Skip to main content

Authentication Bypass

31296 CVEs technique

Monthly

CVE-2026-36959 HIGH This Week

Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-41671 PHP MEDIUM PATCH GHSA This Month

## Summary The OIDC token introspection endpoint (`/modules/sso/index.php/oidc/introspect`) always returns `{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. ## Details The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ## PoC ```bash # Step 1: Confirm the introspection endpoint exists and always returns active # No valid token needed - any string works curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" # Expected response: {"active":true} # Step 2: Try with an empty token curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" # Expected response: {"active":true} # Step 3: Demonstrate that revocation is also broken curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" # Expected response: {"revoked":true} # But the token is NOT actually revoked in the database # Step 4: Verify the token is still active after "revocation" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" # Still returns: {"active":true} ``` ## Impact - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. ## Recommended Fix Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-41662 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-41660 PHP HIGH PATCH GHSA This Week

Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-41658 PHP MEDIUM PATCH GHSA This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41657 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows user managers with rol_edit_user permission to bypass multi-tenant organization isolation and retrieve complete member directories across all organizations by directly calling the contacts_data.php endpoint with mem_show_filter=3, exploiting a permission check mismatch between the frontend UI (which correctly requires isAdministrator() and contacts_show_all setting) and the backend API endpoint (which only requires the weaker isAdministratorUsers() check). Affected data includes full names, email addresses, login names, UUIDs, and all configured profile fields from unauthorized organizations. This is confirmed actively exploited vulnerability with patch available in version 5.0.9.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-42226 npm HIGH PATCH GHSA This Week

Authenticated users with shared workflow access in n8n can exfiltrate other users' API credentials by injecting foreign credential IDs into dynamic-node-parameters endpoint requests. The vulnerability forces the n8n backend to decrypt and replay stolen credentials against attacker-controlled URLs, enabling credential theft across workflow collaborators. Affects npm package n8n versions <1.123.33 and 2.17.0-2.17.4, with vendor-confirmed patches available in 1.123.33 and 2.17.5. No public exploit identified at time of analysis, though CVSS 8.5 with scope change (S:C) reflects the multi-tenant credential boundary violation.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-42227 npm MEDIUM PATCH GHSA This Month

Insecure Direct Object Reference (IDOR) in n8n's public API variables endpoint allows authenticated users with variable:list API key scope to read project variables from any project regardless of membership by manipulating the projectId query parameter. The API handler bypassed project membership authorization checks present in the enterprise service layer, enabling cross-project secret disclosure. This affects only licensed enterprise or team deployments with multiple projects and variables feature enabled. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-42228 npm MEDIUM PATCH GHSA This Month

n8n Chat Trigger's Hosted Chat feature fails to verify WebSocket connection authorization on the /chat endpoint, allowing unauthenticated remote attackers to hijack workflow executions in waiting state by obtaining the execution ID, intercept intended user prompts, and submit arbitrary input to influence downstream workflow behavior. This affects instances configured with authentication set to None. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1. No public exploit code identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2018-25318 CRITICAL POC Act Now

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25317 CRITICAL POC Act Now

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25316 CRITICAL POC Act Now

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-25298 MEDIUM POC This Month

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Authentication Bypass Merge Pacs
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7422 HIGH PATCH This Week

Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available.

Authentication Bypass Freertos Plus Tcp
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-26206 MEDIUM PATCH This Month

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.

Authentication Bypass Wazuh
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5712 HIGH PATCH This Week

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.

Authentication Bypass Identityiq
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-41940 CRITICAL POC KEV EUVD KEV PATCH THREAT NEWS Act Now

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.

Authentication Bypass Cpanel Whm Wp Squared
NVD GitHub VulDB Exploit-DB
CVSS 4.0
9.3
EPSS
16.5%
Threat
5.4
CVE-2026-42522 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

Jenkins Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42519 Maven MEDIUM PATCH This Month

A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

Jenkins Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5140 HIGH PATCH This Week

Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass. This issue affects Pardus: from <=0.6.4 before 0.8.0.

Authentication Bypass Pardus
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42648 MEDIUM This Month

Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.22.

Authentication Bypass Spectra
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42642 MEDIUM This Month

Missing Authorization vulnerability in StellarWP GiveWP give allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GiveWP: from n/a through <= 4.14.5.

Authentication Bypass Givewp
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4019 MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.

WordPress Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42517 HIGH This Week

This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for protecting sensitive data. An authenticated attacker could exploit this vulnerability by decoding and manipulating Base64-encoded parameters in the request URL to gain unauthorized access to sensitive information on the targeted system.

Information Disclosure Authentication Bypass
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42516 HIGH This Week

This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.

Authentication Bypass
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42515 HIGH This Week

This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42514 HIGH This Week

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target user and gain unauthorized access to user accounts on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-42513 HIGH This Week

This vulnerability exists in e-Sushrut due to improper authentication logic that relies on client-side response parameters to determine authentication status. A remote attacker could exploit this vulnerability by intercepting and modifying the server response. Successful exploitation of this vulnerability could allow the attacker to bypass authentication and gain unauthorized access to user accounts on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-42412 MEDIUM This Month

Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1.

Authentication Bypass Wp User Frontend
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42377 HIGH This Week

Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureForms Pro: from n/a through 2.8.0.

Authentication Bypass Sureforms Pro
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-50328 HIGH This Week

B1 Free Archiver v1.5.86 strips Mark of the Web (MotW) protections from files extracted from internet-downloaded archives, allowing untrusted executables to run without Windows Defender SmartScreen warnings. Attackers can deliver malware via email attachments or malicious downloads that, when extracted using this archiver, bypass Windows security prompts entirely. EPSS exploitation probability is minimal (0.01%) with no active exploitation or public POC identified, suggesting limited real-world targeting despite the 7.3 CVSS score and theoretical RCE capability.

RCE Microsoft Authentication Bypass
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-35579 Go HIGH PATCH GHSA This Week

### Summary The gRPC, QUIC, DoH, and DoH3 transports in CoreDNS incorrectly handle TSIG authentication. For gRPC and QUIC, CoreDNS checks whether the TSIG key name exists in the config, but does not actually verify the TSIG HMAC. If the key name matches, `tsigStatus` remains nil and the tsig plugin treats the request as "verified". For DoH and DoH3, the issue is worse: TSIG is not verified at all. The DoH response writer has `TsigStatus()` hardcoded to return nil, so any request containing a TSIG record is treated as authenticated, even if the key name is invalid and the MAC is garbage. As a result, attackers may bypass TSIG authentication on affected transports and access TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic updates, or other TSIG-gated plugin behavior. ### Details In `server_grpc.go` and `server_quic.go`, the TSIG handling checks whether the TSIG key name exists, but does not call `dns.TsigVerify()`. Relevant code before fix: ```go if tsig := msg.IsTsig(); tsig != nil { if s.tsigSecret == nil { w.tsigStatus = dns.ErrSecret } else if _, ok := s.tsigSecret[tsig.Hdr.Name]; !ok { w.tsigStatus = dns.ErrSecret } // key found -> nothing happens -> tsigStatus stays nil -> "verified" } ``` This means that for gRPC and QUIC, a request with a known TSIG key name but an invalid MAC is accepted as authenticated. PRs #7943 and #7947 partially addressed this area by adding key name checks for gRPC and QUIC, but did not add HMAC verification. The DoH and DoH3 paths have an even weaker failure mode. In `https.go`, `DoHWriter.TsigStatus()` returned nil unconditionally: ```go func (d *DoHWriter) TsigStatus() error { return nil } ``` In `server_https.go`, the incoming DNS message is unpacked from the HTTP request and passed directly into `ServeDNS()` without checking `msg.IsTsig()`, without looking up the TSIG key name, and without calling `dns.TsigVerify()`. The same pattern exists in the DoH3 path in `server_https3.go`. The effective DoH/DoH3 flow before the fix was: 1. HTTP or HTTP/3 request arrives. 2. DNS message is unpacked from the request. 3. A `DoHWriter` is created. 4. The message is passed to `ServeDNS()`. 5. The tsig plugin checks `w.TsigStatus()`. 6. `TsigStatus()` returns nil. 7. nil is interpreted as successful TSIG verification. This means that for DoH and DoH3, CoreDNS did not even require a valid TSIG key name. Any TSIG record was enough to satisfy the tsig plugin, regardless of key name or MAC contents. ### PoC Setup: built CoreDNS from master at commit `12d9457` and also verified against the v1.14.2 release binary. Configured a single test zone with 9 records and `tsig { require all }`. Listeners used the same TSIG configuration and key: - TCP on port 1053, using the normal `dns.Server` path where TSIG HMAC verification works correctly - gRPC on port 1443, using manual TSIG handling - DoH on port 8443 - DoH3 with the same TSIG configuration #### gRPC / QUIC behavior A test client sent AXFR requests over gRPC with a valid TSIG key name but forged MAC values. The same requests were sent over TCP for comparison. | MAC used | gRPC | TCP | |----------|------|-----| | 32 zero bytes | BYPASS, 9 records returned | BADSIG | | 32 random bytes | BYPASS, 9 records returned | BADSIG | | HMAC computed with wrong secret | BYPASS, 9 records returned | BADSIG | | truncated to 16 bytes | BYPASS, 9 records returned | BADSIG | | single byte `0x41` | BYPASS, 9 records returned | BADSIG | | empty MAC | BYPASS, 9 records returned | BADSIG | | wrong key name + zero MAC | REJECTED, NOTAUTH/BADKEY | REJECTED, NOTAUTH/BADKEY | 6 out of 7 forged TSIG requests bypassed authentication over gRPC and returned a full zone transfer. The only rejected case was the wrong key name, because the gRPC path checked whether the key name existed. The same class applied to QUIC. #### DoH / DoH3 behavior For DoH, a test client sent DNS queries over HTTPS POST to `/dns-query` with forged TSIG records. These requests were also compared against TCP. | TSIG variant | DoH result | TCP result | |-------------|------------|------------| | 32 zero bytes | BYPASS, NOERROR | BADSIG | | 32 random bytes | BYPASS, NOERROR | BADSIG | | HMAC computed with wrong secret | BYPASS, NOERROR | BADSIG | | truncated to 16 bytes | BYPASS, NOERROR | BADSIG | | single byte `0x41` | BYPASS, NOERROR | BADSIG | | empty MAC | BYPASS, NOERROR | BADSIG | | bad key name | BYPASS, NOERROR | NOTAUTH/BADKEY | | no TSIG record | REJECTED, REFUSED | REJECTED, REFUSED | 7 out of 8 cases bypassed authentication over DoH. Every request containing a TSIG record was accepted, including requests with an invalid key name. An AXFR request over DoH with a forged TSIG record using a zero-byte MAC returned the full test zone. The same pattern applies to DoH3 because it used the same `DoHWriter` TSIG behavior and did not verify TSIG before passing the message into the plugin chain. To confirm that the tsig plugin itself was enforcing policy, requests with no TSIG record were rejected with `REFUSED`. The bypass happens because the transport layer reports successful TSIG verification when verification either did not happen or only checked the key name. ### Impact An unauthenticated network attacker may bypass TSIG authentication on affected CoreDNS transports. Depending on configuration, this may allow an attacker to: - perform AXFR or IXFR zone transfers over affected transports - dump TSIG-protected zone data - submit dynamic DNS updates if enabled - bypass other TSIG-gated plugin behavior - authenticate over DoH or DoH3 without knowing a valid TSIG key name The DoH and DoH3 variants have a lower exploitation bar than gRPC and QUIC because the attacker does not need to know a configured TSIG key name. Any TSIG record is treated as valid. ### Affected transports - gRPC - QUIC - DoH - DoH3 ### Workarounds If upgrading is not immediately possible: - Disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required. - Restrict network-level access to affected transport ports to trusted sources only. - Avoid exposing TSIG-protected functionality such as AXFR, IXFR, or dynamic updates over affected transports. ### Fix Affected transports must verify TSIG before passing the DNS message into the plugin chain. For requests containing a TSIG record, the transport should: 1. check whether TSIG secrets are configured 2. verify that the TSIG key name exists 3. call `dns.TsigVerify()` against the original wire-format message 4. store the resulting status in the response writer 5. return that status from `TsigStatus()` A successful key name lookup alone is not sufficient. A nil TSIG status must only be returned after successful HMAC verification.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-33190 Go HIGH PATCH GHSA This Week

### Summary CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC. ### Details The tsig plugin decides whether an incoming TSIG was valid by consulting w.TsigStatus(): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... } (plugin/tsig/tsig.go) Two affected transports are shown directly in the PoC: - DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain. - DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go). The same transport-family bug pattern also appears on other transports: - DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -> core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior. - DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go). - gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go). The attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience. ### PoC 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./tsig-repro.py 3. Expected output: *** Start CoreDNS *** Corefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile Log: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log *** Baseline (plain TCP) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=9 (expected NOTAUTH=9) *** Candidate (DoT) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount>0) *** Candidate (DoH) *** no_tsig http=200 rcode=5 (expected REFUSED=5) invalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount>0) *** OK *** TSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it. Results: /tmp/vh-f001-tsig-doh-dot-bypass/results.json ### Impact Unauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).

Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-33489 Go HIGH PATCH GHSA This Week

### Summary CoreDNS' transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule (name-dependent), allowing an unauthorized client to perform AXFR/IXFR for the subzone and retrieve its zone contents. ### Details In plugin/transfer/transfer.go, stanza selection is implemented by longestMatch(), which is documented as "longest zone match wins", but it actually chooses the winner via a lexicographic string comparison: - zone := "" // longest zone match wins (plugin/transfer/transfer.go) - if z > zone { zone = z; x = xfr } (plugin/transfer/transfer.go) So, a parent zone like example.org. can beat a child zone like a.example.org. purely due to lexicographic ordering ("example.org." > "a.example.org."), even though the child zone is the longer/more specific suffix match. The bypass is data-dependent (some child labels will win, some will lose), making it operationally non-intuitive. ### PoC 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./acl-repro.py 3. Expected output: *** Baseline (only subzone transfer rule) *** axfr a.example.org.: rcode=5 ancount=0 (expected REFUSED=5) *** Candidate (add permissive parent transfer rule) *** axfr a.example.org.: rcode=0 ancount=5 (expected NOERROR=0 with ancount>0) *** OK *** Subzone transfer ACL bypass reproduced: adding a permissive parent-zone stanza can override a stricter child-zone stanza due to lexicographic zone selection. ### Impact Unauthorized zone transfer can expose full zone contents to a remote network client that was intended to be denied by a subzone-specific transfer policy.

Suse Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-32699 PHP MEDIUM GHSA This Month

### Summary The application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption. ### Details The vulnerability exists in the user update logic. When a ```POST``` request is sent to ```/EditUser```, the backend processes the ```nick``` form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable. ### PoC ***1.*** Log in to the dashboard as any user (e.g. admin user). ***2.*** Go to your Profile by clicking your username/avatar in the top right. ***3.*** Open Burp Suite and ensure Intercept is ON. ***5.*** Click the Save button in the UI. ***6.*** In Burp Suite, locate ```nick``` in the body: <img width="1915" height="1013" alt="Screenshot_2026-03-04_05_26_32" src="https://github.com/user-attachments/assets/aea4e6fd-beba-4a47-96da-8b9bd9075681" /> ***7.*** Change the value admin to Vulnerable (or any other string). ***8.*** Click Forward in Burp Suite. The application will log the user out. It is possible to now log back in using the username "Vulnerable" and the original password. ### Impact An attacker can effectively sabotage the system’s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment. ### Result #### Before <img width="1920" height="996" alt="Screenshot_2026-03-04_05_25_30" src="https://github.com/user-attachments/assets/3b2d34e5-a2b9-4da9-9a56-963fe1a8fd65" /> #### After <img width="1920" height="955" alt="Screenshot_2026-03-04_05_27_00" src="https://github.com/user-attachments/assets/af1de0ef-2b55-4d29-9557-29ee26a3775a" />

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-7360 LOW PATCH Monitor

Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-41649 HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.

Authentication Bypass Outline
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41446 CRITICAL PATCH Act Now

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label or documentation containing these values can authenticate to the several endpoints and execute arbitrary commands as root on the device.

Authentication Bypass
NVD
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-42432 npm HIGH PATCH GHSA This Week

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-42431 npm HIGH PATCH This Week

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-42429 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-42426 npm HIGH PATCH This Week

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42423 npm HIGH PATCH This Week

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-42422 npm HIGH PATCH This Week

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-42421 npm LOW PATCH Monitor

OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41916 npm LOW PATCH Monitor

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-41913 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.

Authentication Bypass Race Condition Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41910 npm LOW PATCH Monitor

OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-41406 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 contains a sender allowlist bypass vulnerability allowing remote attackers to access restricted messages by exploiting quoted, root, and thread context message retrieval mechanisms. The vulnerability affects default configurations and requires user interaction (CVSS UI:P), making it a moderate-risk authentication bypass that undermines message access controls.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41404 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw's trusted-proxy authentication mode allows low-privileged authenticated users to gain operator.admin privileges by declaring operator scopes on non-Control-UI clients. The incomplete scope-clearing mechanism fails to sanitize self-declared scopes when identity-bearing authentication paths process requests, enabling attackers to bypass authorization checks and achieve full administrative access. Vendor patch available via commit 8b88b927 in version 2026.3.31; no confirmed active exploitation (not in CISA KEV) but publicly disclosed with detailed GitHub security advisory increasing attack feasibility.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41403 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer, allowing attackers to bypass the allowRemoteViewer access control restriction. Unauthenticated remote attackers can exploit this authentication bypass by sending specially crafted proxied requests that are incorrectly identified as local traffic, gaining unauthorized access to the diffs viewer functionality. The vulnerability requires network access and specific timing/proximity conditions (per CVSS AT:P vector), but once exploited results in confidentiality impact through unauthorized information disclosure.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41402 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41398 npm LOW PATCH Monitor

OpenClaw before version 2026.4.2 improperly trusts local-network pages in its iOS A2UI bridge, allowing attackers to inject unauthorized agent.request commands by serving malicious content from local-network or tailnet hosts. This can pollute session state and consume user budget without authentication, though exploitation requires user interaction and proximity to the target network.

Apple Authentication Bypass
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41397 npm HIGH PATCH GHSA This Week

Sandbox escape in OpenClaw file synchronization before version 2026.3.31 enables remote authenticated attackers to read and write arbitrary files outside intended boundaries via crafted symlinks during mirror sync operations. The vulnerability exploits CWE-59 (Improper Link Resolution Before File Access) with attack complexity rated High and requires low privileges, indicating targeted exploitation scenarios. Vendor patches available via GitHub commits c02ee8a and 3b9dab0, with CVSS 7.6 reflecting high confidentiality and integrity impact but no availability impact. No active exploitation or public POC identified at time of analysis beyond vendor disclosure.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-41395 npm HIGH PATCH GHSA This Week

Webhook replay attacks in OpenClaw before 2026.3.28 allow remote attackers to trigger duplicate voice-call processing by reordering query parameters in captured Plivo V3 signed webhooks. The vulnerability stems from inconsistent canonicalization: signature verification sorts query parameters before validation, but replay detection hashes the raw URL with original parameter ordering. Attackers possessing a single valid signed webhook can bypass replay cache indefinitely by permuting query string order, causing repeated execution of voice-call workflows without requiring authentication or cryptographic breaks. No public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) with network vector (AV:N) requiring no privileges (PR:N).

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41394 npm HIGH PATCH This Week

Authentication bypass in OpenClaw allows remote unauthenticated attackers to execute privileged runtime operations intended for authorized operators. The vulnerability exists in plugin-auth HTTP routes that incorrectly grant operator-level write scopes without authentication checks. Attackers can remotely exploit this flaw with low complexity (CVSS:4.0 AV:N/AC:L/PR:N) to modify runtime configurations and perform administrative actions. Vendor-released patch available as of commit 2a1db0c (March 31, 2026). No active exploitation confirmed in CISA KEV, though EPSS data unavailable for risk calibration.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-41392 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows local authenticated users with user interaction to bypass exec allowlist restrictions via shell initialization file options (--rcfile, --init-file, --startup-file), enabling them to load attacker-controlled initialization files and achieve high-impact unauthorized access to confined resources. Exploitation requires local access, low privileges, user interaction, and specific timing conditions, but bypasses a critical security control intended to restrict executable trust.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-41391 npm MEDIUM PATCH GHSA This Month

OpenClaw before version 2026.3.31 allows local authenticated attackers to redirect Python package-index traffic by injecting malicious URLs through unsanitized PIP_INDEX_URL and UV_INDEX_URL environment variables, enabling interception or manipulation of package management operations. The vulnerability requires local access and authentication but can result in high integrity impact through compromised package delivery. No active exploitation has been publicly confirmed, but the attack surface is direct and the remediation is straightforward.

Python Authentication Bypass
NVD GitHub
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-41390 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.3.28 allows local authenticated attackers to bypass execution allowlist controls via wrapper binary persistence. When users grant trust to wrapped commands (e.g., via /usr/bin/script), OpenClaw fails to distinguish the wrapper from the underlying executable, allowing attackers to reuse the wrapper's persistent trust to execute arbitrary unauthorized programs. No active exploitation confirmed (CISA KEV: not listed), but VulnCheck has published technical advisory details. EPSS data not available.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-41388 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows remote attackers to bypass configuration revocation controls by restarting the application, which rehydrates revoked Tlon configuration settings from disk state due to improper handling of empty-array settings during startup migration. An attacker with network access and the ability to trigger application restarts can restore previously revoked authentication or authorization configurations without explicit re-enablement, potentially compromising intended security controls.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41385 npm HIGH PATCH This Week

Plaintext private key storage in OpenClaw versions before 2026.3.31 exposes Nostr protocol signing keys through configuration retrieval methods. Authenticated attackers with network access can exploit redaction bypass in config.get methods to extract unencrypted private keys, enabling full impersonation of the compromised Nostr identity for signing and authentication operations. Vendor patch available via GitHub commit 57700d716f660591fb6e09727f3ca8041fa48b9d. EPSS and KEV data not available, but the authentication bypass tag and network attack vector indicate elevated risk for multi-tenant or shared OpenClaw deployments.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41382 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass authorization controls on Discord voice channels through exploitation of stale-role validation gaps and improper channel name validation, enabling unauthorized access to restricted voice channels that should be protected by member and channel allowlists. The vulnerability requires valid Discord credentials but enables privilege escalation within voice channel access controls. No public exploit code has been identified at the time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41381 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 contains an access control bypass in its Discord voice manager that allows authenticated attackers to send voice ingress requests before channel allowlist authorization checks are enforced, gaining unauthorized access to restricted voice channels. The vulnerability exploits a race condition or authorization sequencing flaw in the voice channel access control mechanism, affecting deployments with member-level access restrictions.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41379 npm HIGH PATCH This Week

Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-41378 npm HIGH PATCH GHSA This Week

Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.

Authentication Bypass Privilege Escalation RCE Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-41376 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 fails to properly validate message senders in Matrix thread root and reply context handling, allowing remote unauthenticated attackers to bypass sender allowlists and access filtered messages. The vulnerability requires user interaction and has low attack complexity, but impact is limited to information disclosure of message context that should have been restricted by access controls.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41375 npm HIGH PATCH This Week

Authorization bypass in OpenClaw phone channel endpoints allows authenticated low-privilege users to arm or disarm phone-based alarm channels without required administrative rights. Versions prior to 2026.3.28 fail to validate operator.admin scope for /phone arm and /phone disarm API endpoints when accessed through external channels (CWE-863). Patch released via GitHub commit aa66ae1fc, with CVSS 7.1 reflecting network-accessible integrity impact requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV); exploit development straightforward given simple API authorization flaw.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-24178 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.

RCE Authentication Bypass Nvidia Information Disclosure Privilege Escalation +1
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3893 CRITICAL PATCH CISA Act Now

Carlson Software VASCO-B GNSS receivers allow remote unauthenticated attackers to fully access and modify device configuration and operational functions due to complete absence of authentication controls (CWE-306). The network-accessible interface requires no credentials, enabling attackers to compromise device integrity and availability with low attack complexity. EPSS and KEV status not provided in available data; exploitation requires only network connectivity to the device management interface, typical in surveying and precision agriculture deployments where GNSS receivers may be exposed on operational networks.

Authentication Bypass Vasco B Gnss Receiver
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-7292 LOW POC Monitor

Improper authorization in o2oa up to version 10.0 allows remote attackers to bypass authentication via the syncFile function in NodeAgent.java, leading to unauthorized access to file operations. The vulnerability requires high attack complexity and has publicly available exploit code, though no active exploitation in the wild has been confirmed at this time.

Java Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-38651 Go HIGH PATCH GHSA This Week

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information

Jwt Attack Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5781 HIGH This Week

Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain administrator access by manipulating the 'identifier' field in direct HTTP requests to the '/minerva/moUser/update' endpoint. While the vulnerability requires existing low-level authenticated access and cannot be exploited through the graphical interface, the CVSS v4.0 score of 8.5 reflects high impact across confidentiality, integrity, and availability in the subsequent system context (SC:H/SI:H/SA:H). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5780 HIGH This Week

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sensitive user data across the entire application by manipulating user IDs in the '/minerva/moUser/show/' endpoint. The CVSS 4.0 score of 8.5 reflects high confidentiality impact to both vulnerable (VC:H) and subsequent (SC:H) systems, with subsequent high integrity (SI:H) and availability (SA:H) impacts indicating potential for lateral movement or privilege escalation after initial data disclosure. Coordinated disclosure by INCIBE-CERT suggests vendor notification occurred, though no public exploit code is currently identified and EPSS/KEV data are unavailable for this 2026 CVE.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5779 CRITICAL Act Now

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to modify arbitrary user profiles via the '/minerva/user/updateUserProfile' endpoint, enabling account takeover by changing victim email addresses and triggering password reset flows. Reported by INCIBE-CERT with authentication bypass tags, indicating likely real-world discovery during security assessment. CVSS 9.4 reflects high confidentiality, integrity, and scope impacts (VC:H/VI:H/SC:H/SI:H), though the PR:L requirement (low-privileged authenticated access) limits initial attack surface to users with valid credentials.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-40551 HIGH Monitor

Client-side authentication bypass in mpGabinet 23.12.19 and earlier allows local authenticated attackers to impersonate arbitrary users by patching the application binary. An attacker with legitimate low-privilege access to the system can manipulate the compiled application code to skip login verification entirely, gaining unauthorized access as any user including administrators. EPSS score not available for this 2026 CVE; no active exploitation or public POC confirmed at time of analysis.

Authentication Bypass Mpgabinet
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-6706 MEDIUM This Month

Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.

Authentication Bypass Hashicorp
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5944 MEDIUM PATCH This Month

Unauthenticated network attackers can access an exposed API passthrough endpoint on TCP port 7373 in Cisco Intersight Device Connector for Nutanix Prism Central, enabling enumeration of cluster metadata and invocation of cluster maintenance workflows that may disrupt active workloads. The vulnerability stems from missing authentication controls on a network-accessible service endpoint and carries a CVSS 6.7 score reflecting high availability impact despite limited confidentiality and integrity exposure. No public exploit code or active exploitation has been confirmed, but the attack requires no special conditions beyond network access to the deployment environment.

Cisco Authentication Bypass
NVD VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-3323 HIGH This Week

Remote unauthenticated access to sensitive data in VEGA VEGAPULS 6X Two-Wire industrial sensors exposes hashed credentials and access codes via unsecured configuration interface. Network-accessible interface (AV:N/AC:L/PR:N/UI:N) allows attackers to extract authentication materials without any prerequisites, enabling credential cracking and potential lateral movement in industrial networks. EPSS and KEV data not available; CERTVDE advisory confirms vulnerability in Ethernet-APL enabled industrial level measurement devices running PROFINET, Modbus TCP, and OPC UA protocols. No public exploit identified at time of analysis, though exploitation trivial due to lack of authentication requirement.

Authentication Bypass Vegapuls 6X Two Wire Profinet Modbus Tcp Opc Ua Ethernet Apl
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-54013 HIGH PATCH This Week

Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Qnd 8080R
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40966 Maven MEDIUM PATCH This Month

Spring AI fails to properly isolate conversation contexts when user-supplied input is passed directly as conversationId to VectorStoreChatMemoryAdvisor, allowing remote unauthenticated attackers to inject filter logic that exfiltrates sensitive data from other users' chat histories, including secrets and credentials. Exploitation requires moderately complex attack construction (AC:H) but no user interaction, affecting only applications with the specific vulnerable configuration pattern.

Java Authentication Bypass
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-41372 npm MEDIUM PATCH This Month

OpenClaw before version 2026.4.2 fails to normalize trailing-dot localhost hostnames in Chrome DevTools Protocol (CDP) discovery responses, allowing attackers to bypass loopback address protections. An unauthenticated remote attacker can craft malicious CDP discovery responses that return 'localhost.' (with trailing dot) instead of the standard 'localhost', causing the browser control mechanism to treat it as a different hostname and redirect authenticated browser sessions to attacker-controlled endpoints, potentially exposing sensitive browser state and authentication tokens.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41371 npm HIGH PATCH This Week

Privilege escalation in OpenClaw chat.send API allows low-privileged gateway callers with write scope to execute admin-only session management operations. Attackers can forcibly reset user sessions, rotate session IDs, and archive chat transcripts without admin authorization by exploiting broken access control in the chat messaging path. This enables session hijacking and data manipulation attacks against legitimate users. Reported by VulnCheck disclosure team with vendor security advisory published; no public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-41367 npm MEDIUM PATCH This Month

OpenClaw versions 2026.2.14 through 2026.3.24 fail to enforce guild and channel policy gates on Discord button and component interactions, allowing authenticated users to trigger privileged component actions from contexts where those actions should be blocked. The vulnerability bypasses channel policy enforcement via policy gate inconsistency, enabling privilege escalation within Discord servers where OpenClaw is deployed.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41365 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows authenticated remote attackers to bypass sender allowlist filters when retrieving MS Teams thread history via Microsoft Graph API, enabling access to messages that should be restricted by security policies. The vulnerability affects organizations using OpenClaw's Teams integration and has been patched as of the specified version.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-40976 Maven CRITICAL PATCH GHSA Act Now

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

Java Authentication Bypass Spring Boot
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27785 HIGH CISA Act Now

Hard-coded credentials in Milesight AIOT camera firmware allow adjacent network attackers to gain full system access without authentication. CISA ICS-CERT has published an advisory, indicating industrial/IoT deployment concern. The CVSS 7.7 score reflects adjacent network vector (AV:A) with low complexity (AC:L) and no authentication required (PR:N), enabling complete compromise of confidentiality, integrity, and availability on vulnerable devices. Firmware-level credential hardcoding (CWE-798) cannot be disabled through configuration changes, making patching critical for exposed industrial camera deployments.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-28747 HIGH CISA Act Now

A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.

Authentication Bypass Ms Cxx63 Pd Ms Cxx64 Xpd Ms Cxx73 Xpd Ms Cxx75 Xxpd +29
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-7145 MEDIUM This Month

A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-7144 LOW POC Monitor

A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41464 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.1
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH This Week

Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

## Summary The OIDC token introspection endpoint (`/modules/sso/index.php/oidc/introspect`) always returns `{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. ## Details The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ## PoC ```bash # Step 1: Confirm the introspection endpoint exists and always returns active # No valid token needed - any string works curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" # Expected response: {"active":true} # Step 2: Try with an empty token curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" # Expected response: {"active":true} # Step 3: Demonstrate that revocation is also broken curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" # Expected response: {"revoked":true} # But the token is NOT actually revoked in the database # Step 4: Verify the token is still active after "revocation" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" # Still returns: {"active":true} ``` ## Impact - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. ## Recommended Fix Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Inverted authorization logic in Admidio's two-factor authentication reset module allows non-admin users with profile edit permissions to strip TOTP protection from administrator accounts while paradoxically blocking users from resetting their own 2FA. A group leader holding 'hasRightEditProfile()' rights on an admin account can send a single POST request to /adm_program/modules/profile/two_factor_authentication.php with the admin's UUID, disabling the admin's 2FA and reducing account security to password-only. This vulnerability affects Admidio versions ≤5.0.8; patched version 5.0.9 corrects the inverted comparison operator. Public exploit code exists via the GitHub advisory's proof-of-concept. No confirmed active exploitation (not in CISA KEV).

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows user managers with rol_edit_user permission to bypass multi-tenant organization isolation and retrieve complete member directories across all organizations by directly calling the contacts_data.php endpoint with mem_show_filter=3, exploiting a permission check mismatch between the frontend UI (which correctly requires isAdministrator() and contacts_show_all setting) and the backend API endpoint (which only requires the weaker isAdministratorUsers() check). Affected data includes full names, email addresses, login names, UUIDs, and all configured profile fields from unauthorized organizations. This is confirmed actively exploited vulnerability with patch available in version 5.0.9.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated users with shared workflow access in n8n can exfiltrate other users' API credentials by injecting foreign credential IDs into dynamic-node-parameters endpoint requests. The vulnerability forces the n8n backend to decrypt and replay stolen credentials against attacker-controlled URLs, enabling credential theft across workflow collaborators. Affects npm package n8n versions <1.123.33 and 2.17.0-2.17.4, with vendor-confirmed patches available in 1.123.33 and 2.17.5. No public exploit identified at time of analysis, though CVSS 8.5 with scope change (S:C) reflects the multi-tenant credential boundary violation.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in n8n's public API variables endpoint allows authenticated users with variable:list API key scope to read project variables from any project regardless of membership by manipulating the projectId query parameter. The API handler bypassed project membership authorization checks present in the enterprise service layer, enabling cross-project secret disclosure. This affects only licensed enterprise or team deployments with multiple projects and variables feature enabled. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

n8n Chat Trigger's Hosted Chat feature fails to verify WebSocket connection authorization on the /chat endpoint, allowing unauthenticated remote attackers to hijack workflow executions in waiting state by obtaining the execution ID, intercept intended user prompts, and submit arbitrary input to influence downstream workflow behavior. This affects instances configured with authentication set to None. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1. No public exploit code identified at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tenda
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Authentication Bypass Merge Pacs
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available.

Authentication Bypass Freertos Plus Tcp
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.

Authentication Bypass Wazuh
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing.

Authentication Bypass Identityiq
NVD VulDB
EPSS 17% 5.4 CVSS 9.3
CRITICAL POC KEV EUVD KEV PATCH THREAT Act Now

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.

Authentication Bypass Cpanel Whm Wp Squared
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

Jenkins Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

Jenkins Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass. This issue affects Pardus: from <=0.6.4 before 0.8.0.

Authentication Bypass Pardus
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.22.

Authentication Bypass Spectra
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in StellarWP GiveWP give allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GiveWP: from n/a through <= 4.14.5.

Authentication Bypass Givewp
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.

WordPress Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for protecting sensitive data. An authenticated attacker could exploit this vulnerability by decoding and manipulating Base64-encoded parameters in the request URL to gain unauthorized access to sensitive information on the targeted system.

Information Disclosure Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target user and gain unauthorized access to user accounts on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

This vulnerability exists in e-Sushrut due to improper authentication logic that relies on client-side response parameters to determine authentication status. A remote attacker could exploit this vulnerability by intercepting and modifying the server response. Successful exploitation of this vulnerability could allow the attacker to bypass authentication and gain unauthorized access to user accounts on the targeted system.

Authentication Bypass E Sushrut Hospital Management Information System Hmis
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1.

Authentication Bypass Wp User Frontend
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Missing Authorization vulnerability in Brainstorm Force SureForms Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureForms Pro: from n/a through 2.8.0.

Authentication Bypass Sureforms Pro
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

B1 Free Archiver v1.5.86 strips Mark of the Web (MotW) protections from files extracted from internet-downloaded archives, allowing untrusted executables to run without Windows Defender SmartScreen warnings. Attackers can deliver malware via email attachments or malicious downloads that, when extracted using this archiver, bypass Windows security prompts entirely. EPSS exploitation probability is minimal (0.01%) with no active exploitation or public POC identified, suggesting limited real-world targeting despite the 7.3 CVSS score and theoretical RCE capability.

RCE Microsoft Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

### Summary The gRPC, QUIC, DoH, and DoH3 transports in CoreDNS incorrectly handle TSIG authentication. For gRPC and QUIC, CoreDNS checks whether the TSIG key name exists in the config, but does not actually verify the TSIG HMAC. If the key name matches, `tsigStatus` remains nil and the tsig plugin treats the request as "verified". For DoH and DoH3, the issue is worse: TSIG is not verified at all. The DoH response writer has `TsigStatus()` hardcoded to return nil, so any request containing a TSIG record is treated as authenticated, even if the key name is invalid and the MAC is garbage. As a result, attackers may bypass TSIG authentication on affected transports and access TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic updates, or other TSIG-gated plugin behavior. ### Details In `server_grpc.go` and `server_quic.go`, the TSIG handling checks whether the TSIG key name exists, but does not call `dns.TsigVerify()`. Relevant code before fix: ```go if tsig := msg.IsTsig(); tsig != nil { if s.tsigSecret == nil { w.tsigStatus = dns.ErrSecret } else if _, ok := s.tsigSecret[tsig.Hdr.Name]; !ok { w.tsigStatus = dns.ErrSecret } // key found -> nothing happens -> tsigStatus stays nil -> "verified" } ``` This means that for gRPC and QUIC, a request with a known TSIG key name but an invalid MAC is accepted as authenticated. PRs #7943 and #7947 partially addressed this area by adding key name checks for gRPC and QUIC, but did not add HMAC verification. The DoH and DoH3 paths have an even weaker failure mode. In `https.go`, `DoHWriter.TsigStatus()` returned nil unconditionally: ```go func (d *DoHWriter) TsigStatus() error { return nil } ``` In `server_https.go`, the incoming DNS message is unpacked from the HTTP request and passed directly into `ServeDNS()` without checking `msg.IsTsig()`, without looking up the TSIG key name, and without calling `dns.TsigVerify()`. The same pattern exists in the DoH3 path in `server_https3.go`. The effective DoH/DoH3 flow before the fix was: 1. HTTP or HTTP/3 request arrives. 2. DNS message is unpacked from the request. 3. A `DoHWriter` is created. 4. The message is passed to `ServeDNS()`. 5. The tsig plugin checks `w.TsigStatus()`. 6. `TsigStatus()` returns nil. 7. nil is interpreted as successful TSIG verification. This means that for DoH and DoH3, CoreDNS did not even require a valid TSIG key name. Any TSIG record was enough to satisfy the tsig plugin, regardless of key name or MAC contents. ### PoC Setup: built CoreDNS from master at commit `12d9457` and also verified against the v1.14.2 release binary. Configured a single test zone with 9 records and `tsig { require all }`. Listeners used the same TSIG configuration and key: - TCP on port 1053, using the normal `dns.Server` path where TSIG HMAC verification works correctly - gRPC on port 1443, using manual TSIG handling - DoH on port 8443 - DoH3 with the same TSIG configuration #### gRPC / QUIC behavior A test client sent AXFR requests over gRPC with a valid TSIG key name but forged MAC values. The same requests were sent over TCP for comparison. | MAC used | gRPC | TCP | |----------|------|-----| | 32 zero bytes | BYPASS, 9 records returned | BADSIG | | 32 random bytes | BYPASS, 9 records returned | BADSIG | | HMAC computed with wrong secret | BYPASS, 9 records returned | BADSIG | | truncated to 16 bytes | BYPASS, 9 records returned | BADSIG | | single byte `0x41` | BYPASS, 9 records returned | BADSIG | | empty MAC | BYPASS, 9 records returned | BADSIG | | wrong key name + zero MAC | REJECTED, NOTAUTH/BADKEY | REJECTED, NOTAUTH/BADKEY | 6 out of 7 forged TSIG requests bypassed authentication over gRPC and returned a full zone transfer. The only rejected case was the wrong key name, because the gRPC path checked whether the key name existed. The same class applied to QUIC. #### DoH / DoH3 behavior For DoH, a test client sent DNS queries over HTTPS POST to `/dns-query` with forged TSIG records. These requests were also compared against TCP. | TSIG variant | DoH result | TCP result | |-------------|------------|------------| | 32 zero bytes | BYPASS, NOERROR | BADSIG | | 32 random bytes | BYPASS, NOERROR | BADSIG | | HMAC computed with wrong secret | BYPASS, NOERROR | BADSIG | | truncated to 16 bytes | BYPASS, NOERROR | BADSIG | | single byte `0x41` | BYPASS, NOERROR | BADSIG | | empty MAC | BYPASS, NOERROR | BADSIG | | bad key name | BYPASS, NOERROR | NOTAUTH/BADKEY | | no TSIG record | REJECTED, REFUSED | REJECTED, REFUSED | 7 out of 8 cases bypassed authentication over DoH. Every request containing a TSIG record was accepted, including requests with an invalid key name. An AXFR request over DoH with a forged TSIG record using a zero-byte MAC returned the full test zone. The same pattern applies to DoH3 because it used the same `DoHWriter` TSIG behavior and did not verify TSIG before passing the message into the plugin chain. To confirm that the tsig plugin itself was enforcing policy, requests with no TSIG record were rejected with `REFUSED`. The bypass happens because the transport layer reports successful TSIG verification when verification either did not happen or only checked the key name. ### Impact An unauthenticated network attacker may bypass TSIG authentication on affected CoreDNS transports. Depending on configuration, this may allow an attacker to: - perform AXFR or IXFR zone transfers over affected transports - dump TSIG-protected zone data - submit dynamic DNS updates if enabled - bypass other TSIG-gated plugin behavior - authenticate over DoH or DoH3 without knowing a valid TSIG key name The DoH and DoH3 variants have a lower exploitation bar than gRPC and QUIC because the attacker does not need to know a configured TSIG key name. Any TSIG record is treated as valid. ### Affected transports - gRPC - QUIC - DoH - DoH3 ### Workarounds If upgrading is not immediately possible: - Disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required. - Restrict network-level access to affected transport ports to trusted sources only. - Avoid exposing TSIG-protected functionality such as AXFR, IXFR, or dynamic updates over affected transports. ### Fix Affected transports must verify TSIG before passing the DNS message into the plugin chain. For requests containing a TSIG record, the transport should: 1. check whether TSIG secrets are configured 2. verify that the TSIG key name exists 3. call `dns.TsigVerify()` against the original wire-format message 4. store the resulting status in the response writer 5. return that status from `TsigStatus()` A successful key name lookup alone is not sufficient. A nil TSIG status must only be returned after successful HMAC verification.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Summary CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC. ### Details The tsig plugin decides whether an incoming TSIG was valid by consulting w.TsigStatus(): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... } (plugin/tsig/tsig.go) Two affected transports are shown directly in the PoC: - DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain. - DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go). The same transport-family bug pattern also appears on other transports: - DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -> core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior. - DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go). - gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go). The attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience. ### PoC 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./tsig-repro.py 3. Expected output: *** Start CoreDNS *** Corefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile Log: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log *** Baseline (plain TCP) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=9 (expected NOTAUTH=9) *** Candidate (DoT) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount>0) *** Candidate (DoH) *** no_tsig http=200 rcode=5 (expected REFUSED=5) invalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount>0) *** OK *** TSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it. Results: /tmp/vh-f001-tsig-doh-dot-bypass/results.json ### Impact Unauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).

Authentication Bypass Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

### Summary CoreDNS' transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule (name-dependent), allowing an unauthorized client to perform AXFR/IXFR for the subzone and retrieve its zone contents. ### Details In plugin/transfer/transfer.go, stanza selection is implemented by longestMatch(), which is documented as "longest zone match wins", but it actually chooses the winner via a lexicographic string comparison: - zone := "" // longest zone match wins (plugin/transfer/transfer.go) - if z > zone { zone = z; x = xfr } (plugin/transfer/transfer.go) So, a parent zone like example.org. can beat a child zone like a.example.org. purely due to lexicographic ordering ("example.org." > "a.example.org."), even though the child zone is the longer/more specific suffix match. The bypass is data-dependent (some child labels will win, some will lose), making it operationally non-intuitive. ### PoC 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./acl-repro.py 3. Expected output: *** Baseline (only subzone transfer rule) *** axfr a.example.org.: rcode=5 ancount=0 (expected REFUSED=5) *** Candidate (add permissive parent transfer rule) *** axfr a.example.org.: rcode=0 ancount=5 (expected NOERROR=0 with ancount>0) *** OK *** Subzone transfer ACL bypass reproduced: adding a permissive parent-zone stanza can override a stricter child-zone stanza due to lexicographic zone selection. ### Impact Unauthorized zone transfer can expose full zone contents to a remote network client that was intended to be denied by a subzone-specific transfer policy.

Suse Authentication Bypass Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

### Summary The application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption. ### Details The vulnerability exists in the user update logic. When a ```POST``` request is sent to ```/EditUser```, the backend processes the ```nick``` form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable. ### PoC ***1.*** Log in to the dashboard as any user (e.g. admin user). ***2.*** Go to your Profile by clicking your username/avatar in the top right. ***3.*** Open Burp Suite and ensure Intercept is ON. ***5.*** Click the Save button in the UI. ***6.*** In Burp Suite, locate ```nick``` in the body: <img width="1915" height="1013" alt="Screenshot_2026-03-04_05_26_32" src="https://github.com/user-attachments/assets/aea4e6fd-beba-4a47-96da-8b9bd9075681" /> ***7.*** Change the value admin to Vulnerable (or any other string). ***8.*** Click Forward in Burp Suite. The application will log the user out. It is possible to now log back in using the username "Vulnerable" and the original password. ### Impact An attacker can effectively sabotage the system’s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment. ### Result #### Before <img width="1920" height="996" alt="Screenshot_2026-03-04_05_25_30" src="https://github.com/user-attachments/assets/3b2d34e5-a2b9-4da9-9a56-963fe1a8fd65" /> #### After <img width="1920" height="955" alt="Screenshot_2026-03-04_05_27_00" src="https://github.com/user-attachments/assets/af1de0ef-2b55-4d29-9557-29ee26a3775a" />

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.

Authentication Bypass Outline
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Snap One WattBox 800 and 820 series firmware versions prior to 2.10.0.0 contain undisclosed diagnostic HTTP endpoints that require only the device MAC address and service tag for authentication, both of which are printed in plaintext on the physical device label. Attackers with access to the device label or documentation containing these values can authenticate to the several endpoints and execute arbitrary commands as root on the device.

Authentication Bypass
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.

Authentication Bypass Race Condition Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.31 contains a sender allowlist bypass vulnerability allowing remote attackers to access restricted messages by exploiting quoted, root, and thread context message retrieval mechanisms. The vulnerability affects default configurations and requires user interaction (CVSS UI:P), making it a moderate-risk authentication bypass that undermines message access controls.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation in OpenClaw's trusted-proxy authentication mode allows low-privileged authenticated users to gain operator.admin privileges by declaring operator scopes on non-Control-UI clients. The incomplete scope-clearing mechanism fails to sanitize self-declared scopes when identity-bearing authentication paths process requests, enabling attackers to bypass authorization checks and achieve full administrative access. Vendor patch available via commit 8b88b927 in version 2026.3.31; no confirmed active exploitation (not in CISA KEV) but publicly disclosed with detailed GitHub security advisory increasing attack feasibility.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer, allowing attackers to bypass the allowRemoteViewer access control restriction. Unauthenticated remote attackers can exploit this authentication bypass by sending specially crafted proxied requests that are incorrectly identified as local traffic, gaining unauthorized access to the diffs viewer functionality. The vulnerability requires network access and specific timing/proximity conditions (per CVSS AT:P vector), but once exploited results in confidentiality impact through unauthorized information disclosure.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

OpenClaw before version 2026.4.2 improperly trusts local-network pages in its iOS A2UI bridge, allowing attackers to inject unauthorized agent.request commands by serving malicious content from local-network or tailnet hosts. This can pollute session state and consume user budget without authentication, though exploitation requires user interaction and proximity to the target network.

Apple Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Sandbox escape in OpenClaw file synchronization before version 2026.3.31 enables remote authenticated attackers to read and write arbitrary files outside intended boundaries via crafted symlinks during mirror sync operations. The vulnerability exploits CWE-59 (Improper Link Resolution Before File Access) with attack complexity rated High and requires low privileges, indicating targeted exploitation scenarios. Vendor patches available via GitHub commits c02ee8a and 3b9dab0, with CVSS 7.6 reflecting high confidentiality and integrity impact but no availability impact. No active exploitation or public POC identified at time of analysis beyond vendor disclosure.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Webhook replay attacks in OpenClaw before 2026.3.28 allow remote attackers to trigger duplicate voice-call processing by reordering query parameters in captured Plivo V3 signed webhooks. The vulnerability stems from inconsistent canonicalization: signature verification sorts query parameters before validation, but replay detection hashes the raw URL with original parameter ordering. Attackers possessing a single valid signed webhook can bypass replay cache indefinitely by permuting query string order, causing repeated execution of voice-call workflows without requiring authentication or cryptographic breaks. No public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) with network vector (AV:N) requiring no privileges (PR:N).

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication bypass in OpenClaw allows remote unauthenticated attackers to execute privileged runtime operations intended for authorized operators. The vulnerability exists in plugin-auth HTTP routes that incorrectly grant operator-level write scopes without authentication checks. Attackers can remotely exploit this flaw with low complexity (CVSS:4.0 AV:N/AC:L/PR:N) to modify runtime configurations and perform administrative actions. Vendor-released patch available as of commit 2a1db0c (March 31, 2026). No active exploitation confirmed in CISA KEV, though EPSS data unavailable for risk calibration.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows local authenticated users with user interaction to bypass exec allowlist restrictions via shell initialization file options (--rcfile, --init-file, --startup-file), enabling them to load attacker-controlled initialization files and achieve high-impact unauthorized access to confined resources. Exploitation requires local access, low privileges, user interaction, and specific timing conditions, but bypasses a critical security control intended to restrict executable trust.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows local authenticated attackers to redirect Python package-index traffic by injecting malicious URLs through unsanitized PIP_INDEX_URL and UV_INDEX_URL environment variables, enabling interception or manipulation of package management operations. The vulnerability requires local access and authentication but can result in high integrity impact through compromised package delivery. No active exploitation has been publicly confirmed, but the attack surface is direct and the remediation is straightforward.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.3.28 allows local authenticated attackers to bypass execution allowlist controls via wrapper binary persistence. When users grant trust to wrapped commands (e.g., via /usr/bin/script), OpenClaw fails to distinguish the wrapper from the underlying executable, allowing attackers to reuse the wrapper's persistent trust to execute arbitrary unauthorized programs. No active exploitation confirmed (CISA KEV: not listed), but VulnCheck has published technical advisory details. EPSS data not available.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows remote attackers to bypass configuration revocation controls by restarting the application, which rehydrates revoked Tlon configuration settings from disk state due to improper handling of empty-array settings during startup migration. An attacker with network access and the ability to trigger application restarts can restore previously revoked authentication or authorization configurations without explicit re-enablement, potentially compromising intended security controls.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Plaintext private key storage in OpenClaw versions before 2026.3.31 exposes Nostr protocol signing keys through configuration retrieval methods. Authenticated attackers with network access can exploit redaction bypass in config.get methods to extract unencrypted private keys, enabling full impersonation of the compromised Nostr identity for signing and authentication operations. Vendor patch available via GitHub commit 57700d716f660591fb6e09727f3ca8041fa48b9d. EPSS and KEV data not available, but the authentication bypass tag and network attack vector indicate elevated risk for multi-tenant or shared OpenClaw deployments.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass authorization controls on Discord voice channels through exploitation of stale-role validation gaps and improper channel name validation, enabling unauthorized access to restricted voice channels that should be protected by member and channel allowlists. The vulnerability requires valid Discord credentials but enables privilege escalation within voice channel access controls. No public exploit code has been identified at the time of analysis.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.31 contains an access control bypass in its Discord voice manager that allows authenticated attackers to send voice ingress requests before channel allowlist authorization checks are enforced, gaining unauthorized access to restricted voice channels. The vulnerability exploits a race condition or authorization sequencing flaw in the voice channel access control mechanism, affecting deployments with member-level access restrictions.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.

Authentication Bypass Privilege Escalation RCE +1
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.31 fails to properly validate message senders in Matrix thread root and reply context handling, allowing remote unauthenticated attackers to bypass sender allowlists and access filtered messages. The vulnerability requires user interaction and has low attack complexity, but impact is limited to information disclosure of message context that should have been restricted by access controls.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in OpenClaw phone channel endpoints allows authenticated low-privilege users to arm or disarm phone-based alarm channels without required administrative rights. Versions prior to 2026.3.28 fail to validate operator.admin scope for /phone arm and /phone disarm API endpoints when accessed through external channels (CWE-863). Patch released via GitHub commit aa66ae1fc, with CVSS 7.1 reflecting network-accessible integrity impact requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV); exploit development straightforward given simple API authorization flaw.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.

RCE Authentication Bypass Nvidia +3
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Carlson Software VASCO-B GNSS receivers allow remote unauthenticated attackers to fully access and modify device configuration and operational functions due to complete absence of authentication controls (CWE-306). The network-accessible interface requires no credentials, enabling attackers to compromise device integrity and availability with low attack complexity. EPSS and KEV status not provided in available data; exploitation requires only network connectivity to the device management interface, typical in surveying and precision agriculture deployments where GNSS receivers may be exposed on operational networks.

Authentication Bypass Vasco B Gnss Receiver
NVD GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authorization in o2oa up to version 10.0 allows remote attackers to bypass authentication via the syncFile function in NodeAgent.java, leading to unauthorized access to file operations. The vulnerability requires high attack complexity and has publicly available exploit code, though no active exploitation in the wild has been confirmed at this time.

Java Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information

Jwt Attack Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain administrator access by manipulating the 'identifier' field in direct HTTP requests to the '/minerva/moUser/update' endpoint. While the vulnerability requires existing low-level authenticated access and cannot be exploited through the graphical interface, the CVSS v4.0 score of 8.5 reflects high impact across confidentiality, integrity, and availability in the subsequent system context (SC:H/SI:H/SA:H). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.

Authentication Bypass Minerva
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sensitive user data across the entire application by manipulating user IDs in the '/minerva/moUser/show/' endpoint. The CVSS 4.0 score of 8.5 reflects high confidentiality impact to both vulnerable (VC:H) and subsequent (SC:H) systems, with subsequent high integrity (SI:H) and availability (SA:H) impacts indicating potential for lateral movement or privilege escalation after initial data disclosure. Coordinated disclosure by INCIBE-CERT suggests vendor notification occurred, though no public exploit code is currently identified and EPSS/KEV data are unavailable for this 2026 CVE.

Authentication Bypass Minerva
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to modify arbitrary user profiles via the '/minerva/user/updateUserProfile' endpoint, enabling account takeover by changing victim email addresses and triggering password reset flows. Reported by INCIBE-CERT with authentication bypass tags, indicating likely real-world discovery during security assessment. CVSS 9.4 reflects high confidentiality, integrity, and scope impacts (VC:H/VI:H/SC:H/SI:H), though the PR:L requirement (low-privileged authenticated access) limits initial attack surface to users with valid credentials.

Authentication Bypass Minerva
NVD VulDB
EPSS 0% CVSS 8.4
HIGH Monitor

Client-side authentication bypass in mpGabinet 23.12.19 and earlier allows local authenticated attackers to impersonate arbitrary users by patching the application binary. An attacker with legitimate low-privilege access to the system can manipulate the compiled application code to skip login verification entirely, gaining unauthorized access as any user including administrators. EPSS score not available for this 2026 CVE; no active exploitation or public POC confirmed at time of analysis.

Authentication Bypass Mpgabinet
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.

Authentication Bypass Hashicorp
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Unauthenticated network attackers can access an exposed API passthrough endpoint on TCP port 7373 in Cisco Intersight Device Connector for Nutanix Prism Central, enabling enumeration of cluster metadata and invocation of cluster maintenance workflows that may disrupt active workloads. The vulnerability stems from missing authentication controls on a network-accessible service endpoint and carries a CVSS 6.7 score reflecting high availability impact despite limited confidentiality and integrity exposure. No public exploit code or active exploitation has been confirmed, but the attack requires no special conditions beyond network access to the deployment environment.

Cisco Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote unauthenticated access to sensitive data in VEGA VEGAPULS 6X Two-Wire industrial sensors exposes hashed credentials and access codes via unsecured configuration interface. Network-accessible interface (AV:N/AC:L/PR:N/UI:N) allows attackers to extract authentication materials without any prerequisites, enabling credential cracking and potential lateral movement in industrial networks. EPSS and KEV data not available; CERTVDE advisory confirms vulnerability in Ethernet-APL enabled industrial level measurement devices running PROFINET, Modbus TCP, and OPC UA protocols. No public exploit identified at time of analysis, though exploitation trivial due to lack of authentication requirement.

Authentication Bypass Vegapuls 6X Two Wire Profinet Modbus Tcp Opc Ua Ethernet Apl
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Qnd 8080R
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Spring AI fails to properly isolate conversation contexts when user-supplied input is passed directly as conversationId to VectorStoreChatMemoryAdvisor, allowing remote unauthenticated attackers to inject filter logic that exfiltrates sensitive data from other users' chat histories, including secrets and credentials. Exploitation requires moderately complex attack construction (AC:H) but no user interaction, affecting only applications with the specific vulnerable configuration pattern.

Java Authentication Bypass
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.4.2 fails to normalize trailing-dot localhost hostnames in Chrome DevTools Protocol (CDP) discovery responses, allowing attackers to bypass loopback address protections. An unauthenticated remote attacker can craft malicious CDP discovery responses that return 'localhost.' (with trailing dot) instead of the standard 'localhost', causing the browser control mechanism to treat it as a different hostname and redirect authenticated browser sessions to attacker-controlled endpoints, potentially exposing sensitive browser state and authentication tokens.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Privilege escalation in OpenClaw chat.send API allows low-privileged gateway callers with write scope to execute admin-only session management operations. Attackers can forcibly reset user sessions, rotate session IDs, and archive chat transcripts without admin authorization by exploiting broken access control in the chat messaging path. This enables session hijacking and data manipulation attacks against legitimate users. Reported by VulnCheck disclosure team with vendor security advisory published; no public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw versions 2026.2.14 through 2026.3.24 fail to enforce guild and channel policy gates on Discord button and component interactions, allowing authenticated users to trigger privileged component actions from contexts where those actions should be blocked. The vulnerability bypasses channel policy enforcement via policy gate inconsistency, enabling privilege escalation within Discord servers where OpenClaw is deployed.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows authenticated remote attackers to bypass sender allowlist filters when retrieving MS Teams thread history via Microsoft Graph API, enabling access to messages that should be restricted by security policies. The vulnerability affects organizations using OpenClaw's Teams integration and has been patched as of the specified version.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

Java Authentication Bypass Spring Boot
NVD VulDB
EPSS 0% CVSS 7.7
HIGH Act Now

Hard-coded credentials in Milesight AIOT camera firmware allow adjacent network attackers to gain full system access without authentication. CISA ICS-CERT has published an advisory, indicating industrial/IoT deployment concern. The CVSS 7.7 score reflects adjacent network vector (AV:A) with low complexity (AC:L) and no authentication required (PR:N), enabling complete compromise of confidentiality, integrity, and availability on vulnerable devices. Firmware-level credential hardcoding (CWE-798) cannot be disabled through configuration changes, making patching critical for exposed industrial camera deployments.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH Act Now

A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.

Authentication Bypass Ms Cxx63 Pd Ms Cxx64 Xpd +31
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

PHP Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass +1
NVD
Prev Page 44 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy