendor-released patch available (2026.4.10+). No active exploitation confirmed (not in CISA KEV), but public exploit code exists via GitHub commit and advisory.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-43530 npm HIGH PATCH GHSA This Week

Authenticated remote attackers can bypass exec approval mechanisms in OpenClaw npm package versions 2026.2.23 through 2026.4.11 by invoking busybox or toybox multi-call binaries. The vulnerability (CWE-863: Incorrect Authorization) allows attackers to obscure which applet will execute, weakening risk classification for unsafe operations like shell command injection via 'busybox awk BEGIN{system("id")}' or 'toybox ash -c'. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:L) indicates network-accessible exploitation by low-privileged authenticated users. Vendor-released patch available in version 2026.4.12. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond vendor-disclosed commit.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-43529 npm LOW PATCH Monitor

OpenClaw before 2026.4.10 allows local attackers with workspace write access to bypass boundary checks via a time-of-check-time-of-use race condition in the validateScriptFileForShellBleed function. An attacker can swap the target script file between validation and preflight read, causing the validator to inspect a different file than the one that passed the initial workspace boundary check, potentially leaking preflight metadata such as matched tokens or line numbers. No public exploit code identified at time of analysis; patch available in version 2026.4.10.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-43528 npm HIGH PATCH GHSA This Week

Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-42439 npm MEDIUM PATCH This Month

Server-side request forgery (SSRF) policy bypass in OpenClaw npm package allows authenticated remote attackers to perform unauthorized browser tab navigation operations, circumventing configured SSRF protections through the /tabs/action endpoint. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch version 2026.4.10 is available (confirmed by GitHub advisory GHSA-rj2p-j66c-mgqh and commit 48c0347). No public exploit identified at time of analysis, though EPSS data not available. The CVSS score of 8.5 with scope change (S:C) indicates potential for significant cross-boundary impact despite requiring low-privilege authentication.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-42438 npm MEDIUM PATCH This Month

Unauthorized local file disclosure in OpenClaw 2026.4.9 allows authenticated attackers with restricted sender/group permissions to bypass policy controls and read arbitrary host files through the media attachment path. Despite sender-scoped 'toolsBySender' or group policy denying read access, the outbound host-media attachment helper failed to honor these restrictions, enabling privilege escalation within multi-tenant deployments. Vendor-released patch available in version 2026.4.10 (commit c949af9) threads sender context through media access resolution to enforce policy boundaries correctly.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-42436 npm MEDIUM PATCH This Month

Authenticated users of OpenClaw (npm package) can bypass server-side request forgery (SSRF) protections to access internal or restricted web pages via browser snapshot, screenshot, and tab routes. The vulnerability exploits incomplete validation after route-driven navigation - while initial requests pass SSRF policy checks, the final browser target after navigation is not re-validated before content is captured and returned. This allows lateral movement to internal endpoints (e.g., cloud metadata services at 169.254.169.254) in environments with restrictive browser SSRF configurations. Vendor-released patch available in OpenClaw 2026.4.14. No active exploitation confirmed (not in CISA KEV), though public exploit code has not been independently verified.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-42435 npm HIGH PATCH This Week

Remote attackers with low-privilege authentication can inject environment variable assignments into OpenClaw 2026.2.22 through 2026.4.11 to bypass shell wrapper detection mechanisms. By manipulating critical shell variables like SHELLOPTS and PS4 at the argv level, attackers achieve high-impact code execution that circumvents security controls. Vendor-released patch available in version 2026.4.12. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosed this vulnerability with specific technical details and a GitHub commit fix.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42434 npm HIGH PATCH GHSA This Week

Sandbox escape in OpenClaw 2026.4.5 through 2026.4.9 allows low-privileged remote attackers to bypass sandbox boundaries and route code execution to arbitrary remote nodes by overriding exec routing parameters with host=node. This breaks sandboxed agent isolation, enabling privilege escalation and unauthorized access to production infrastructure. VulnCheck publicly disclosed this vulnerability with vendor patch available (commit dffad08). No active exploitation (CISA KEV) confirmed, but public disclosure increases exploitation risk for organizations running vulnerable OpenClaw agent deployments.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-42433 npm HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.4.10 allows low-privileged authenticated users with operator.write permissions to mutate persistent Matrix profile configurations that should require admin-level authority. Exploitation enables unauthorized modification of system-wide profile settings through message-tool paths, bypassing role-based access controls (CVSS:4.0 7.1 High, VI:H). Vendor patch available via GitHub commit fe0f686c. No confirmed active exploitation or public POC identified at time of analysis, with EPSS data not yet available for this 2026 CVE.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2023-54347 HIGH POC This Week

OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Openemr
NVD Exploit-DB GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2023-54344 CRITICAL POC Act Now

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Osgi
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54342 CRITICAL POC Act Now

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-42611 MEDIUM This Month

RouterOS fails to properly validate certificate scope across its shared system certificate store, allowing any trusted certificate authority to authenticate in contexts beyond its intended scope. This vulnerability enables partial or full authentication bypass in OpenVPN, CAPsMAN, and 802.1X (Dot1x) services, affecting all RouterOS versions that use the vulnerable shared certificate validation logic. The vulnerability requires network access but no user interaction or authentication, making it remotely exploitable against default configurations.

Authentication Bypass Mikrotik
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3601 MEDIUM This Month

The User Registration & Membership plugin for WordPress versions up to 5.1.4 allows authenticated attackers with Contributor-level access to append shortcode content to arbitrary pages without authorization due to a missing capability check in the embed_form_action() AJAX function. This enables privilege escalation where lower-privileged users can inject content into posts and pages owned by other users or administrators, potentially defacing sites or injecting malicious content.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2729 MEDIUM This Month

Forminator plugin for WordPress versions up to 1.52.0 allows unauthenticated attackers to bypass payment authorization by reusing previously succeeded Stripe PaymentIntent identifiers, enabling submission of high-value paid forms at no cost or reduced cost through payment bypass. The vulnerability affects the public payment processing flow where the plugin fails to verify that the attacker owns or is authorized to use a supplied PaymentIntent, making it possible to complete forms without proper payment validation.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3454 MEDIUM This Month

GenerateBlocks plugin for WordPress up to version 2.2.0 fails to verify object-level authorization on the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, allowing authenticated Contributor-level users to extract sensitive information from arbitrary posts including author email addresses and post meta values through crafted dynamic tag payloads. The vulnerability checks only for edit_posts capability but does not verify access to specific posts, exposing confidential data across the entire site to low-privilege authenticated users.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6180 MEDIUM PATCH This Month

Race condition in PaperCut MF badge-swipe processing from HP multifunction devices allows unauthorized user login when custom badge-ID post-processing scripts transform truncated badge strings into valid credentials of different users. The vulnerability requires specific network conditions (dropped packets, out-of-order sequence counters, failed sequence reset notifications) and custom script configuration, affecting physical device authentication in networked printing environments. No public exploit identified at time of analysis.

Authentication Bypass HP
NVD VulDB
CVSS 4.0
4.1
EPSS
0.0%
CVE-2026-4362 MEDIUM This Month

ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.

Authentication Bypass WordPress Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-5294 CRITICAL Act Now

Remote code execution in Geeky Bot WordPress plugin versions ≤1.2.2 allows unauthenticated attackers to install arbitrary plugins and execute code on affected sites. The vulnerability exploits a missing authorization check in a nopriv AJAX handler that permits attacker-controlled function dispatch to a plugin installer, enabling download and extraction of malicious ZIP files directly into wp-content/plugins/. With CVSS 9.8 (critical), network-exploitable without authentication, and EPSS data unavailable, this represents a severe risk to all WordPress sites running vulnerable versions until patched.

Authentication Bypass RCE WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-5722 CRITICAL Act Now

Authentication bypass in MoreConvert Pro for WordPress allows remote unauthenticated attackers to hijack any user account, including administrators, by exploiting token reuse in the guest waitlist verification flow. Attackers obtain a verification token for their own email, change the guest customer email to the target victim's email via the public waitlist API, then use the original token to authenticate as the victim. This critical vulnerability (CVSS 9.8) affects all versions through 1.9.14, with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-34408 CRITICAL Act Now

Password reset bypass in Gambio GX4 e-commerce platform allows remote unauthenticated attackers to set arbitrary passwords for any user account when the account ID is known, leading to complete account takeover. Affects versions 4.0.0.0 through 4.9.2.0, patched in February 2024 security update (2024-02 v1.0.0). SSVC framework rates this as automatable with total technical impact despite EPSS score of 0.02%, indicating high severity for targeted attacks against Gambio installations. No active exploitation confirmed via CISA KEV, but authentication bypass primitives are frequently weaponized in e-commerce platforms.

Authentication Bypass N A
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2024-52911 HIGH This Week

Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7782 LOW POC Monitor

Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-42257 Ruby MEDIUM PATCH GHSA This Month

Command injection in net-imap library allows attackers to inject arbitrary IMAP commands by supplying unvalidated user input to multiple methods that send raw, unescaped strings to the IMAP server. The #search, #uid_search, #fetch, #uid_fetch, #store, #uid_store, and #setquota methods accept string arguments that bypass normal validation and encoding, enabling CRLF injection to break command context. Applications that dynamically construct search criteria, fetch attributes, or quota limits from user input are at significant risk; a developer passing unsanitized input could allow an attacker to append malicious IMAP commands such as DELETE or other state-modifying operations.

Authentication Bypass Command Injection CSRF Suse
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-42571 Go CRITICAL PATCH GHSA Act Now

Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Authentication Bypass Privilege Escalation Denial Of Service Information Disclosure
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-42569 PHP CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote attackers can trigger complete database wipes and data deletion in phpVMS 7.x through 7.0.5 by accessing an exposed legacy importer endpoint at /importer. The vulnerability stems from deprecated import functionality that remained publicly accessible without authentication checks, allowing remote data modification or destruction. Vendor-released patch (v7.0.6) confirmed via GitHub advisory GHSA-fv26-4939-62fh. No CISA KEV listing or public exploit code identified at time of analysis, but trivial exploitation (CVSS AV:N/AC:L/PR:N/UI:N) makes active targeting likely.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-41901 Maven CRITICAL PATCH GHSA Act Now

Server-Side Template Injection (SSTI) in Thymeleaf 3.1.4.RELEASE and earlier allows remote attackers to execute arbitrary code via specially crafted expressions that bypass the template engine's sandbox restrictions. Applications passing unsanitized user input to sandboxed template contexts are vulnerable to full server compromise. Vendor-released patch is available in version 3.1.5.RELEASE. The CVSS 9.0 CRITICAL rating reflects the potential for remote code execution with high confidentiality, integrity, and availability impact, though the AC:H (high attack complexity) indicates exploitation requires specific application patterns where user input flows directly into sandboxed template contexts without validation.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-41893 npm HIGH PATCH GHSA This Week

Credential brute-forcing in Signal K Server versions ≤2.24.0 allows remote unauthenticated attackers to bypass HTTP login rate limiting by sending unlimited password guesses through the WebSocket authentication endpoint at approximately 20 attempts per second. The HTTP login endpoints are protected by express-rate-limit (default: 100 attempts per 10-minute window), but the WebSocket path processes login requests without any throttling, enabling dictionary attacks to complete in minutes. Publicly available exploit code exists demonstrating the bypass technique. Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN, increasing exposure risk.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41888 Go MEDIUM PATCH GHSA This Month

Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.

Authentication Bypass Denial Of Service Docker Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-42296 Go HIGH PATCH GHSA This Week

Argo Workflows v3 (< 3.7.14) and v4 (< 4.0.5) allow users to bypass templateReferencing Strict/Secure mode restrictions by setting WorkflowSpec fields like hostNetwork, serviceAccountName, securityContext, tolerations, and volumes. The incomplete fix for CVE-2026-31892 only blocked podSpecPatch but left other security-sensitive fields unvalidated. Authenticated users with create Workflow permission can inject host network access, switch service accounts, modify pod security contexts, or schedule on control-plane nodes despite referencing hardened WorkflowTemplates. Vendor-released patch: v3.7.14 and v4.0.5 (commit 2727f3f). No public exploit identified at time of analysis, but exploitation is straightforward given detailed reproduction steps in the advisory.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42222 Go HIGH GHSA This Week

Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42221 Go HIGH PATCH GHSA This Week

Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42297 Go HIGH PATCH GHSA This Week

Missing authorization checks in Argo Workflows v4.0.0-4.0.4 allow any authenticated user-even those with fake Bearer tokens-to create, read, update, and delete Kubernetes ConfigMaps containing workflow synchronization limits. The ConfigMap-backed sync provider (server/sync/sync_cm.go) completely omits auth.CanI permission validation on all four CRUD endpoints. Publicly available exploit code exists (detailed PoC in advisory). CVSS 8.5 reflects network-accessible authentication bypass enabling high integrity/availability impact through denial-of-service and arbitrary ConfigMap manipulation. Patch released in version 4.0.5 adding checkConfigMapPermission() calls to validate Kubernetes RBAC before operations.

Authentication Bypass Denial Of Service Information Disclosure Kubernetes
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42051 PHP MEDIUM PATCH GHSA This Month

Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42174 PHP MEDIUM PATCH GHSA This Month

Missing authorization in Kirby CMS allows authenticated users with file permissions to create, replace, or delete user avatars regardless of whether they hold the required user.update or users.update permissions. This authorization bypass affects Kirby versions up to 4.8.0 and 5.0.0 through 5.3.3, with patches available in Kirby 4.9.0 and 5.4.0. No public exploit code has been identified, and active exploitation is not confirmed.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42069 PHP HIGH PATCH GHSA This Week

Missing authorization in Kirby CMS allows authenticated Panel users to access sensitive site configuration, user data, and role information regardless of configured permission restrictions. Authenticated attackers with low-privilege Panel accounts can enumerate all users, access the site model, and view role configurations including permission settings-even when site administrators explicitly disabled these capabilities via wildcard permission denial ('*': false). Vendor-released patches in versions 4.9.0 and 5.4.0 add missing permission gates for site.access, user.access/users.access, user.list/users.list, and role information. No public exploit identified at time of analysis, but exploitation requires only authenticated Panel access with network connectivity.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40243 Go LOW PATCH GHSA Monitor

Broken TLS certificate verification in Incus OVN database connections accepts peer-supplied certificate roots instead of anchoring trust in the configured CA certificate, allowing an attacker positioned on the management network to impersonate the OVN northbound or southbound database. While mTLS prevents full man-in-the-middle attacks and OVN control planes typically run on the same servers as Incus (limiting network attack surface), the flaw collapses the intended CA-based authentication boundary on critical control-plane database connections. Affected versions below 7.0.0 are vulnerable; no active exploitation confirmed in CISA KEV at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41471 HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-32834 HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-39852 Maven HIGH PATCH GHSA This Week

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Site isolation bypass in Google Chrome prior to version 148.0.7778.96 allows a remote attacker with a compromised renderer process to circumvent Chrome's site isolation security boundary through a crafted HTML page. The vulnerability requires user interaction and a pre-compromised renderer, limiting real-world impact despite being triggered remotely. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 3.9
LOW Monitor

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenticated users with user interaction to make unauthorized modifications to critical system components. The vulnerability requires administrative privileges and user consent (CVSS:3.1/AV:N/AC:H/PR:H/UI:R), resulting in limited confidentiality, integrity, and availability impacts. No active exploitation has been publicly reported.

Authentication Bypass Bigfix Service Management Sm
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to access the /cdemos/echs/api/v2/patient-records API endpoint and retrieve sensitive patient information. Publicly available exploit code exists for this vulnerability. The vendor released patched version 5.7.1 to address the issue.

Authentication Bypass E Clinic Healthcare System Echs
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated control-panel users in Craft CMS 5.x can enumerate asset filenames and complete folder hierarchies (volume handles, UIDs, folder names, URIs) across all volumes by sending arbitrary asset IDs to the AssetsController::actionShowInFolder endpoint, bypassing volume-level viewAssets and viewPeerAssets permission checks. The flaw stems from an incomplete February 2026 patch wave that fixed four sibling endpoints but missed this method, introduced 13 days before the patch release. No public exploit identified at time of analysis; vendor-released patch fixes 5.9.18 and later. This information disclosure vulnerability enables reconnaissance for follow-up attacks against restricted asset volumes.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping-a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.

Authentication Bypass Docker PHP
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Cisco
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Token validation flaw in Auth0.js SDK versions 8.11.0 through 9.32.0 allows authenticated attackers to retrieve user profile information by submitting a valid access token alongside a crafted invalid ID token, bypassing access control rules defined in Auth0 Actions. The vulnerability affects applications that depend on Auth0 Actions for authorization decisions, potentially exposing sensitive user profile data to attackers holding valid but insufficiently privileged access tokens. Vendor-released patch available in version 10.0.0, discovered through coordinated disclosure by security researcher Quan Le.

Authentication Bypass Auth0
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.

Authentication Bypass Cisco Cisco Iot Field Network Director Iot Fnd
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cisco Prime Infrastructure log file download functionality fails to enforce proper authorization checks, allowing authenticated remote attackers to download arbitrary log files beyond their access level. An attacker with valid web management interface credentials can submit crafted URL requests to the affected download service API to retrieve sensitive logs, resulting in confidential information disclosure. CVSS score of 4.3 reflects low immediate impact but legitimate data exposure risk for organizations using this management platform.

Authentication Bypass Cisco Cisco Prime Infrastructure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cisco Identity Services Engine allows authenticated read-only administrators to bypass role-based access control on RADIUS Policy API endpoints and gain unauthorized read access to sensitive policy details through direct API calls. The vulnerability affects ISE software across versions due to improper RBAC enforcement on API endpoints, enabling privilege escalation from read-only to unauthorized data disclosure. CVSS score is 4.3 with low attack complexity, but exploitation requires valid administrative credentials.

Authentication Bypass Cisco Cisco Identity Services Engine Software
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Velociraptor versions prior to 0.76.4 allow authenticated users with reader role in the root organization to bypass cross-organization authorization controls via HTTP API GET requests, enabling them to read arbitrary files from other organizations regardless of their permissions in those target organizations. The vulnerability requires high privilege context (authenticated reader in root org) but has high confidentiality impact across organization boundaries. This is a horizontal privilege escalation affecting multi-tenant deployments where organizational isolation is a critical security boundary.

Authentication Bypass Suse
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the application to known security weaknesses. Authenticated local attackers with high complexity conditions can achieve limited information disclosure and integrity compromise (CVSS 4.6). No active exploitation or public POC identified at time of analysis.

Authentication Bypass Information Disclosure Bigfix Service Management Sm
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in FlowiseAI Flowise up to version 3.0.12 allows authenticated users to manipulate userId, organizationId, workspaceId, and email parameters in the User Controller Handler, potentially gaining unauthorized access to other users' data or organizational resources. The vulnerability requires valid user authentication and remote network access, resulting in confidentiality impact with low attack complexity. No active exploitation in CISA KEV has been confirmed at time of analysis.

Authentication Bypass Flowise
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

TCP connections through veth interfaces with XDP programs can enter a permanent deadlock state where sender and receiver sequence numbers desynchronize, causing all traffic to stall indefinitely. The vulnerability stems from improper error code handling in GSO (Generic Segmentation Offload) frame transmission when individual segments within a GSO super-frame fail - TCP interprets partial segment loss as complete frame loss, advancing receiver state without sender acknowledgment. Affects Linux kernel versions from 3.18 through 6.19.x with patches available across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation (KEV) or public exploit code has been identified at time of analysis.

Authentication Bypass Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.

Authentication Bypass Dfxanalytics
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.

Authentication Bypass Denial Of Service WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in All-in-One WP Migration Unlimited Extension for WordPress versions up to 2.83 allows authenticated subscribers to create scheduled export jobs without capability verification, enabling attackers to exfiltrate full site backups by redirecting notifications to attacker-controlled email addresses and leveraging exposed backup filenames for download. This results in complete site data disclosure including sensitive information accessible to low-privilege authenticated users.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can retrieve PIX payment QR code images for arbitrary WooCommerce orders via the unprotected 'mp_pix_image' API endpoint in Mercado Pago payments for WooCommerce plugin versions up to 8.7.11, exposing sensitive merchant data including PIX keys, transaction amounts, merchant identity, and Mercado Pago transaction references. The vulnerability requires no authentication, user interaction, or special configuration, and exploits a missing capability check in the WordPress REST API handler. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Authorization bypass in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows authenticated low-privilege users to retrieve complete ACL policies, roles, and permissions for any user across all organizations by supplying targeted Name and Org parameters. The vulnerability affects any organization running vulnerable versions where users have valid authentication credentials, enabling privilege escalation through unauthorized access to sensitive authorization metadata.

Authentication Bypass Velociraptor
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC Monitor

Remote unauthenticated attackers can retrieve plaintext administrator passwords and WLAN Pre-Shared Keys from ZTE ZXHN H298A (firmware 1.1) and H108N (firmware 2.6) routers via crafted HTTP requests to the web management interface. The vulnerability enables complete network compromise through credential theft without requiring authentication. Public exploit code exists (GitHub Gist), demonstrating active researcher interest, though no CISA KEV listing indicates targeted rather than widespread exploitation. EPSS data unavailable, but the combination of network attack vector, no authentication requirement, and credential exposure presents immediate risk to affected deployments.

Authentication Bypass Zte Information Disclosure
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Authenticated users in ArcadeDB server versions prior to 26.4.2 can bypass database-scoped authorization and perform read, write, and schema mutation operations across all databases on the same server instance. Two critical implementation flaws combine: uninitialized file access maps treated as allow-all permissions, and newly-created databases via API POST /api/v1/server silently disabling their entire record-level authorization system through omitted security factory configuration. Vendor-released patch 26.4.2 addresses both defects. No public exploit identified at time of analysis, though CVSS 9.0 reflects severe authorization breakdown requiring only low-privilege authenticated access.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.

Authentication Bypass PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.

Authentication Bypass Oracle CSRF +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Kubewarden versions before 1.35.0 permit RBAC reconnaissance attacks when users with AdmissionPolicy or AdmissionPolicyGroup creation privileges craft policies using the unchecked `can_i` host capability. The vulnerability allows enumeration of any user or service account permissions across the cluster via SubjectAccessReview requests executed with policy-server privileges, despite the absence of context-aware resource grants. This information disclosure enables attackers to discover sensitive permission configurations without requiring cluster-wide policy creation rights, a capability not available by default but exploitable when granted.

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in Mongoose 6.x-9.x allows remote attackers to inject malicious MongoDB query operators via the $nor clause when sanitizeFilter is enabled. The vulnerability exists because Mongoose's sanitizeFilter mechanism fails to recursively sanitize the $nor logical operator, allowing injection of operators like $ne, $gt, or $regex that bypass authentication checks or extract unauthorized data. This affects only applications that explicitly enable sanitizeFilter and pass unsanitized user input directly into query methods while relying on sanitizeFilter for protection. Vendor-released patches are available for all supported release lines. No public exploit identified at time of analysis, though exploitation is straightforward for affected configurations.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.

Authentication Bypass PHP Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Grav API Plugin (versions < 1.0.0-beta.15) allows any authenticated user with basic 'api.access' permission to elevate themselves to Super Administrator by sending a crafted PATCH request to modify their own permission configuration. The vulnerability, confirmed by vendor GitHub Security Advisory GHSA-r945-h4vm-h736, stems from inadequate authorization checks in the UsersController::update method, which permits self-editing users to overwrite the 'access' field containing role definitions. Successful exploitation grants complete CMS control including the ability to edit Twig templates outside sandbox restrictions for remote code execution. A detailed proof-of-concept is publicly available, and vendor-released patch is confirmed in version 1.0.0-beta.15.

Authentication Bypass Privilege Escalation PHP
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

PocketBase versions before 0.22.42 and 0.30.0-0.37.3 allow account pre-hijacking via OAuth2 autolinking, where an attacker knowing a victim's email can create an unverified account linked to one OAuth2 provider, then retain access when the victim authenticates with a different provider and the accounts are auto-merged, because previous OAuth2 links are not cleared during the upgrade from unverified to verified status. Publicly available exploit code exists; vendor recommends immediate upgrade to v0.37.4 or v0.22.42.

Authentication Bypass Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Authentication bypass in Ethyca Fides allows administrators to unknowingly approve privacy erasure requests without identity verification when both subject identity verification and duplicate privacy request detection are enabled, resulting in unauthorized deletion of data subject records across all configured integrations. The vulnerability exploits a UI/UX flaw in the administrative interface that fails to clearly indicate unverified identity status on duplicate-classified requests, combined with a logic gap that processes unverified requests if approved by an admin. No public exploit code identified at time of analysis, but exploitation requires only an unauthenticated attacker with knowledge of a target's email address and access to the public Privacy Center.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in LXC's setuid helper lxc-user-nic allows unprivileged users to delete OpenVSwitch-attached network interfaces belonging to other users. The vulnerability exists in the find_line() function's interface name comparison logic, which sets an authorization flag based on name match alone without re-verifying ownership, enabling a tenant to cause denial of service by disconnecting containers on shared infrastructure. This affects multi-tenant deployments using lxc-user-nic with OpenVSwitch bridges and is patched in LXC 7.0.0.

Authentication Bypass Denial Of Service Suse
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Dify before version 1.14.0 allows authenticated users to bypass authorization controls and read arbitrary files uploaded by other users within the same tenant by supplying unauthorized file UUIDs in chat-messages API requests. The vulnerability exploits insufficient permission verification on file access endpoints, enabling attackers to circumvent workspace separation and signed URL protections to retrieve sensitive file contents processed through workflows. Publicly available exploit code exists, and a vendor-released patch (version 1.14.0) is available.

Authentication Bypass Dify
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Vaultwarden versions 1.35.4 and earlier expose organization collection metadata to Manager-role users lacking full access permissions due to a missing authorization check on the get_org_collections_details endpoint. An authenticated Manager with accessAll=False and no collection assignments can retrieve collection names, UUIDs, and user-to-collection and group-to-collection mappings for all organization collections, representing a confidentiality breach of sensitive organizational structure data. The vulnerability is limited to authenticated users with specific role attributes and has been patched in version 1.35.5.

Authentication Bypass Vaultwarden
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Path traversal and authentication bypass in s3-proxy allows remote unauthenticated attackers to read, write, or delete objects in protected S3 namespaces via percent-encoded slashes (%2F) and dot-segment traversal. Three distinct bypass mechanisms exploit mismatches between encoded/decoded path handling: (1) wildcard glob patterns lacking path separators match across directory boundaries, (2) percent-encoded slashes collapse into decoded paths after authentication checks, and (3) dot-segment sequences bypass prefix-based access controls. Vendor-released patches available in commits 1320e4abd and af5ff57d. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible unauthenticated access, though exploitation requires specific resource path configurations using wildcards or prefix patterns.

Authentication Bypass Path Traversal
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Open redirect vulnerability in @workos/authkit-session allows unauthenticated remote attackers to redirect authenticated users to arbitrary external sites by crafting malicious OAuth state parameters. The AuthService.handleCallback function fails to validate the returnPathname value decoded from the state parameter, enabling attackers to embed external URLs (e.g., https://evil.com, //evil.com) that are returned directly in HTTP Location headers or client-side redirects. This facilitates phishing and social engineering attacks by leveraging trust in the legitimate domain. Patched in version 0.5.1.

Authentication Bypass Open Redirect
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

External Secrets Operator versions prior to 2.4.0 allow namespace isolation bypass when SecretStore resources use CAProvider with ConfigMap type and caProvider.namespace is set, enabling attackers to read CA material from ConfigMaps in other namespaces and infer the existence of sensitive resources across namespace boundaries. This violates multi-tenant trust boundaries in Kubernetes clusters by allowing one tenant to consume CA validation material owned by another namespace.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.

Authentication Bypass Privilege Escalation Opencti
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTTP request smuggling and RTSP request injection in Netty arise from incomplete input validation in DefaultHttpRequest and DefaultFullHttpRequest. When these objects are created with a safe URI and later modified via setUri() with attacker-controlled input, the setUri() method bypasses CRLF validation that is enforced in constructors. HttpRequestEncoder and RtspEncoder then serialize the malicious URI directly into request lines, allowing attackers to inject additional HTTP or RTSP requests. Vendor-released patches: 4.1.133.Final and 4.2.13.Final address the vulnerability by applying consistent validation in setUri().

Authentication Bypass Java Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Server-side request forgery combined with missing authentication in firefighter-incident Python package allows unauthenticated remote attackers to exfiltrate AWS IAM credentials from cloud metadata endpoints. The `/api/v2/firefighter/raid/jira_bot` endpoint accepts arbitrary URLs in the `attachments` parameter, fetches them server-side without validation, and uploads responses as Jira attachments — enabling SSRF against internal services including `http://169.254.169.254/` (AWS EC2 Instance Metadata Service). Vendor-released patch (version 0.0.54) enforces authentication and validates attachment URLs to block private/link-local/loopback addresses. No public exploit identified at time of analysis, but exploitation is trivial given detailed advisory with exact vulnerable code paths.

Authentication Bypass SSRF Atlassian
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.

Authentication Bypass Docker
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Missing authentication in Langchain-Chatchat up to version 0.3.1.3 allows unauthenticated local network attackers to access and manipulate files through the Compatible File Service endpoints (files/list_files, retrieve_file, retrieve_file_content, delete_file) in openai_routes.py without credentials. The vulnerability has a publicly available proof-of-concept exploit and affects confidentiality, integrity, and availability of stored files, though impact is limited to low severity per CVSS scoring; however, the lack of authentication on file operations represents a significant security control failure.

Authentication Bypass Langchain Chatchat
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 allow remote attackers to bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit by submitting ASGI requests with missing or understated Content-Length headers, potentially loading large files into memory and causing denial of service through resource exhaustion. No active exploitation confirmed, but the vulnerability requires only network access and no authentication, making it trivially exploitable once the bypass is understood.

Authentication Bypass Python Suse +1
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Multi-factor authentication bypass in eLabFTW through version 5.4.1 allows attackers with valid primary credentials to complete login using an attacker-controlled TOTP secret, circumventing the second factor requirement and gaining unauthorized account access. The vulnerability stems from inconsistent MFA state preservation across authentication steps. This issue is patched in version 5.4.2.

Authentication Bypass Elabftw
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery policy bypass in OpenClaw npm package (versions < 2026.4.10) allows authenticated remote attackers to interact with or navigate to unauthorized targets through existing-session browser interaction routes. The vulnerability bypasses SSRF navigation guards in routes handling click, type, press, and evaluate actions, enabling cross-scope information disclosure. Vendor-released patch available in version 2026.4.10. No public exploit identified at time of analysis, though EPSS data not available. Reported by security researchers from KeenSecurityLab with detailed technical disclosure.

Authentication Bypass SSRF Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw versions 2026.4.10 through 2026.4.13 fail to enforce sender allowlist checks in the Microsoft Teams SSO invoke handler, allowing attackers to bypass authorization controls and access Teams SSO sign-in functionality without proper validation. The vulnerability affects unauthenticated remote attackers and has been patched in version 2026.4.14, which routes SSO invoke handling through the standard sender authorization path used by normal message handling.

Authentication Bypass Microsoft
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authentication bypass in OpenClaw before 2026.4.9 enables untrusted workspace plugins to intercept provider authentication credentials during non-interactive onboarding. Malicious plugins can shadow legitimate provider authentication choices, causing the system to auto-enable attacker-controlled code and route sensitive API keys or credentials through untrusted handlers without user consent. Vendor-released patch available (v2026.4.9+). EPSS and KEV data not provided; exploitation requires user interaction (UI:P) and specific attack timing (AT:P), suggesting moderate real-world deployment complexity despite network attack vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.

Authentication Bypass Path Traversal Openclaw
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Path traversal in OpenClaw npm package allows authenticated attackers to expose confidential host-local files via Discord event cover image parameters. Versions 2026.4.7 through 2026.4.9 fail to normalize Discord event cover image paths through sandbox media processing, enabling attackers with low-privilege Discord bot credentials to bypass media sandboxing and inject host-local file references (e.g., file:///workspace/assets/event-cover.png) into channel actions expecting normalized media. This results in high confidentiality impact with scope change, as local filesystem paths outside the intended sandbox can be accessed. Vendor-released patch available (2026.4.10+). No active exploitation confirmed (not in CISA KEV), but public exploit code exists via GitHub commit and advisory.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authenticated remote attackers can bypass exec approval mechanisms in OpenClaw npm package versions 2026.2.23 through 2026.4.11 by invoking busybox or toybox multi-call binaries. The vulnerability (CWE-863: Incorrect Authorization) allows attackers to obscure which applet will execute, weakening risk classification for unsafe operations like shell command injection via 'busybox awk BEGIN{system("id")}' or 'toybox ash -c'. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:L) indicates network-accessible exploitation by low-privileged authenticated users. Vendor-released patch available in version 2026.4.12. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond vendor-disclosed commit.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OpenClaw before 2026.4.10 allows local attackers with workspace write access to bypass boundary checks via a time-of-check-time-of-use race condition in the validateScriptFileForShellBleed function. An attacker can swap the target script file between validation and preflight read, causing the validator to inspect a different file than the one that passed the initial workspace boundary check, potentially leaking preflight metadata such as matched tokens or line numbers. No public exploit code identified at time of analysis; patch available in version 2026.4.10.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery (SSRF) policy bypass in OpenClaw npm package allows authenticated remote attackers to perform unauthorized browser tab navigation operations, circumventing configured SSRF protections through the /tabs/action endpoint. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch version 2026.4.10 is available (confirmed by GitHub advisory GHSA-rj2p-j66c-mgqh and commit 48c0347). No public exploit identified at time of analysis, though EPSS data not available. The CVSS score of 8.5 with scope change (S:C) indicates potential for significant cross-boundary impact despite requiring low-privilege authentication.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Unauthorized local file disclosure in OpenClaw 2026.4.9 allows authenticated attackers with restricted sender/group permissions to bypass policy controls and read arbitrary host files through the media attachment path. Despite sender-scoped 'toolsBySender' or group policy denying read access, the outbound host-media attachment helper failed to honor these restrictions, enabling privilege escalation within multi-tenant deployments. Vendor-released patch available in version 2026.4.10 (commit c949af9) threads sender context through media access resolution to enforce policy boundaries correctly.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Authenticated users of OpenClaw (npm package) can bypass server-side request forgery (SSRF) protections to access internal or restricted web pages via browser snapshot, screenshot, and tab routes. The vulnerability exploits incomplete validation after route-driven navigation - while initial requests pass SSRF policy checks, the final browser target after navigation is not re-validated before content is captured and returned. This allows lateral movement to internal endpoints (e.g., cloud metadata services at 169.254.169.254) in environments with restrictive browser SSRF configurations. Vendor-released patch available in OpenClaw 2026.4.14. No active exploitation confirmed (not in CISA KEV), though public exploit code has not been independently verified.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote attackers with low-privilege authentication can inject environment variable assignments into OpenClaw 2026.2.22 through 2026.4.11 to bypass shell wrapper detection mechanisms. By manipulating critical shell variables like SHELLOPTS and PS4 at the argv level, attackers achieve high-impact code execution that circumvents security controls. Vendor-released patch available in version 2026.4.12. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosed this vulnerability with specific technical details and a GitHub commit fix.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Sandbox escape in OpenClaw 2026.4.5 through 2026.4.9 allows low-privileged remote attackers to bypass sandbox boundaries and route code execution to arbitrary remote nodes by overriding exec routing parameters with host=node. This breaks sandboxed agent isolation, enabling privilege escalation and unauthorized access to production infrastructure. VulnCheck publicly disclosed this vulnerability with vendor patch available (commit dffad08). No active exploitation (CISA KEV) confirmed, but public disclosure increases exploitation risk for organizations running vulnerable OpenClaw agent deployments.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.4.10 allows low-privileged authenticated users with operator.write permissions to mutate persistent Matrix profile configurations that should require admin-level authority. Exploitation enables unauthorized modification of system-wide profile settings through message-tool paths, bypassing role-based access controls (CVSS:4.0 7.1 High, VI:H). Vendor patch available via GitHub commit fe0f686c. No confirmed active exploitation or public POC identified at time of analysis, with EPSS data not yet available for this 2026 CVE.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Openemr
NVD Exploit-DB GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Osgi
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java RCE
NVD Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM This Month

RouterOS fails to properly validate certificate scope across its shared system certificate store, allowing any trusted certificate authority to authenticate in contexts beyond its intended scope. This vulnerability enables partial or full authentication bypass in OpenVPN, CAPsMAN, and 802.1X (Dot1x) services, affecting all RouterOS versions that use the vulnerable shared certificate validation logic. The vulnerability requires network access but no user interaction or authentication, making it remotely exploitable against default configurations.

Authentication Bypass Mikrotik
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The User Registration & Membership plugin for WordPress versions up to 5.1.4 allows authenticated attackers with Contributor-level access to append shortcode content to arbitrary pages without authorization due to a missing capability check in the embed_form_action() AJAX function. This enables privilege escalation where lower-privileged users can inject content into posts and pages owned by other users or administrators, potentially defacing sites or injecting malicious content.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Forminator plugin for WordPress versions up to 1.52.0 allows unauthenticated attackers to bypass payment authorization by reusing previously succeeded Stripe PaymentIntent identifiers, enabling submission of high-value paid forms at no cost or reduced cost through payment bypass. The vulnerability affects the public payment processing flow where the plugin fails to verify that the attacker owns or is authorized to use a supplied PaymentIntent, making it possible to complete forms without proper payment validation.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

GenerateBlocks plugin for WordPress up to version 2.2.0 fails to verify object-level authorization on the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, allowing authenticated Contributor-level users to extract sensitive information from arbitrary posts including author email addresses and post meta values through crafted dynamic tag payloads. The vulnerability checks only for edit_posts capability but does not verify access to specific posts, exposing confidential data across the entire site to low-privilege authenticated users.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Race condition in PaperCut MF badge-swipe processing from HP multifunction devices allows unauthorized user login when custom badge-ID post-processing scripts transform truncated badge strings into valid credentials of different users. The vulnerability requires specific network conditions (dropped packets, out-of-order sequence counters, failed sequence reset notifications) and custom script configuration, affecting physical device authentication in networked printing environments. No public exploit identified at time of analysis.

Authentication Bypass HP
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.

Authentication Bypass WordPress Elementor
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Geeky Bot WordPress plugin versions ≤1.2.2 allows unauthenticated attackers to install arbitrary plugins and execute code on affected sites. The vulnerability exploits a missing authorization check in a nopriv AJAX handler that permits attacker-controlled function dispatch to a plugin installer, enabling download and extraction of malicious ZIP files directly into wp-content/plugins/. With CVSS 9.8 (critical), network-exploitable without authentication, and EPSS data unavailable, this represents a severe risk to all WordPress sites running vulnerable versions until patched.

Authentication Bypass RCE WordPress
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in MoreConvert Pro for WordPress allows remote unauthenticated attackers to hijack any user account, including administrators, by exploiting token reuse in the guest waitlist verification flow. Attackers obtain a verification token for their own email, change the guest customer email to the target victim's email via the public waitlist API, then use the original token to authenticate as the victim. This critical vulnerability (CVSS 9.8) affects all versions through 1.9.14, with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Password reset bypass in Gambio GX4 e-commerce platform allows remote unauthenticated attackers to set arbitrary passwords for any user account when the account ID is known, leading to complete account takeover. Affects versions 4.0.0.0 through 4.9.2.0, patched in February 2024 security update (2024-02 v1.0.0). SSVC framework rates this as automatable with total technical impact despite EPSS score of 0.02%, indicating high severity for targeted attacks against Gambio installations. No active exploitation confirmed via CISA KEV, but authentication bypass primitives are frequently weaponized in e-commerce platforms.

Authentication Bypass N A
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in CodeCanyon Perfex CRM up to 3.4.1 allows authenticated remote attackers to access projects belonging to other tenants via manipulation of the ID parameter in the Clients::project function. The vulnerability requires valid user credentials but grants access to cross-tenant data with low confidentiality, integrity, and availability impact. Publicly available exploit code exists for this flaw.

Authentication Bypass PHP
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Command injection in net-imap library allows attackers to inject arbitrary IMAP commands by supplying unvalidated user input to multiple methods that send raw, unescaped strings to the IMAP server. The #search, #uid_search, #fetch, #uid_fetch, #store, #uid_store, and #setquota methods accept string arguments that bypass normal validation and encoding, enabling CRLF injection to break command context. Applications that dynamically construct search criteria, fetch attributes, or quota limits from user input are at significant risk; a developer passing unsanitized input could allow an attacker to append malicious IMAP commands such as DELETE or other state-modifying operations.

Authentication Bypass Command Injection CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Authentication Bypass Privilege Escalation Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

Unauthenticated remote attackers can trigger complete database wipes and data deletion in phpVMS 7.x through 7.0.5 by accessing an exposed legacy importer endpoint at /importer. The vulnerability stems from deprecated import functionality that remained publicly accessible without authentication checks, allowing remote data modification or destruction. Vendor-released patch (v7.0.6) confirmed via GitHub advisory GHSA-fv26-4939-62fh. No CISA KEV listing or public exploit code identified at time of analysis, but trivial exploitation (CVSS AV:N/AC:L/PR:N/UI:N) makes active targeting likely.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Server-Side Template Injection (SSTI) in Thymeleaf 3.1.4.RELEASE and earlier allows remote attackers to execute arbitrary code via specially crafted expressions that bypass the template engine's sandbox restrictions. Applications passing unsanitized user input to sandboxed template contexts are vulnerable to full server compromise. Vendor-released patch is available in version 3.1.5.RELEASE. The CVSS 9.0 CRITICAL rating reflects the potential for remote code execution with high confidentiality, integrity, and availability impact, though the AC:H (high attack complexity) indicates exploitation requires specific application patterns where user input flows directly into sandboxed template contexts without validation.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Credential brute-forcing in Signal K Server versions ≤2.24.0 allows remote unauthenticated attackers to bypass HTTP login rate limiting by sending unlimited password guesses through the WebSocket authentication endpoint at approximately 20 attempts per second. The HTTP login endpoints are protected by express-rate-limit (default: 100 attempts per 10-minute window), but the WebSocket path processes login requests without any throttling, enabling dictionary attacks to complete in minutes. Publicly available exploit code exists demonstrating the bypass technique. Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN, increasing exposure risk.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.

Authentication Bypass Denial Of Service Docker +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Argo Workflows v3 (< 3.7.14) and v4 (< 4.0.5) allow users to bypass templateReferencing Strict/Secure mode restrictions by setting WorkflowSpec fields like hostNetwork, serviceAccountName, securityContext, tolerations, and volumes. The incomplete fix for CVE-2026-31892 only blocked podSpecPatch but left other security-sensitive fields unvalidated. Authenticated users with create Workflow permission can inject host network access, switch service accounts, modify pod security contexts, or schedule on control-plane nodes despite referencing hardened WorkflowTemplates. Vendor-released patch: v3.7.14 and v4.0.5 (commit 2727f3f). No public exploit identified at time of analysis, but exploitation is straightforward given detailed reproduction steps in the advisory.

Authentication Bypass Kubernetes
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated bootstrap takeover in nginx-ui 2.3.5 allows remote attackers to hijack the initial installation process via crafted POST requests to /api/install endpoint. An attacker who successfully exploits the installation window gains full administrative control over the nginx-ui instance before legitimate administrators complete setup. No vendor-released patch identified at time of analysis, creating extended exposure risk for newly deployed instances.

Authentication Bypass Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated attackers can hijack the administrator account during nginx-ui's first-run installation window by claiming the /api/install endpoint before legitimate operators. This race-condition vulnerability in nginx-ui versions 2.0.0 through 2.3.7 bypasses authentication controls entirely, allowing complete instance takeover with attacker-controlled credentials. The request-encryption mechanism protects only transit confidentiality, not authorization. Attack complexity is rated HIGH due to the narrow time window between deployment and legitimate setup completion. EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, but exploitation requires only standard HTTP tools and timing.

Authentication Bypass Nginx
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Missing authorization checks in Argo Workflows v4.0.0-4.0.4 allow any authenticated user-even those with fake Bearer tokens-to create, read, update, and delete Kubernetes ConfigMaps containing workflow synchronization limits. The ConfigMap-backed sync provider (server/sync/sync_cm.go) completely omits auth.CanI permission validation on all four CRUD endpoints. Publicly available exploit code exists (detailed PoC in advisory). CVSS 8.5 reflects network-accessible authentication bypass enabling high integrity/availability impact through denial-of-service and arbitrary ConfigMap manipulation. Patch released in version 4.0.5 adding checkConfigMapPermission() calls to validate Kubernetes RBAC before operations.

Authentication Bypass Denial Of Service Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in Kirby CMS allows authenticated users with file permissions to create, replace, or delete user avatars regardless of whether they hold the required user.update or users.update permissions. This authorization bypass affects Kirby versions up to 4.8.0 and 5.0.0 through 5.3.3, with patches available in Kirby 4.9.0 and 5.4.0. No public exploit code has been identified, and active exploitation is not confirmed.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Missing authorization in Kirby CMS allows authenticated Panel users to access sensitive site configuration, user data, and role information regardless of configured permission restrictions. Authenticated attackers with low-privilege Panel accounts can enumerate all users, access the site model, and view role configurations including permission settings-even when site administrators explicitly disabled these capabilities via wildcard permission denial ('*': false). Vendor-released patches in versions 4.9.0 and 5.4.0 add missing permission gates for site.access, user.access/users.access, user.list/users.list, and role information. No public exploit identified at time of analysis, but exploitation requires only authenticated Panel access with network connectivity.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Broken TLS certificate verification in Incus OVN database connections accepts peer-supplied certificate roots instead of anchoring trust in the configured CA certificate, allowing an attacker positioned on the management network to impersonate the OVN northbound or southbound database. While mTLS prevents full man-in-the-middle attacks and OVN control planes typically run on the same servers as Incus (limiting network attack surface), the flaw collapses the intended CA-based authentication boundary on critical control-plane database connections. Affected versions below 7.0.0 are vulnerable; no active exploitation confirmed in CISA KEV at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass
NVD GitHub VulDB
Prev Page 42 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy