Skip to main content

Authentication Bypass

31288 CVEs technique

Monthly

CVE-2026-42051 PHP MEDIUM PATCH GHSA This Month

Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42174 PHP MEDIUM PATCH GHSA This Month

Missing authorization in Kirby CMS allows authenticated users with file permissions to create, replace, or delete user avatars regardless of whether they hold the required user.update or users.update permissions. This authorization bypass affects Kirby versions up to 4.8.0 and 5.0.0 through 5.3.3, with patches available in Kirby 4.9.0 and 5.4.0. No public exploit code has been identified, and active exploitation is not confirmed.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-42069 PHP HIGH PATCH GHSA This Week

Missing authorization in Kirby CMS allows authenticated Panel users to access sensitive site configuration, user data, and role information regardless of configured permission restrictions. Authenticated attackers with low-privilege Panel accounts can enumerate all users, access the site model, and view role configurations including permission settings-even when site administrators explicitly disabled these capabilities via wildcard permission denial ('*': false). Vendor-released patches in versions 4.9.0 and 5.4.0 add missing permission gates for site.access, user.access/users.access, user.list/users.list, and role information. No public exploit identified at time of analysis, but exploitation requires only authenticated Panel access with network connectivity.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40243 Go LOW PATCH GHSA Monitor

Broken TLS certificate verification in Incus OVN database connections accepts peer-supplied certificate roots instead of anchoring trust in the configured CA certificate, allowing an attacker positioned on the management network to impersonate the OVN northbound or southbound database. While mTLS prevents full man-in-the-middle attacks and OVN control planes typically run on the same servers as Incus (limiting network attack surface), the flaw collapses the intended CA-based authentication boundary on critical control-plane database connections. Affected versions below 7.0.0 are vulnerable; no active exploitation confirmed in CISA KEV at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41471 HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-32834 HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-39852 Maven HIGH PATCH GHSA This Week

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-42796 CRITICAL PATCH Act Now

Remote code execution in Arelle webserver (versions prior to 2.39.10) allows unauthenticated attackers to execute arbitrary Python code by submitting malicious plugin URLs to the /rest/configure endpoint. The vulnerability stems from the webserver's plugin manager accepting and executing external Python files without authentication or URL validation. A patch is available in version 2.39.10 (GitHub PR #2320). CVSS 9.8 with network vector, no privileges required, and EPSS data not provided. No CISA KEV listing or confirmed active exploitation at time of analysis.

Authentication Bypass Python RCE
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-42810 Maven CRITICAL PATCH GHSA Act Now

Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.

Authentication Bypass Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-25293 CRITICAL Act Now

Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unauthenticated attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability stems from incorrect authorization logic (CWE-863) that fails to prevent buffer overflow conditions. CVSS score of 9.6 reflects adjacent network attack vector with low complexity and no required privileges or user interaction, with scope change indicating container/hypervisor escape or lateral movement potential. No CISA KEV listing or public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Authentication Bypass Buffer Overflow Snapdragon
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-42809 Maven CRITICAL PATCH GHSA Act Now

Apache Polaris issues overly-permissive temporary storage credentials during staged table creation, allowing authenticated attackers to redirect vended credentials to attacker-controlled storage locations. The vulnerability stems from missing validation and overlap checks before credential issuance - attackers supply a custom 'location' parameter or 'write.data.path'/'write.metadata.path' properties that become effective immediately without verification. This enables unauthorized access to arbitrary storage resources beyond intended table boundaries, with CVSS 9.4 severity indicating high impact across confidentiality, integrity, and availability of both vulnerable and subsequent systems.

Authentication Bypass Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42812 Maven CRITICAL PATCH GHSA Act Now

Authenticated attackers with table configuration privileges can bypass storage location validation in Apache Polaris by manipulating the write.metadata.path property during ALTER TABLE operations. This forces Polaris to write metadata files to attacker-controlled storage locations without proper validation, then subsequently issue cloud storage credentials for those locations. The vulnerability enables unauthorized access to and potential corruption of data belonging to other tables within the catalog's allowedLocations scope, particularly when polaris.config.allow.unstructured.table.location=true. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42376 CRITICAL Monitor

Hardcoded telnet backdoor in D-Link DIR-456U Hardware Revision A1 firmware grants remote unauthenticated attackers root shell access using static credentials ('Alphanetworks' / 'whdrv01_dlob_dir456U'). The telnet daemon launches automatically at boot via /etc/init0.d/S80telnetd.sh and validates credentials through strcmp() comparison against hardcoded values in /etc/config/image_sign. Device is End-of-Life with no patches forthcoming. CVSS 9.8 reflects network-accessible unauthenticated remote code execution, though exploitation requires local network access to telnet service.

D-Link Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42375 CRITICAL Monitor

Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated.

D-Link Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42374 CRITICAL Monitor

D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification.

D-Link Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42373 CRITICAL Monitor

Hardcoded telnet backdoor in D-Link DIR-605L Hardware Revision B2 firmware enables unauthenticated root access for remote attackers on the local network using static credentials 'Alphanetworks:wrgn76_dlwbr_dir605L'. The telnet daemon starts automatically at boot, validating credentials via strcmp() against hardcoded values in /etc/alpha_config/image_sign, granting complete administrative control to anyone who knows the password. This End-of-Life device will receive no security patches. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted disclosure rather than widespread exploitation campaigns.

D-Link Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42372 HIGH Monitor

Hardcoded credentials in D-Link DIR-605L Hardware Revision A1 firmware grant root-level telnet access to unauthenticated attackers on adjacent networks. The telnet daemon automatically starts at boot with username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir605l', enabling complete device takeover including network traffic interception, configuration modification, and pivot attacks against internal networks. This End-of-Life product will receive no vendor patch, requiring immediate device replacement. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, with adjacent network attack vector reducing but not eliminating risk for home and small office deployments.

D-Link Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33006 MEDIUM PATCH This Month

Timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows remote unauthenticated attackers to bypass Digest authentication with high attack complexity. The vulnerability exploits measurable timing differences in digest credential validation, enabling credential compromise without valid authentication. Apache has released patched version 2.4.67; no active exploitation has been confirmed, but CISA SSVC framework indicates automatable exploitation is not feasible due to the timing attack's sensitivity requirements.

Suse Authentication Bypass Apache Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-6266 HIGH PATCH This Week

Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Authentication Bypass Red Hat Ansible Automation Platform 2 6 For Rhel 9
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-29200 CRITICAL PATCH Act Now

Tenant administrators in Comet Backup 20.11.0 through 26.1.1 and 26.2.1 can impersonate any end-user account across different tenants on the same server through an insecure direct object reference (IDOR) in an API endpoint. The vulnerability enables complete cross-tenant authentication bypass in multi-tenant deployments, allowing unauthorized access to backup data, configurations, and operations of arbitrary users. With CVSS 9.9 (Critical) rating and network-accessible exploitation requiring no privileges, this represents an immediate risk to managed service providers and multi-tenant Comet Backup installations, though no active exploitation has been confirmed via CISA KEV at time of analysis.

Authentication Bypass Comet Backup
NVD
CVSS 4.0
9.9
EPSS
0.0%
CVE-2026-7723 PyPI MEDIUM POC PATCH This Month

Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send events without valid credentials in versions up to 3.6.13. The vulnerability exploits missing authentication validation on the WebSocket connection handshake, allowing attackers to interact with the events API when authentication is configured. A publicly available exploit exists; vendor patch version 3.6.14 addresses this by implementing mandatory subprotocol-based authentication handshake.

Authentication Bypass Prefect
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7722 PyPI MEDIUM POC PATCH This Month

Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check API endpoint by manipulating the request path suffix matching logic. The vulnerability affects the /api/health endpoint's improper authentication validation using the endswith() function, enabling attackers to craft requests that bypass authentication checks. Publicly available exploit code exists and the vendor has released patch version 3.6.22.

Authentication Bypass Prefect
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7711 PyPI MEDIUM This Month

MindsDB versions up to 26.01 allow remote unauthenticated attackers to bypass authentication and perform unrestricted file uploads via manipulation of the exec function in the BYOM (Bring Your Own Model) handler's proc_wrapper.py component. Publicly available exploit code exists, and the vendor has not responded to early disclosure, leaving deployed instances vulnerable to remote code execution through malicious model uploads.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7710 MEDIUM This Month

Authentication bypass in YunaiV yudao-cloud up to version 3.8.0 allows remote unauthenticated attackers to manipulate the mock-token argument in JwtAuthenticationTokenFilter.java, circumventing JWT authentication mechanisms and gaining unauthorized access. The vulnerability affects the Ruoyi-Vue-Pro component, has publicly available exploit code, and impacts confidentiality, integrity, and availability of protected resources with low severity per CVSS 4.0 scoring (CVSS:5.5, AV:N/AC:L/PR:N/UI:N, VC:L/VI:L/VA:L). The vendor has not responded to early disclosure notification.

Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7714 MEDIUM POC PATCH This Month

Authentication bypass in Calibre-Web-Automated up to version 4.0.6 allows remote unauthenticated attackers to access admin endpoints in the cps/cwa_functions.py component, specifically affecting Convert Library and EPUB Fixer administrative functions. Multiple endpoints lacking required authentication decorators (@login_required_if_no_ano and @admin_required) permit unauthorized users to trigger book conversions, manage conversion jobs, download logs, and manipulate EPUB files. Publicly available exploit code exists and patch is available from vendor.

Authentication Bypass Calibre Web Automated
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-67796 PyPI HIGH PATCH GHSA This Week

Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7702 MEDIUM POC This Month

Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.

Authentication Bypass Affine
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7686 MEDIUM POC PATCH This Month

Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.

Authentication Bypass Google Chrome
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5337 MEDIUM POC This Month

Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though EPSS scoring (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.

Authentication Bypass WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7681 MEDIUM POC This Month

Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify dataset parameters via manipulation of the DatasetId argument in the Dataset API endpoint backend/webserver/api/datasets.py, enabling unauthorized access to and modification of annotation datasets. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Authentication Bypass Coco Annotator
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7679 MEDIUM POC This Month

Authentication bypass in YunaiV yudao-cloud (versions up to 2026.01) allows remote unauthenticated attackers to obtain unauthorized access tokens via manipulation of the getAccessToken function in OAuth2TokenServiceImpl.java. Public exploit code exists (GitHub PoC available), enabling attackers to bypass authentication controls and gain low-level access to confidential data, integrity, and availability. EPSS risk assessment unavailable, but the combination of network attack vector, low complexity (AC:L), no authentication requirement (PR:N), and publicly available exploit creates immediate exploitation risk. Vendor was notified but did not respond, leaving no official patch timeline.

Java Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7631 LOW POC Monitor

Improper authorization in code-projects Online Hospital Management System 1.0 allows authenticated remote attackers to manipulate the Username parameter in the Registration Handler, bypassing access controls and modifying user authorization. The vulnerability requires valid authentication credentials but results in integrity impact to user accounts. Publicly available exploit code exists for this vulnerability.

Authentication Bypass Online Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2554 HIGH This Week

Authenticated vendors with low-level privileges can delete arbitrary WordPress users, including site administrators, via Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce plugin versions up to 6.7.25. The vulnerability resides in the 'wcfm_delete_wcfm_customer' function which fails to validate user-controlled 'customerid' parameters, allowing privilege escalation through unauthorized user deletion. Patch available in version 6.7.26 per Trac changeset 3483695. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 8.1 (High) reflects significant real-world impact if exploited by malicious vendors on WooCommerce marketplaces.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7630 MEDIUM POC PATCH This Month

InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-4100 HIGH This Week

Authenticated attackers with Subscriber-level access can disrupt all Stripe payment processing in Paid Memberships Pro for WordPress versions up to 3.6.5 by deleting, creating, or rebuilding webhook configurations. Missing capability checks on three AJAX handlers (pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, pmpro_stripe_rebuild_webhook) allow low-privilege users to break subscription renewals, cancellation handling, and failed payment management for the entire site. Patch available in PR #3615 implementing proper authorization checks requiring manage_options or pmpro_paymentsettings capabilities plus nonce validation. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-7491 HIGH PATCH This Week

Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.

Authentication Bypass School App
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-4024 MEDIUM This Month

Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.

Authentication Bypass WordPress Elementor
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6449 MEDIUM This Month

Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4650 MEDIUM This Month

Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7458 CRITICAL Act Now

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

PHP WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6963 HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-14726 MEDIUM POC This Month

Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.

Authentication Bypass WordPress Information Disclosure
NVD VulDB GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7638 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress Apple
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-43504 MEDIUM PATCH This Month

Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enters a paused state, enabling attackers to bypass authentication and impact data integrity and availability across affected versions. Prosody before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are vulnerable when mod_proxy65 is explicitly enabled; no public exploit code or active exploitation has been confirmed at time of analysis, though the network-accessible vulnerability with no authentication requirement and low complexity presents meaningful real-world risk.

Authentication Bypass Prosody
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31719 HIGH PATCH This Week

Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.

Red Hat Suse Authentication Bypass Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31700 HIGH PATCH This Week

Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.

Race Condition Authentication Bypass Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43050 HIGH PATCH This Week

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Authentication Bypass Use After Free Memory Corruption Linux Red Hat +1
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-31769 HIGH PATCH This Week

Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.

Red Hat Suse Authentication Bypass Linux Use After Free +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31733 MEDIUM PATCH This Month

A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).

Red Hat Suse Authentication Bypass Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-3143 MEDIUM This Month

Unauthenticated attackers can cancel pending rollbacks in Total Upkeep WordPress Backup Plugin by BoldGrid (versions up to 1.17.1) due to missing capability checks on the wp_ajax_cli_cancel AJAX function, allowing malicious users to prevent automatic recovery from failed WordPress updates. CVSS 5.3 (network-accessible, low complexity) reflects the integrity impact and lack of authentication requirement, though real-world impact depends on whether rollback operations are actively pending during an update failure.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7579 PyPI MEDIUM POC This Month

Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.

Authentication Bypass Astrbot
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7567 CRITICAL POC Act Now

Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.

Authentication Bypass WordPress
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-37526 HIGH This Week

Local privilege escalation in AGL app-framework-binder (afb-daemon) through v19.90.0 allows any low-privileged process to execute privileged supervision commands without authentication via an unprotected abstract Unix socket. Attackers can terminate the daemon (DoS), execute arbitrary API calls, close user sessions, or exfiltrate global configuration data. The vulnerability stems from commit b8c9d5de384 (2017-06-29) implementing 8 supervision commands with zero credential verification, acknowledged by developers as lacking DAC protection. EPSS data unavailable, not in CISA KEV, but technical details are publicly documented with proof-of-concept reference.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43001 PyPI HIGH PATCH GHSA This Week

Cross-project privilege escalation in OpenStack Keystone (releases 13 through 29) lets a holder of an unrestricted application credential for one project mint an EC2-type credential targeting a different project, because POST /v3/credentials never validates that the caller-supplied project_id matches the authenticating app credential's project. Exchanging that EC2 credential at /v3/ec2tokens then yields a Keystone token scoped to the second project while retaining the original app_cred_id, enabling lateral movement across tenants. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the authorization flaw (CWE-863) is confirmed and patched by upstream and distributors.

Authentication Bypass Microsoft Keystone
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-7510 LOW Monitor

Authorization bypass in OWASP DefectDojo up to version 2.55.4 allows authenticated users to manipulate objects in Benchmark, Engagement, Product, and Survey components by directly accessing resources via unvalidated object IDs, bypassing ownership checks. The vulnerability affects multiple endpoints that retrieve objects without verifying the requesting user has authorization to access the specific resource, enabling lateral privilege escalation and unauthorized data modification. Publicly disclosed exploit code exists, and the vulnerability requires network access with valid authentication credentials to exploit.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7505 MEDIUM POC PATCH This Month

Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.

Authentication Bypass Goclaw Goclaw Lite
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-28909 MEDIUM This Month

Credential exposure in Apple container allows unauthenticated remote attackers to steal registry credentials in plaintext when users connect to malicious registries with hostnames matching specific bypass patterns. The vulnerability affects container versions prior to 0.12.3 and requires user interaction to establish a connection to a malicious registry. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2311 MEDIUM PATCH This Month

IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.

Authentication Bypass IBM Privilege Escalation
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6542 MEDIUM PATCH This Month

IBM Langflow OSS 1.0.0 through 1.8.4 allows authenticated users to read transaction logs and vertex build data from other users' flows via direct flow_id manipulation, enabling unauthorized information disclosure and deletion of other users' persisted build data. The vulnerability requires valid user authentication (PR:L) but no additional complexity, affecting all deployments of affected versions.

Authentication Bypass IBM
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7502 LOW POC PATCH Monitor

LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-42137 PHP HIGH PATCH GHSA This Week

Authenticated users with restricted permissions in Kirby CMS can access pages and files they should not be able to view, bypassing configured access controls in the Panel and REST API. This affects Kirby installations where administrators have explicitly disabled `pages.access`, `pages.list`, `files.access`, or `files.list` permissions for specific user roles through blueprints. The vulnerability allows information disclosure of content models that should be hidden, though write operations remain protected. Patched versions 4.9.0 and 5.4.0 are available from the vendor. No public exploit identified at time of analysis, with EPSS data unavailable for this recent disclosure.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42461 Go HIGH PATCH GHSA This Week

Arcane's Huma backend exposes four GET endpoints (`/api/templates*`) without authentication, allowing remote unauthenticated attackers to read all stored Docker Compose templates including plaintext environment files containing database passwords, API keys, and OAuth secrets. The vulnerability affects Arcane backend versions prior to 1.18.0. Because Arcane's "Save as Template" workflow persists production secrets verbatim into these templates, this is not theoretical information disclosure but direct credential theft. The frontend correctly treats these paths as authenticated, revealing a backend authorization gap (CWE-862). Vendor-released patch available in version 1.18.0. No active exploitation or public exploit code identified at time of analysis, though the attack is trivial (CVSS:4.0 AV:N/AC:L/PR:N).

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-4503 HIGH PATCH This Week

Unauthenticated remote disclosure of user-uploaded images in IBM Langflow Desktop 1.0.0-1.8.4 allows network attackers to enumerate and access other users' private images through predictable object references. With CVSS 7.5 (High) reflecting unauthenticated network exploitation, and EPSS data not provided, risk depends on whether installations expose the vulnerable endpoint to untrusted networks. No KEV listing or public exploit code identified at time of analysis, suggesting discovery through vendor security review rather than active exploitation.

Authentication Bypass IBM
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42560 Go CRITICAL PATCH GHSA Act Now

Identity collision in the go-pkgz/auth Patreon OAuth provider allows any Patreon-authenticated user to impersonate every other Patreon user in the same application. The Patreon provider hashes an uninitialized variable instead of the actual Patreon account ID, assigning the constant value patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709 to all users. Applications using token.User.ID as the stable account key can experience cross-account access, privilege escalation, and data leakage. Vendor-released patch available in versions 1.25.2 and 2.1.2. No evidence of active exploitation or public POC beyond the vendor's disclosure, but the vulnerability is trivially exploitable with remote unauthenticated access to any affected application.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-42354 PyPI CRITICAL PATCH GHSA Act Now

Account takeover via SAML SSO authentication bypass in Sentry allows attackers to hijack arbitrary user accounts when controlling a malicious SAML Identity Provider within multi-organization instances. Attackers with permissions to configure SSO settings in one organization can link a victim's email address to their malicious IdP, then authenticate as that victim across the instance. The vulnerability was responsibly disclosed via bug bounty, patched in version 26.4.1 (deployed to SaaS in April 2026), and requires knowledge of the victim's email address plus multi-organization deployment (SENTRY_SINGLE_ORGANIZATION = False). No public exploit identified at time of analysis, though technical details and patch code are public via GitHub advisory GHSA-rcmw-7mc7-3rj7.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-7435 HIGH This Week

SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data not available; no confirmed active exploitation (CISA KEV negative); public exploit code availability unknown but detailed technical advisory published by VulnCheck increases weaponization risk.

Authentication Bypass SQLi Sscms
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-40603 MEDIUM This Month

Chartbrew 4.9.0 fails to properly enforce project-level access controls on a legacy dashboard route, allowing any authenticated team member to read another team member's project report data and extract stored report passwords. The vulnerability affects users without explicit project access but with team membership, who can leverage the unprotected endpoint to view sensitive dashboard configurations and credentials. Patched in version 5.0.0.

Authentication Bypass Chartbrew
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40601 HIGH This Week

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoint. The POST /api/chart/:chart_id/query endpoint lacks authentication checks and fails to validate whether charts belong to public reports or if sharing policies permit access. Attackers possessing a chart identifier can retrieve sensitive data from private dashboards without credentials. EPSS data not available. Not listed in CISA KEV. Vendor-confirmed vulnerability with patch released in version 5.0.0.

Authentication Bypass Chartbrew
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40600 HIGH This Week

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.

Authentication Bypass Chartbrew
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40595 HIGH This Week

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart export routes. Attackers who know a chart identifier in any public project can read or export charts that were intentionally excluded from public reports, bypassing SharePolicy access controls. The vulnerability requires only network access and a valid chart ID, with no authentication or user interaction needed. Patched in version 5.0.0 per vendor advisory GHSA-mq7q-6xh6-5649. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L).

Authentication Bypass Chartbrew
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-35514 MEDIUM This Month

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create a fully active account with valid JWT via the unprotected POST /user/invited endpoint, circumventing the signupRestricted configuration that normally blocks new registrations. An attacker receives a functional JWT token immediately without email verification, granting full authenticated access even when the instance restricts signups to invited users only. The vulnerability was patched in version 5.0.0.

Authentication Bypass Chartbrew
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-40904 HIGH This Week

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).

Authentication Bypass Chartbrew
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32148 HIGH PATCH This Week

Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. Attackers who can poison local package caches or compromise registry responses can deliver modified packages that overwrite mix.lock without raising alerts. SSVC framework indicates proof-of-concept exists, attack is non-automatable (requires user interaction and precise timing), with total technical impact. Fixed in version 2.4.2 (commit d7528c8).

Authentication Bypass Hex
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-3833 HIGH PATCH This Week

Certificate name-constraints bypass in GnuTLS allows a remote attacker to craft a leaf certificate whose Subject Alternative Name differs only in letter casing from a constrained dNSName or rfc822Name, causing GnuTLS to accept a certificate that its excludedSubtrees/permittedSubtrees policy should reject. The flaw stems from case-sensitive comparison of name-constraint labels and enables unauthorized access, impersonation, or information disclosure across software (notably Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4) that relies on GnuTLS for X.509 validation. SSVC notes a public proof-of-concept exists, though EPSS exploitation probability is very low (0.03%, 9th percentile) and the issue is not in CISA KEV.

Authentication Bypass Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-42032 PyPI MEDIUM PATCH GHSA This Month

Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
CVSS 4.0
6.7
EPSS
0.0%
CVE-2026-41654 PyPI MEDIUM PATCH GHSA This Month

Authenticated Server-Side Request Forgery (SSRF) in Weblate before 5.17.1 allows users with project.add permission to import crafted project backup ZIPs containing malicious repository URLs pointing to private addresses or using non-allowlisted schemes (file://, git://) that bypass URL validation. The vulnerability exists because bulk_create() circumvents Django's full_clean() validator; attackers can write arbitrary URLs into .git/config, enabling SSRF attacks against internal systems or protocol exploitation.

Python Authentication Bypass Suse
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-4670 CRITICAL PATCH Act Now

Authentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. Affects all versions before 2025.0.9, all 2024.x versions before 2024.1.8, and all versions prior to 2024.0.0. Progress Software has released patches for all supported versions. CVSS 9.8 critical severity with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit or active exploitation confirmed at time of analysis, though the authentication bypass nature and MOVEit's history as a high-value target make this a priority remediation candidate.

Authentication Bypass Moveit Automation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-2892 HIGH This Week

Unauthenticated attackers can bypass Stripe payment gates in Otter Blocks for WordPress ≤3.1.4 by forging the 'o_stripe_data' cookie with publicly visible product IDs from checkout block HTML source, gaining unauthorized access to premium content. The plugin's 'get_customer_data' method accepts unsigned cookie data without server-side Stripe API verification for one-time purchases, enabling trivial exploitation with no authentication required. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from accessing gated content. EPSS data unavailable; no active exploitation or POC confirmed at time of analysis, but the attack requires only basic HTTP cookie manipulation skills.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7399 HIGH This Week

Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.

Authentication Bypass Pdks
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-6498 MEDIUM This Month

Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13030 PyPI LOW Monitor

Remote code execution in django-mdeditor (all versions prior to commit 3e80f9e) allows unauthenticated attackers to upload malicious files via the image upload endpoint. The vulnerability combines missing authentication (CWE-306) with insufficient filename sanitization, enabling arbitrary code execution when uploaded files are accessed. Exploit code is publicly available (CVSS E:P), though user interaction is required (UI:R). EPSS data not available, not listed in CISA KEV at time of analysis.

Authentication Bypass RCE Python
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-7468 MEDIUM POC This Month

Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.

Authentication Bypass Smart Admin
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-36959 HIGH This Week

Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-41671 PHP MEDIUM PATCH GHSA This Month

## Summary The OIDC token introspection endpoint (`/modules/sso/index.php/oidc/introspect`) always returns `{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. ## Details The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ## PoC ```bash # Step 1: Confirm the introspection endpoint exists and always returns active # No valid token needed - any string works curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" # Expected response: {"active":true} # Step 2: Try with an empty token curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" # Expected response: {"active":true} # Step 3: Demonstrate that revocation is also broken curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" # Expected response: {"revoked":true} # But the token is NOT actually revoked in the database # Step 4: Verify the token is still active after "revocation" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" # Still returns: {"active":true} ``` ## Impact - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. ## Recommended Fix Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-41662 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-41660 PHP HIGH PATCH GHSA This Week

Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-41658 PHP MEDIUM PATCH GHSA This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41657 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows user managers with rol_edit_user permission to bypass multi-tenant organization isolation and retrieve complete member directories across all organizations by directly calling the contacts_data.php endpoint with mem_show_filter=3, exploiting a permission check mismatch between the frontend UI (which correctly requires isAdministrator() and contacts_show_all setting) and the backend API endpoint (which only requires the weaker isAdministratorUsers() check). Affected data includes full names, email addresses, login names, UUIDs, and all configured profile fields from unauthorized organizations. This is confirmed actively exploited vulnerability with patch available in version 5.0.9.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-42226 npm HIGH PATCH GHSA This Week

Authenticated users with shared workflow access in n8n can exfiltrate other users' API credentials by injecting foreign credential IDs into dynamic-node-parameters endpoint requests. The vulnerability forces the n8n backend to decrypt and replay stolen credentials against attacker-controlled URLs, enabling credential theft across workflow collaborators. Affects npm package n8n versions <1.123.33 and 2.17.0-2.17.4, with vendor-confirmed patches available in 1.123.33 and 2.17.5. No public exploit identified at time of analysis, though CVSS 8.5 with scope change (S:C) reflects the multi-tenant credential boundary violation.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-42227 npm MEDIUM PATCH GHSA This Month

Insecure Direct Object Reference (IDOR) in n8n's public API variables endpoint allows authenticated users with variable:list API key scope to read project variables from any project regardless of membership by manipulating the projectId query parameter. The API handler bypassed project membership authorization checks present in the enterprise service layer, enabling cross-project secret disclosure. This affects only licensed enterprise or team deployments with multiple projects and variables feature enabled. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in Kirby CMS allows authenticated Panel users without access.system permission to retrieve sensitive system information including installed Kirby version and license data via the /api/system REST API endpoint. This information can be leveraged for reconnaissance during subsequent attacks. Vendor-released patches: Kirby 4.9.0 and 5.4.0.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in Kirby CMS allows authenticated users with file permissions to create, replace, or delete user avatars regardless of whether they hold the required user.update or users.update permissions. This authorization bypass affects Kirby versions up to 4.8.0 and 5.0.0 through 5.3.3, with patches available in Kirby 4.9.0 and 5.4.0. No public exploit code has been identified, and active exploitation is not confirmed.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Missing authorization in Kirby CMS allows authenticated Panel users to access sensitive site configuration, user data, and role information regardless of configured permission restrictions. Authenticated attackers with low-privilege Panel accounts can enumerate all users, access the site model, and view role configurations including permission settings-even when site administrators explicitly disabled these capabilities via wildcard permission denial ('*': false). Vendor-released patches in versions 4.9.0 and 5.4.0 add missing permission gates for site.access, user.access/users.access, user.list/users.list, and role information. No public exploit identified at time of analysis, but exploitation requires only authenticated Panel access with network connectivity.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Broken TLS certificate verification in Incus OVN database connections accepts peer-supplied certificate roots instead of anchoring trust in the configured CA certificate, allowing an attacker positioned on the management network to impersonate the OVN northbound or southbound database. While mTLS prevents full man-in-the-middle attacks and OVN control planes typically run on the same servers as Incus (limiting network attack surface), the flaw collapses the intended CA-based authentication boundary on critical control-plane database connections. Affected versions below 7.0.0 are vulnerable; no active exploitation confirmed in CISA KEV at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Remote code execution in Arelle webserver (versions prior to 2.39.10) allows unauthenticated attackers to execute arbitrary Python code by submitting malicious plugin URLs to the /rest/configure endpoint. The vulnerability stems from the webserver's plugin manager accepting and executing external Python files without authentication or URL validation. A patch is available in version 2.39.10 (GitHub PR #2320). CVSS 9.8 with network vector, no privileges required, and EPSS data not provided. No CISA KEV listing or confirmed active exploitation at time of analysis.

Authentication Bypass Python RCE
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.

Authentication Bypass Apache
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unauthenticated attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability stems from incorrect authorization logic (CWE-863) that fails to prevent buffer overflow conditions. CVSS score of 9.6 reflects adjacent network attack vector with low complexity and no required privileges or user interaction, with scope change indicating container/hypervisor escape or lateral movement potential. No CISA KEV listing or public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Authentication Bypass Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Apache Polaris issues overly-permissive temporary storage credentials during staged table creation, allowing authenticated attackers to redirect vended credentials to attacker-controlled storage locations. The vulnerability stems from missing validation and overlap checks before credential issuance - attackers supply a custom 'location' parameter or 'write.data.path'/'write.metadata.path' properties that become effective immediately without verification. This enables unauthorized access to arbitrary storage resources beyond intended table boundaries, with CVSS 9.4 severity indicating high impact across confidentiality, integrity, and availability of both vulnerable and subsequent systems.

Authentication Bypass Apache
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authenticated attackers with table configuration privileges can bypass storage location validation in Apache Polaris by manipulating the write.metadata.path property during ALTER TABLE operations. This forces Polaris to write metadata files to attacker-controlled storage locations without proper validation, then subsequently issue cloud storage credentials for those locations. The vulnerability enables unauthorized access to and potential corruption of data belonging to other tables within the catalog's allowedLocations scope, particularly when polaris.config.allow.unstructured.table.location=true. EPSS data not available; no public exploit identified at time of analysis.

Authentication Bypass Apache
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Monitor

Hardcoded telnet backdoor in D-Link DIR-456U Hardware Revision A1 firmware grants remote unauthenticated attackers root shell access using static credentials ('Alphanetworks' / 'whdrv01_dlob_dir456U'). The telnet daemon launches automatically at boot via /etc/init0.d/S80telnetd.sh and validates credentials through strcmp() comparison against hardcoded values in /etc/config/image_sign. Device is End-of-Life with no patches forthcoming. CVSS 9.8 reflects network-accessible unauthenticated remote code execution, though exploitation requires local network access to telnet service.

D-Link Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Monitor

Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated.

D-Link Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Monitor

D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification.

D-Link Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Monitor

Hardcoded telnet backdoor in D-Link DIR-605L Hardware Revision B2 firmware enables unauthenticated root access for remote attackers on the local network using static credentials 'Alphanetworks:wrgn76_dlwbr_dir605L'. The telnet daemon starts automatically at boot, validating credentials via strcmp() against hardcoded values in /etc/alpha_config/image_sign, granting complete administrative control to anyone who knows the password. This End-of-Life device will receive no security patches. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted disclosure rather than widespread exploitation campaigns.

D-Link Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH Monitor

Hardcoded credentials in D-Link DIR-605L Hardware Revision A1 firmware grant root-level telnet access to unauthenticated attackers on adjacent networks. The telnet daemon automatically starts at boot with username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir605l', enabling complete device takeover including network traffic interception, configuration modification, and pivot attacks against internal networks. This End-of-Life product will receive no vendor patch, requiring immediate device replacement. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, with adjacent network attack vector reducing but not eliminating risk for home and small office deployments.

D-Link Authentication Bypass
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows remote unauthenticated attackers to bypass Digest authentication with high attack complexity. The vulnerability exploits measurable timing differences in digest credential validation, enabling credential compromise without valid authentication. Apache has released patched version 2.4.67; no active exploitation has been confirmed, but CISA SSVC framework indicates automatable exploitation is not feasible due to the timing attack's sensitivity requirements.

Suse Authentication Bypass Apache +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Authentication Bypass Red Hat Ansible Automation Platform 2 6 For Rhel 9
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Tenant administrators in Comet Backup 20.11.0 through 26.1.1 and 26.2.1 can impersonate any end-user account across different tenants on the same server through an insecure direct object reference (IDOR) in an API endpoint. The vulnerability enables complete cross-tenant authentication bypass in multi-tenant deployments, allowing unauthorized access to backup data, configurations, and operations of arbitrary users. With CVSS 9.9 (Critical) rating and network-accessible exploitation requiring no privileges, this represents an immediate risk to managed service providers and multi-tenant Comet Backup installations, though no active exploitation has been confirmed via CISA KEV at time of analysis.

Authentication Bypass Comet Backup
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send events without valid credentials in versions up to 3.6.13. The vulnerability exploits missing authentication validation on the WebSocket connection handshake, allowing attackers to interact with the events API when authentication is configured. A publicly available exploit exists; vendor patch version 3.6.14 addresses this by implementing mandatory subprotocol-based authentication handshake.

Authentication Bypass Prefect
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check API endpoint by manipulating the request path suffix matching logic. The vulnerability affects the /api/health endpoint's improper authentication validation using the endswith() function, enabling attackers to craft requests that bypass authentication checks. Publicly available exploit code exists and the vendor has released patch version 3.6.22.

Authentication Bypass Prefect
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

MindsDB versions up to 26.01 allow remote unauthenticated attackers to bypass authentication and perform unrestricted file uploads via manipulation of the exec function in the BYOM (Bring Your Own Model) handler's proc_wrapper.py component. Publicly available exploit code exists, and the vendor has not responded to early disclosure, leaving deployed instances vulnerable to remote code execution through malicious model uploads.

Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Authentication bypass in YunaiV yudao-cloud up to version 3.8.0 allows remote unauthenticated attackers to manipulate the mock-token argument in JwtAuthenticationTokenFilter.java, circumventing JWT authentication mechanisms and gaining unauthorized access. The vulnerability affects the Ruoyi-Vue-Pro component, has publicly available exploit code, and impacts confidentiality, integrity, and availability of protected resources with low severity per CVSS 4.0 scoring (CVSS:5.5, AV:N/AC:L/PR:N/UI:N, VC:L/VI:L/VA:L). The vendor has not responded to early disclosure notification.

Java Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Authentication bypass in Calibre-Web-Automated up to version 4.0.6 allows remote unauthenticated attackers to access admin endpoints in the cps/cwa_functions.py component, specifically affecting Convert Library and EPUB Fixer administrative functions. Multiple endpoints lacking required authentication decorators (@login_required_if_no_ano and @admin_required) permit unauthorized users to trigger book conversions, manage conversion jobs, download logs, and manipulate EPUB files. Publicly available exploit code exists and patch is available from vendor.

Authentication Bypass Calibre Web Automated
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.

Authentication Bypass Affine
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.

Authentication Bypass Google Chrome
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though EPSS scoring (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.

Authentication Bypass WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify dataset parameters via manipulation of the DatasetId argument in the Dataset API endpoint backend/webserver/api/datasets.py, enabling unauthorized access to and modification of annotation datasets. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Authentication Bypass Coco Annotator
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in YunaiV yudao-cloud (versions up to 2026.01) allows remote unauthenticated attackers to obtain unauthorized access tokens via manipulation of the getAccessToken function in OAuth2TokenServiceImpl.java. Public exploit code exists (GitHub PoC available), enabling attackers to bypass authentication controls and gain low-level access to confidential data, integrity, and availability. EPSS risk assessment unavailable, but the combination of network attack vector, low complexity (AC:L), no authentication requirement (PR:N), and publicly available exploit creates immediate exploitation risk. Vendor was notified but did not respond, leaving no official patch timeline.

Java Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper authorization in code-projects Online Hospital Management System 1.0 allows authenticated remote attackers to manipulate the Username parameter in the Registration Handler, bypassing access controls and modifying user authorization. The vulnerability requires valid authentication credentials but results in integrity impact to user accounts. Publicly available exploit code exists for this vulnerability.

Authentication Bypass Online Hospital Management System
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated vendors with low-level privileges can delete arbitrary WordPress users, including site administrators, via Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce plugin versions up to 6.7.25. The vulnerability resides in the 'wcfm_delete_wcfm_customer' function which fails to validate user-controlled 'customerid' parameters, allowing privilege escalation through unauthorized user deletion. Patch available in version 6.7.26 per Trac changeset 3483695. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 8.1 (High) reflects significant real-world impact if exploited by malicious vendors on WooCommerce marketplaces.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.

Authentication Bypass PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated attackers with Subscriber-level access can disrupt all Stripe payment processing in Paid Memberships Pro for WordPress versions up to 3.6.5 by deleting, creating, or rebuilding webhook configurations. Missing capability checks on three AJAX handlers (pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, pmpro_stripe_rebuild_webhook) allow low-privilege users to break subscription renewals, cancellation handling, and failed payment management for the entire site. Patch available in PR #3615 implementing proper authorization checks requiring manage_options or pmpro_paymentsettings capabilities plus nonce validation. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.

Authentication Bypass School App
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.

Authentication Bypass WordPress Elementor
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

PHP WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.

Authentication Bypass WordPress Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enters a paused state, enabling attackers to bypass authentication and impact data integrity and availability across affected versions. Prosody before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are vulnerable when mod_proxy65 is explicitly enabled; no public exploit code or active exploitation has been confirmed at time of analysis, though the network-accessible vulnerability with no authentication requirement and low complexity presents meaningful real-world risk.

Authentication Bypass Prosody
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.

Red Hat Suse Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Time-of-check-time-of-use (TOCTOU) race condition in Linux kernel's TPACKET transmission path allows local authenticated attackers with low privileges to bypass vnet_hdr validation checks and potentially achieve privilege escalation, code execution, or system compromise. The vulnerability affects packet socket implementations when PACKET_VNET_HDR is enabled, where concurrent userspace threads can modify mmap'd ring buffer data between kernel validation and use. Vendor-released patches are available for stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though the high CVSS 7.8 reflects significant local impact potential.

Race Condition Authentication Bypass Linux
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.

Authentication Bypass Use After Free Memory Corruption +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel GPIB subsystem allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers when concurrent IBCLOSEDEV calls free descriptors still in use by I/O operations. EPSS probability is very low (0.02%, 4th percentile), indicating minimal observed exploitation activity. Vendor patches available for stable branches 6.18.22, 6.19.12, and mainline 7.0 via commits cae26eff, 28c75dd1, and d1857f82.

Red Hat Suse Authentication Bypass +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).

Red Hat Suse Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can cancel pending rollbacks in Total Upkeep WordPress Backup Plugin by BoldGrid (versions up to 1.17.1) due to missing capability checks on the wp_ajax_cli_cancel AJAX function, allowing malicious users to prevent automatic recovery from failed WordPress updates. CVSS 5.3 (network-accessible, low complexity) reflects the integrity impact and lack of authentication requirement, though real-world impact depends on whether rollback operations are actively pending during an update failure.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.

Authentication Bypass Astrbot
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.

Authentication Bypass WordPress
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in AGL app-framework-binder (afb-daemon) through v19.90.0 allows any low-privileged process to execute privileged supervision commands without authentication via an unprotected abstract Unix socket. Attackers can terminate the daemon (DoS), execute arbitrary API calls, close user sessions, or exfiltrate global configuration data. The vulnerability stems from commit b8c9d5de384 (2017-06-29) implementing 8 supervision commands with zero credential verification, acknowledged by developers as lacking DAC protection. EPSS data unavailable, not in CISA KEV, but technical details are publicly documented with proof-of-concept reference.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Cross-project privilege escalation in OpenStack Keystone (releases 13 through 29) lets a holder of an unrestricted application credential for one project mint an EC2-type credential targeting a different project, because POST /v3/credentials never validates that the caller-supplied project_id matches the authenticating app credential's project. Exchanging that EC2 credential at /v3/ec2tokens then yields a Keystone token scoped to the second project while retaining the original app_cred_id, enabling lateral movement across tenants. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the authorization flaw (CWE-863) is confirmed and patched by upstream and distributors.

Authentication Bypass Microsoft Keystone
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Authorization bypass in OWASP DefectDojo up to version 2.55.4 allows authenticated users to manipulate objects in Benchmark, Engagement, Product, and Survey components by directly accessing resources via unvalidated object IDs, bypassing ownership checks. The vulnerability affects multiple endpoints that retrieve objects without verifying the requesting user has authorization to access the specific resource, enabling lateral privilege escalation and unauthorized data modification. Publicly disclosed exploit code exists, and the vulnerability requires network access with valid authentication credentials to exploit.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.

Authentication Bypass Goclaw Goclaw Lite
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Credential exposure in Apple container allows unauthenticated remote attackers to steal registry credentials in plaintext when users connect to malicious registries with hostnames matching specific bypass patterns. The vulnerability affects container versions prior to 0.12.3 and requires user interaction to establish a connection to a malicious registry. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.

Authentication Bypass IBM Privilege Escalation
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM Langflow OSS 1.0.0 through 1.8.4 allows authenticated users to read transaction logs and vertex build data from other users' flows via direct flow_id manipulation, enabling unauthorized information disclosure and deletion of other users' persisted build data. The vulnerability requires valid user authentication (PR:L) but no additional complexity, affecting all deployments of affected versions.

Authentication Bypass IBM
NVD
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

LinkStack up to version 4.8.6 contains an authorization bypass vulnerability in the saveLink function of UserController.php that allows authenticated attackers to modify links belonging to other users via insecure direct object references (IDOR). The vulnerability affects the Management Endpoint and enables remote attackers with valid credentials to manipulate or delete arbitrary user links, with publicly available exploit code and an unmerged patch awaiting acceptance.

Authentication Bypass PHP
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated users with restricted permissions in Kirby CMS can access pages and files they should not be able to view, bypassing configured access controls in the Panel and REST API. This affects Kirby installations where administrators have explicitly disabled `pages.access`, `pages.list`, `files.access`, or `files.list` permissions for specific user roles through blueprints. The vulnerability allows information disclosure of content models that should be hidden, though write operations remain protected. Patched versions 4.9.0 and 5.4.0 are available from the vendor. No public exploit identified at time of analysis, with EPSS data unavailable for this recent disclosure.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arcane's Huma backend exposes four GET endpoints (`/api/templates*`) without authentication, allowing remote unauthenticated attackers to read all stored Docker Compose templates including plaintext environment files containing database passwords, API keys, and OAuth secrets. The vulnerability affects Arcane backend versions prior to 1.18.0. Because Arcane's "Save as Template" workflow persists production secrets verbatim into these templates, this is not theoretical information disclosure but direct credential theft. The frontend correctly treats these paths as authenticated, revealing a backend authorization gap (CWE-862). Vendor-released patch available in version 1.18.0. No active exploitation or public exploit code identified at time of analysis, though the attack is trivial (CVSS:4.0 AV:N/AC:L/PR:N).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote disclosure of user-uploaded images in IBM Langflow Desktop 1.0.0-1.8.4 allows network attackers to enumerate and access other users' private images through predictable object references. With CVSS 7.5 (High) reflecting unauthenticated network exploitation, and EPSS data not provided, risk depends on whether installations expose the vulnerable endpoint to untrusted networks. No KEV listing or public exploit code identified at time of analysis, suggesting discovery through vendor security review rather than active exploitation.

Authentication Bypass IBM
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Identity collision in the go-pkgz/auth Patreon OAuth provider allows any Patreon-authenticated user to impersonate every other Patreon user in the same application. The Patreon provider hashes an uninitialized variable instead of the actual Patreon account ID, assigning the constant value patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709 to all users. Applications using token.User.ID as the stable account key can experience cross-account access, privilege escalation, and data leakage. Vendor-released patch available in versions 1.25.2 and 2.1.2. No evidence of active exploitation or public POC beyond the vendor's disclosure, but the vulnerability is trivially exploitable with remote unauthenticated access to any affected application.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Account takeover via SAML SSO authentication bypass in Sentry allows attackers to hijack arbitrary user accounts when controlling a malicious SAML Identity Provider within multi-organization instances. Attackers with permissions to configure SSO settings in one organization can link a victim's email address to their malicious IdP, then authenticate as that victim across the instance. The vulnerability was responsibly disclosed via bug bounty, patched in version 26.4.1 (deployed to SaaS in April 2026), and requires knowledge of the victim's email address plus multi-organization deployment (SENTRY_SINGLE_ORGANIZATION = False). No public exploit identified at time of analysis, though technical details and patch code are public via GitHub advisory GHSA-rcmw-7mc7-3rj7.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data not available; no confirmed active exploitation (CISA KEV negative); public exploit code availability unknown but detailed technical advisory published by VulnCheck increases weaponization risk.

Authentication Bypass SQLi Sscms
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Chartbrew 4.9.0 fails to properly enforce project-level access controls on a legacy dashboard route, allowing any authenticated team member to read another team member's project report data and extract stored report passwords. The vulnerability affects users without explicit project access but with team membership, who can leverage the unprotected endpoint to view sensitive dashboard configurations and credentials. Patched in version 5.0.0.

Authentication Bypass Chartbrew
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoint. The POST /api/chart/:chart_id/query endpoint lacks authentication checks and fails to validate whether charts belong to public reports or if sharing policies permit access. Attackers possessing a chart identifier can retrieve sensitive data from private dashboards without credentials. EPSS data not available. Not listed in CISA KEV. Vendor-confirmed vulnerability with patch released in version 5.0.0.

Authentication Bypass Chartbrew
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.

Authentication Bypass Chartbrew
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart export routes. Attackers who know a chart identifier in any public project can read or export charts that were intentionally excluded from public reports, bypassing SharePolicy access controls. The vulnerability requires only network access and a valid chart ID, with no authentication or user interaction needed. Patched in version 5.0.0 per vendor advisory GHSA-mq7q-6xh6-5649. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L).

Authentication Bypass Chartbrew
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create a fully active account with valid JWT via the unprotected POST /user/invited endpoint, circumventing the signupRestricted configuration that normally blocks new registrations. An attacker receives a functional JWT token immediately without email verification, granting full authenticated access even when the instance restricts signups to invited users only. The vulnerability was patched in version 5.0.0.

Authentication Bypass Chartbrew
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).

Authentication Bypass Chartbrew
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. Attackers who can poison local package caches or compromise registry responses can deliver modified packages that overwrite mix.lock without raising alerts. SSVC framework indicates proof-of-concept exists, attack is non-automatable (requires user interaction and precise timing), with total technical impact. Fixed in version 2.4.2 (commit d7528c8).

Authentication Bypass Hex
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Certificate name-constraints bypass in GnuTLS allows a remote attacker to craft a leaf certificate whose Subject Alternative Name differs only in letter casing from a constrained dNSName or rfc822Name, causing GnuTLS to accept a certificate that its excludedSubtrees/permittedSubtrees policy should reject. The flaw stems from case-sensitive comparison of name-constraint labels and enables unauthorized access, impersonation, or information disclosure across software (notably Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4) that relies on GnuTLS for X.509 validation. SSVC notes a public proof-of-concept exists, though EPSS exploitation probability is very low (0.03%, 9th percentile) and the issue is not in CISA KEV.

Authentication Bypass Information Disclosure Red Hat Enterprise Linux 10 +6
NVD VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.

Authentication Bypass PostgreSQL
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authenticated Server-Side Request Forgery (SSRF) in Weblate before 5.17.1 allows users with project.add permission to import crafted project backup ZIPs containing malicious repository URLs pointing to private addresses or using non-allowlisted schemes (file://, git://) that bypass URL validation. The vulnerability exists because bulk_create() circumvents Django's full_clean() validator; attackers can write arbitrary URLs into .git/config, enabling SSRF attacks against internal systems or protocol exploitation.

Python Authentication Bypass Suse
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Progress MOVEit Automation allows remote unauthenticated attackers to completely circumvent authentication controls and gain unauthorized access with high impact to confidentiality, integrity, and availability. Affects all versions before 2025.0.9, all 2024.x versions before 2024.1.8, and all versions prior to 2024.0.0. Progress Software has released patches for all supported versions. CVSS 9.8 critical severity with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit or active exploitation confirmed at time of analysis, though the authentication bypass nature and MOVEit's history as a high-value target make this a priority remediation candidate.

Authentication Bypass Moveit Automation
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can bypass Stripe payment gates in Otter Blocks for WordPress ≤3.1.4 by forging the 'o_stripe_data' cookie with publicly visible product IDs from checkout block HTML source, gaining unauthorized access to premium content. The plugin's 'get_customer_data' method accepts unsigned cookie data without server-side Stripe API verification for one-time purchases, enabling trivial exploitation with no authentication required. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from accessing gated content. EPSS data unavailable; no active exploitation or POC confirmed at time of analysis, but the attack requires only basic HTTP cookie manipulation skills.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.

Authentication Bypass Pdks
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Remote code execution in django-mdeditor (all versions prior to commit 3e80f9e) allows unauthenticated attackers to upload malicious files via the image upload endpoint. The vulnerability combines missing authentication (CWE-306) with insufficient filename sanitization, enabling arbitrary code execution when uploaded files are accessed. Exploit code is publicly available (CVSS E:P), though user interaction is required (UI:R). EPSS data not available, not listed in CISA KEV at time of analysis.

Authentication Bypass RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.

Authentication Bypass Smart Admin
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

## Summary The OIDC token introspection endpoint (`/modules/sso/index.php/oidc/introspect`) always returns `{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. ## Details The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ## PoC ```bash # Step 1: Confirm the introspection endpoint exists and always returns active # No valid token needed - any string works curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" # Expected response: {"active":true} # Step 2: Try with an empty token curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" # Expected response: {"active":true} # Step 3: Demonstrate that revocation is also broken curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" # Expected response: {"revoked":true} # But the token is NOT actually revoked in the database # Step 4: Verify the token is still active after "revocation" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" # Still returns: {"active":true} ``` ## Impact - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. ## Recommended Fix Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows user managers with rol_edit_user permission to bypass multi-tenant organization isolation and retrieve complete member directories across all organizations by directly calling the contacts_data.php endpoint with mem_show_filter=3, exploiting a permission check mismatch between the frontend UI (which correctly requires isAdministrator() and contacts_show_all setting) and the backend API endpoint (which only requires the weaker isAdministratorUsers() check). Affected data includes full names, email addresses, login names, UUIDs, and all configured profile fields from unauthorized organizations. This is confirmed actively exploited vulnerability with patch available in version 5.0.9.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated users with shared workflow access in n8n can exfiltrate other users' API credentials by injecting foreign credential IDs into dynamic-node-parameters endpoint requests. The vulnerability forces the n8n backend to decrypt and replay stolen credentials against attacker-controlled URLs, enabling credential theft across workflow collaborators. Affects npm package n8n versions <1.123.33 and 2.17.0-2.17.4, with vendor-confirmed patches available in 1.123.33 and 2.17.5. No public exploit identified at time of analysis, though CVSS 8.5 with scope change (S:C) reflects the multi-tenant credential boundary violation.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in n8n's public API variables endpoint allows authenticated users with variable:list API key scope to read project variables from any project regardless of membership by manipulating the projectId query parameter. The API handler bypassed project membership authorization checks present in the enterprise service layer, enabling cross-project secret disclosure. This affects only licensed enterprise or team deployments with multiple projects and variables feature enabled. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1.

Authentication Bypass
NVD GitHub VulDB
Prev Page 43 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy