Skip to main content

Authentication Bypass

31221 CVEs technique

Monthly

CVE-2026-56360 npm MEDIUM PATCH This Month

Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56293 MEDIUM PATCH This Month

Incomplete state management in Capgo's transfer_app() function allows low-privileged authenticated users to retain or cause loss of access to deployment history records across organizations. Specifically, the function fails to update the deploy_history.owner_org field during inter-organization application transfers in all versions before 12.128.2, creating a persistent stale authorization grant. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-56250 HIGH PATCH This Week

Cross-tenant bundle deletion in Capgo (Capacitor live/OTA update platform) before 12.128.2 lets holders of an upload-scoped API key rewrite the mutable app_versions.r2_path column through the PostgREST data API, retargeting it at another tenant's Cloudflare R2 objects. By pointing a soft-deleted attacker version at a victim bundle and firing the on_version_update cleanup trigger, an attacker deletes the victim's R2 object, breaking that app's over-the-air update delivery. No public exploit is identified at time of analysis, but the mechanism is fully described and CVSS 4.0 rates availability impact as High (8.7).

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56246 HIGH PATCH This Week

Cross-organization authorization bypass in Capgo before 12.128.2 lets a scoped API key (limited_to_orgs) inherit its owner's full user permissions, so an admin holding a write key restricted to one organization can execute destructive operations against a different organization. Because route-level authorization (rbac_check_permission_direct) checks the owner's user privileges before enforcing the key's org scope, a key intended to be confined to Org A can call DELETE /organization or DELETE /organization/members on Org B. No public exploit has been identified at time of analysis; the flaw is documented in a GitHub Security Advisory (GHSA-ccm4-hf72-p28m) and a VulnCheck advisory.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56220 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets read-only organization members insert rows into the public.manifest table via a flawed INSERT row-level-security policy, poisoning the OTA update manifests that Capacitor apps fetch. Because these forged entries carry attacker-chosen s3_path values and are served to client devices through the unauthenticated /updates endpoint, a low-privileged insider can steer devices toward malicious update assets. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56217 MEDIUM PATCH This Month

Policy bypass in Capgo's OTA update enforcement allows holders of app-scoped API keys to downgrade encrypted app bundles to an unencrypted state by directly manipulating the app_versions table through PostgREST. Affected versions are all Capgo releases prior to 12.128.2. An attacker in possession of an app-scoped 'all' API key can nullify organization-level encrypted-bundle policies, silently stripping the cryptographic protections applied to over-the-air mobile updates and enabling distribution of unencrypted bundles to end-user devices. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56086 HIGH PATCH This Week

Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6.1.0-8.6.1.10, 8.3.1.0-8.3.1.30, and 7.13.1.0-7.13.1.70) allows a low-privileged, remote authenticated attacker to reach resources or actions beyond their assigned role, resulting in unauthorized access. Rated CVSS 8.8 (High) with high confidentiality, integrity, and availability impact and low attack complexity. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the low barrier to exploitation for any existing account makes this a meaningful escalation risk on these backup appliances.

Authentication Bypass Dell Data Domain Operating System
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-54061 CRITICAL PATCH Act Now

Missing authentication in Dgraph Alpha lets an unauthenticated network client destroy and overwrite an entire database group's data via the external-snapshot import RPCs exposed on the public gRPC port :9080. Any attacker able to reach port 9080 can open a StreamExtSnapshot session; because the receiver calls Prepare() before ingesting the stream, the existing store is deleted and replaced with attacker-supplied Badger data. Fixed in version 25.3.5; no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-5459 MEDIUM This Month

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. No public exploit has been identified at time of analysis, but the zero-privilege, low-complexity attack path makes this straightforward to weaponize against any site monetizing through this plugin's membership features.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-5356 HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-3688 HIGH This Week

Privilege escalation via Insecure Direct Object Reference in the WCFM Membership (WooCommerce Memberships for Multivendor Marketplace) WordPress plugin versions up to and including 2.11.10 lets authenticated users holding at least vendor-level access manipulate the 'wcfmvm_membership_change' AJAX action to reassign any user's account to the 'wcfm_vendor' role by altering their membership plan. Because the action never checks whether the caller is authorized to modify the targeted user, a low-privileged marketplace vendor can tamper with arbitrary accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS of 8.1 and network-reachable authenticated vector make it a meaningful multivendor-store risk.

Authentication Bypass WordPress Wcfm Membership Woocommerce Memberships For Multivendor Marketplace
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-9695 CRITICAL Act Now

Authentication bypass in Dassault Systèmes DELMIA Apriso (Release 2020 through Release 2026) lets remote unauthenticated attackers obtain privileged access to the manufacturing operations server, consistent with the CVSS PR:N/UI:N metrics. Rated CVSS 9.8 (C:H/I:H/A:H), it exposes shop-floor and production-control functions to full compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Delmia Apriso
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12153 CRITICAL Act Now

Authorization bypass in the WP Learn Manager WordPress plugin (all versions through 1.1.8) lets unauthenticated attackers install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. The flaw stems from AJAX handlers that fail to verify a caller's authorization, and Wordfence rates it CVSS 9.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patch target.

Authentication Bypass WordPress Wp Learn Manager
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-12097 MEDIUM This Month

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the ability to preconfigure exports to surface password hashes represents a meaningful secondary confidentiality risk beyond the raw CVSS 5.3 Medium score.

Authentication Bypass WordPress User Management
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14495 HIGH This Week

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. No public exploit identified at time of analysis, but the flaw was reported by Wordfence and the vulnerable code paths are cited directly in the WordPress plugin repository.

WordPress Authentication Bypass Dologin Security
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-56843 CRITICAL PATCH Act Now

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.

Authentication Bypass Plesk
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-36028 MEDIUM POC This Month

Kiosk restriction bypass in the Code 27 Companion Hub allows an attacker with physical device access to perform a factory reset that completely circumvents the kiosk protection mechanism, granting full control over the device. The flaw (CWE-288) represents a protection mechanism failure where an alternate path - the factory reset function - is not gated by the same access controls as the restricted kiosk environment. A publicly available proof-of-concept exploit exists on GitHub, and while SSVC rates exploitation status as none and EPSS sits at 0.21% (11th percentile), the availability of working exploit code lowers the barrier for opportunistic physical-access attacks.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-53552 Go CRITICAL POC GHSA Act Now

Cross-namespace privilege escalation in goploy (zhenorzz/goploy through 1.17.5 and develop HEAD) lets any authenticated user holding the low-privilege `manager` role in their own namespace read, overwrite, plant, or delete project files in ANY other tenant's project, and rewrite any project's git remote URL, because the `/project/addFile`, `/project/editFile`, `/project/removeFile`, and `/project/edit` handlers act on body-supplied project/file row ids without verifying the target belongs to the caller's namespace. The rewritten git remote escalates to remote code execution on the next deploy, when goploy runs `git remote set-url origin <attacker-url>` and pulls attacker-controlled code under the goploy service account. A detailed proof-of-concept exists demonstrating all four primitives against the published Docker image, though no active exploitation has been reported.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
9.6
CVE-2026-53487 Go MEDIUM POC PATCH GHSA This Month

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the `x-cluster-name` header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. No public exploit identified at time of analysis, though the reporter provided and validated a working Go proof-of-concept test demonstrating the bypass.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
4.3
CVE-2026-59704 HIGH PATCH This Week

Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. The flaw combines confidentiality loss over private content with an abusable, cost-incurring side effect.

Authentication Bypass Cap
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59705 CRITICAL PATCH Act Now

Unauthenticated data theft, tampering, and denial-of-service affects mem0's OpenMemory API server (openmemory/api component), where several API routers are mounted without any authentication middleware. Because CVSS 4.0 vector shows PR:N and CWE-306 (Missing Authentication for a Critical Function), remote attackers can pass arbitrary user_id values to read, overwrite, or delete any user's stored memories, and can trigger a global pause to break the service for everyone. Reported by VulnCheck with a vendor patch commit available; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Mem0
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-54698 MEDIUM PATCH This Month

Row-level authorization bypass in Hasura GraphQL Engine prior to versions 2.49.2 and 2.45.5 permits low-privileged authenticated users to infer the contents of rows their role's permissions should suppress. By submitting crafted where-clause predicates against table computed fields returning SETOF results, an attacker exploits the query response as a boolean oracle - iteratively reconstructing protected column values through binary-search-style probing without ever directly retrieving the restricted rows. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.0 with VC:H reflects meaningful confidentiality exposure specifically in deployments relying on row-level security as a data boundary.

Authentication Bypass Oracle Graphql Engine
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-54602 HIGH PATCH This Week

Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM interaction traces via GET /api/core/ai/record/getRecord. The endpoint verifies the caller is logged in but fetches records solely by requestId without checking team ownership, exposing cross-tenant prompts, retrieved RAG chunks, and model completions to any user who can guess or obtain a valid requestId. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but exploitation requires only a low-privilege account and knowledge of a target requestId.

Authentication Bypass Fastgpt
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-55418 HIGH PATCH This Week

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by supplying that team's S3 object key to the chat-file presign or dataset preview endpoints. The handlers authorize an unrelated resource but then sign or read the S3 object using a request-supplied key without verifying tenant ownership, so global bucket keys become an IDOR primitive. No public exploit code has been identified at time of analysis, though the upstream fix (PR #7104 / commit decb6d2) reveals the exact vulnerable code path.

Authentication Bypass Fastgpt
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-28378 LOW Monitor

Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained impact and prerequisite of an existing Org Admin credential.

Grafana Enterprise Grafana Oss Authentication Bypass
NVD VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-59706 CRITICAL PATCH Act Now

Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote attackers steal stored LLM provider credentials and pivot into internal infrastructure. Because the /api/v1/config/ endpoints require no authentication (CWE-306), an attacker can GET plaintext secrets such as OpenAI API keys and PUT a malicious ollama_base_url to coerce the server into requesting internal-only addresses like cloud instance metadata (IMDS). CVSS 4.0 rates this 9.2 (Critical); there is no public exploit identified at time of analysis, but the attack is trivial and reported by VulnCheck.

Authentication Bypass SSRF Mem0
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-53518 npm HIGH PATCH GHSA This Week

Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.

Authentication Bypass Nginx Redis Microsoft
NVD GitHub
CVSS 4.0
7.6
EPSS
0.5%
CVE-2026-53517 npm HIGH PATCH GHSA This Week

Refresh-token family forking in better-auth's OAuth provider plugin (@better-auth/oauth-provider 1.6.0–1.6.10, and embedded in better-auth 1.4.8-beta.7–1.5.x) lets a race condition on the /oauth2/token refresh_token grant split one parent refresh token into multiple valid child families, defeating RFC 9700 reuse detection. An attacker holding a stolen refresh token who times two concurrent redemptions can obtain a persistent, independently-rotating branch that survives revocation of the legitimate user's branch and never trips family-invalidation. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the security impact is indefinite unauthorized access plus detection bypass at the victim's full authorization scope.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-53516 npm HIGH PATCH GHSA This Week

Pre-account-hijacking in the better-auth Node/TypeScript authentication library (versions < 1.6.11 on the stable line and all current `next` pre-releases) lets an unauthenticated attacker seize a victim's account by pre-registering the victim's email via `/sign-up/email`, then having the victim's later OAuth/SSO sign-in implicitly linked to the attacker's row. The result is a single account the attacker controls with a working password login plus the victim's OAuth identity, and the link-time verification flip defeats `requireEmailVerification: true`. No public exploit identified at time of analysis; not listed in CISA KEV, though the flaw is the same class as Microsoft nOAuth (2023) and the Sign in with Apple JWT flaw (2020).

Authentication Bypass Apple Microsoft Google
NVD GitHub
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-53514 npm HIGH PATCH GHSA This Week

Privilege escalation and account/organization takeover in the better-auth Node/TypeScript library affects applications using the organization plugin with unverified email sign-up enabled (emailAndPassword without requireEmailVerification). Because acceptInvitation treats a plain email-string match as proof of address ownership, an attacker who pre-registers an unverified account keyed to a victim's address and obtains a leaked invitationId can accept an admin's invitation and join the organization at the invited role. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the mechanism is fully documented in the vendor advisory (GHSA-fmh4-wcc4-5jm3).

Authentication Bypass
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-50007 HIGH PATCH This Week

Privilege escalation via broken authorization in Actual (self-hosted open-source budgeting app) before 26.7.0 lets any shared user holding only user_access on a budget file invoke owner-only file-management endpoints. Because requireFileAccess treats ordinary shared access as sufficient, a low-privileged collaborator can call /delete-user-file, /reset-user-file, and /user-create-key to destroy or reset another user's budget data or rotate its encryption key. No public exploit is identified at time of analysis, and it is not in CISA KEV.

Authentication Bypass Actual
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-49471 PyPI HIGH POC PATCH GHSA This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python RCE Serena
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-50530 HIGH PATCH This Week

Insecure Direct Object Reference in DataEase before 2.10.24 lets a holder of any valid share-link token retrieve arbitrary datasets by tampering with the request body. The share-mode chart endpoint POST /de2api/chartData/getData validates only that sceneId matches the resourceId bound to the link token, but never checks that the supplied tableId and field IDs belong to the shared resource, so an attacker can swap in identifiers for datasets they were never granted. No public exploit is identified at time of analysis, but the flaw is trivially exploitable by anyone already given a legitimate share link.

Authentication Bypass Dataease
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-50529 HIGH PATCH This Week

Authentication bypass in DataEase open-source BI platform before 2.10.24 lets unauthenticated remote attackers who know a protected share UUID retrieve a valid X-DE-LINK-TOKEN from the /de2api/share/proxyInfo endpoint, because the token is issued before the share password or ticket is checked. With that token an attacker can call subsequent share APIs and read data behind password-protected dashboards without valid credentials. No public exploit identified at time of analysis; the flaw is fixed in 2.10.24.

Authentication Bypass Dataease
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-58473 CRITICAL POC PATCH Act Now

Instance-wide LLM configuration hijacking in Cognee before 1.2.0 lets any remote attacker self-register a normal account and overwrite the global LLM provider settings through the /api/v1/settings endpoint, which performs no admin or superuser authorization check. Because the configuration is held in a process-wide singleton cache, a single call redirects every user's LLM operations to an attacker-controlled endpoint, exfiltrating prompts, uploaded documents, extracted entities, and knowledge-graph content. This is confirmed publicly available exploit code exists (reported by VulnCheck, with a released vendor patch in v1.2.0), and the CVSS 4.0 score is 9.3 (Critical).

Authentication Bypass Cognee
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-57172 HIGH PATCH This Week

Authentication bypass in DataEase before 2.10.24 lets remote attackers forge valid share-link JWTs because ShareSecretManage ships with a hardcoded signature key (link-pwd-fit2cloud). An attacker who has obtained any passwordless share can mint linkToken JWTs that pass TokenFilter verification and access backend resources as the original share creator, even after that share has been revoked. There is no public exploit identified at time of analysis, but the hardcoded key is disclosed in the advisory, making forgery trivial once the signing algorithm is known.

Authentication Bypass Dataease
NVD GitHub
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-53730 HIGH PATCH This Week

Broken access control in DataEase before 2.10.24 lets any authenticated low-privilege user reach the /de2api/datasetData/previewSql endpoint, which is missing its mandatory @DePermit authorization check, and pass datasourceId=-1 to hit the built-in engine database and execute arbitrary SQL. This CWE-862 missing-authorization flaw exposes sensitive core application data and carries a CVSS 4.0 base score of 8.7 (High). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-53729 HIGH PATCH This Week

{id} route is explicitly whitelisted from authentication, exported data files can be pulled by fully unauthenticated remote attackers, matching the vendor's CVSS 4.0 PR:N rating (8.7, High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial ID-enumeration attack pattern makes exploitation straightforward once the endpoint is reachable.

Authentication Bypass Dataease
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-53512 npm CRITICAL PATCH GHSA Act Now

Confidential-client impersonation in better-auth below 1.6.11 lets an attacker who holds any leaked refresh_token and the public client_id mint fresh access tokens and rotated refresh tokens indefinitely. The deprecated oidcProvider() and mcp() plugins expose an OAuth 2.0 token endpoint whose refresh_token grant authenticates solely on the bound refresh-token row plus a matching client_id, never verifying the registered client_secret - a regression, since the same plugins' authorization_code grant does enforce the secret. No public exploit identified at time of analysis; the flaw was reported by @subhanUmer and fixed by the maintainers, with no CISA KEV listing or EPSS score supplied in the input.

Authentication Bypass XSS Canonical
NVD GitHub
CVSS 4.0
9.1
EPSS
0.3%
CVE-2026-55417 MEDIUM PATCH This Month

Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Authentication Bypass Chevereto Chevereto Chevereto Rodber Chevereto Free
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-59708 HIGH This Week

Unauthorized portfolio data exposure in Ghostfolio's public API allows anyone holding a private access ID to read another user's full portfolio through the GET /api/v1/public/:accessId/portfolio endpoint. The endpoint accepts private access IDs without enforcing the granteeUserId filter, so holdings, quantities, buy prices, and performance metrics are returned without authentication. This is an authorization (broken access control) flaw with high confidentiality impact and no known public exploit at time of analysis.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-48947 MEDIUM This Month

Improper access control in Joomla! CMS's com_media webservice endpoints allows privileged users to overwrite media files even when they lack explicit editing permissions. The flaw affects two active release lines - 4.1.0 through 5.4.6 and 6.0.0 through 6.1.1 - and is confirmed by the Joomla Security Centre. The CVSS 4.0 vector (SC:H/SI:H/SA:H) indicates that while the direct impact on the vulnerable system is limited (VI:L), successful exploitation can cascade into high-impact consequences on the broader site or dependent systems. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48958 MEDIUM This Month

Incorrect access control in Joomla! CMS exposes com_fields REST API webservices endpoints to users who lack the required permissions, allowing them to create custom field definitions that should be restricted to higher-privileged roles such as Manager or Administrator. The flaw originates from a missing or incorrectly evaluated ACL check in the webservices layer and is confirmed by Joomla's own Security Centre in advisory 20260712. No public exploit has been identified at time of analysis, though the CVSS scope-change metrics indicate potential for significant downstream impact to site content and dependent integrations if unauthorized field definitions are used to inject malicious markup.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-48955 MEDIUM This Month

Unauthorized access to workflow stage and transition data in Joomla! CMS is possible due to an improper access check in the com_workflow component (CWE-284), allowing authenticated users who lack the necessary workflow management permissions to read internal content publication configuration. The CVSS 4.0 vector assigns high subsequent-system impacts (SC:H/SI:H/SA:H), suggesting the vendor assessed this metadata exposure as a meaningful enabler of broader content pipeline compromise. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48956 MEDIUM This Month

Incorrect access control in Joomla! CMS's com_modules component exposes the module listing interface to frontend users who should not have visibility into installed modules. The flaw stems from CWE-284 (Improper Access Control), where the frontend fails to enforce sufficient privilege checks before returning module enumeration data. No public exploit or CISA KEV listing has been identified at time of analysis, and the EPSS score is not provided in source data, but the CVSS 4.0 score of 6.4 reflects meaningful subsequent-system impact potential stemming from reconnaissance value of the disclosed module inventory.

Authentication Bypass Joomla Cms
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48957 MEDIUM This Month

Improper access control in Joomla! CMS exposes com_privacy component webservice endpoints to users lacking the required authorization, allowing unauthorized reads of GDPR/privacy datasets. The flaw is classified as CWE-284 and impacts downstream systems at high severity per the vendor-supplied CVSS 4.0 vector, despite requiring high privileges on the vulnerable system itself - a tension that suggests role-boundary bypass rather than fully unauthenticated access. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-48948 MEDIUM This Month

Improper access control in Joomla! CMS com_contact component exposes restricted contact records via vcard (VCF) export to authenticated users who should not have access. Affecting versions 3.0.0 through 5.4.6 and 6.0.0 through 6.1.1, the flaw allows an authenticated user to bypass access restrictions and download vcard exports of contacts that have been explicitly restricted from their view. No public exploit code or active exploitation has been identified at time of analysis, but the wide deployment footprint of Joomla and the breadth of affected versions (spanning both the 3.x/5.x and 6.x branches) make patching a priority for sites using the com_contact component.

Authentication Bypass Joomla Cms
NVD
CVSS 4.0
6.4
EPSS
0.2%
CVE-2026-13019 CRITICAL PATCH Act Now

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the exposed function is an administrative/portal API reachable over the network with no credentials, successful access could lead to disclosure or manipulation of portal content and configuration.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-13020 CRITICAL PATCH Act Now

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.

Authentication Bypass Kubernetes Microsoft Portal For Arcgis
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14935 LOW Monitor

GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-12352 MEDIUM CISA This Month

Authentication bypass in Digi International PortServer TS 1/2/4 and Digi One SP/SP IA/IA serial device servers permits remote unauthenticated attackers to circumvent authorization controls and access restricted device resources. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote, credential-free exploitation but places High Attack Complexity on the flaw, indicating specific preconditions must be met - limiting opportunistic or automated mass exploitation. Impact is strictly confidentiality (C:H/I:N/A:N), meaning successful exploitation exposes restricted data or configuration without enabling modification or service disruption; no public exploit and no CISA KEV listing have been identified at time of analysis.

Authentication Bypass Portserver Ts 1 2 4 Digi One Sp Sp Ia Ia
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-59709 MEDIUM PATCH This Month

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Ghostfolio
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53481 CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-53483 CRITICAL PATCH Act Now

Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an unauthenticated, remote attacker bypass authentication and gain unauthorized access that Dell says can escalate to complete system control. Dell rates it critical (CVSS 9.8, CWE-287). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network-facing, no-privilege attack profile makes it a high-priority patch for backup/data-protection infrastructure.

Authentication Bypass Dell Powerprotect Data Domain
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-11340 HIGH This Week

Privilege escalation and unauthorized functionality access in HAVELSAN Liman MYS (Yönetim Sistemi) before release.Master.1107 allows an authenticated low-privileged user to invoke functions that should be gated by access-control lists. Because certain endpoints fail to enforce authorization (CWE-862), a limited user can reach administrative or restricted operations, enabling significant integrity and availability impact. No public exploit identified at time of analysis; the flaw was reported by Turkey's national CERT (TR-CERT / USOM).

Authentication Bypass Liman Mys
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-49296 PyPI MEDIUM PATCH This Month

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.

Authentication Bypass Apache Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14476 HIGH This Week

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Red Hat Path Traversal Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
CVSS 3.1
8.0
EPSS
0.7%
CVE-2026-8377 HIGH This Week

Information disclosure in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows remote unauthenticated attackers to collect sensitive data from common resource locations due to a missing authorization check. Because the affected endpoints do not verify that a requester is entitled to the data they return, an attacker who can reach the system over the network can harvest information without credentials. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the CVSS 8.2 rating and CWE-862 root cause make it a meaningful exposure for any accessible deployment.

Authentication Bypass Access Control System Gks
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-5799 HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.

Authentication Bypass Ontime
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-5730 HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).

Authentication Bypass Ontime
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57870 MEDIUM This Month

Broken object-level access control (BOLA) in MicroRealEstate's Template API through version 1.0.0-alpha3 permits authenticated users to retrieve document templates owned by other organizations on the same platform. Any low-privilege account holder can query template objects belonging to unrelated tenants by supplying arbitrary template identifiers, crossing multi-tenant isolation boundaries. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57869 HIGH This Week

Unauthorized document disclosure in MicroRealEstate through version 1.0.0-alpha3 lets an authenticated low-privilege user retrieve documents uploaded by other landlords or tenants. The flaw combines a broken object-level authorization check (CWE-639) with document IDs that are generated using a predictable, deterministic pattern, so an attacker can guess or enumerate identifiers and pull files they should not see. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 7.1 reflects high confidentiality impact with no effect on integrity or availability.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57868 HIGH This Week

Sensitive document disclosure in MicroRealEstate through 1.0.0-alpha3 lets an authenticated low-privilege user retrieve PDF documents belonging to other tenants or organizations by manipulating object identifiers passed to the PDF generator. Classified under CWE-639 (IDOR) and CVSS 4.0 7.1, the flaw exposes confidential data (VC:H) without requiring integrity or availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-57867 HIGH This Week

Authentication bypass in MicroRealEstate (open-source property/real-estate management platform) through version 1.0.0-alpha3 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) login flow to authenticate as any user. Because the OTP tokens are not tracked in server-side state, codes are not invalidated or rate-limited across attempts, collapsing the effective keyspace and enabling account takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-4375 CRITICAL Act Now

Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.

WordPress Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-34037 CRITICAL PATCH Act Now

Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-34048 CRITICAL PATCH Act Now

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-34044 HIGH PATCH This Week

Cross-tenant log disclosure in Coolify (self-hosted PaaS) before 4.0.0-beta.466 lets any authenticated user read application logs belonging to other teams by supplying a victim resource's UUID. The Logs::mount() component resolves resources by UUID alone without verifying the caller's team ownership, breaking the multi-tenant isolation boundary. Rated CVSS 7.7 (CWE-639, IDOR); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is a one-line-class authorization check that is trivially reversible from the public commit.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-34047 CRITICAL PATCH Act Now

Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-37271 CRITICAL Act Now

Improper authentication in Fire-Boltt FB BGS001 smartwatch firmware MOY-JS14-2.0.4 lets a nearby attacker replay previously captured Bluetooth Low Energy (BLE) GATT Write Request packets to trigger device functionality without valid session validation. The device accepts write commands over BLE without sufficient authentication, so an attacker within radio range who has observed legitimate traffic can reissue those commands. A public technical writeup/PoC exists on GitHub (EmbdCDACHyd), but there is no evidence of active exploitation (SSVC Exploitation: none) and EPSS is low at 0.21% (11th percentile).

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-37270 CRITICAL Act Now

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Authentication Bypass N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-51937 HIGH This Week

Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. Classified CWE-306 (Missing Authentication); a referenced public gist appears to contain proof-of-concept details, though EPSS is low (0.26%, 18th percentile) and it is not listed in CISA KEV.

Authentication Bypass Java N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-53644 HIGH This Week

Broken object-level authorization in FOSSBilling 0.5.3 through 0.7.2 lets an authenticated client read and reset API key service secrets belonging to orders that are no longer active, such as suspended or canceled orders. Two client API endpoints skip the order-state check that the frontend UI and the module's own isActive() helper otherwise enforce, exposing high-value credentials to any logged-in customer for their non-active services. There is no public exploit identified at time of analysis, and the flaw is fixed in version 0.8.0.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-53642 MEDIUM This Month

Incorrect authorization in FOSSBilling versions 0.5.6 through 0.7.2 allows authenticated clients with unverified email addresses to bypass the 'Require Email Confirmation' access control gate and read sensitive financial account data - including wallet balances and full transaction history - across all client-area pages. The application maintains two separate authorization layers: an API-level guard that correctly restricts unverified clients, and a page-level routing guard that is overly permissive, admitting any request whose URL path begins with /client, creating an exploitable enforcement gap. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a realistic but bounded confidentiality impact gated behind prior authentication.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-55501 npm HIGH PATCH GHSA This Week

Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.3
EPSS
0.5%
CVE-2026-34167 MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Coolify's ActivityMonitor Livewire component allows any authenticated user to enumerate and read activity records belonging to other teams, including full SSH process command outputs that may contain secrets, credentials, and infrastructure configuration details. Affected are all Coolify self-hosted deployments prior to version 4.0.0-beta.471. No special privileges beyond a valid user account are required, and auto-incrementing integer activity IDs make enumeration trivial. No public exploit code has been identified at time of analysis and this CVE is not in CISA KEV, but the low attack complexity and sensitive data exposure make this a meaningful risk for multi-tenant Coolify deployments.

Authentication Bypass Coolify
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-55438 Go MEDIUM PATCH GHSA This Month

Cross-origin request forgery via CORS same-owner bypass in Coder's subdomain workspace app proxy allows an authenticated attacker to exfiltrate data from a victim's workspace apps. The flaw exists across Coder release lines 2.29 through 2.34, and was disclosed by Anthropic's Security Team. No public exploit exists and no CISA KEV listing is present, but the vulnerability is directly exploitable against any deployment with wildcard subdomain routing enabled, making prompt patching critical for affected configurations.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-55435 Go MEDIUM PATCH GHSA This Month

Incorrect authorization in Coder's AI Bridge proxy (introduced in v2.30.0) permits suspended users to continue accessing LLM proxy endpoints using previously issued, unexpired API keys. The `Server.IsAuthorized` function in `coderd/aibridgeserver` validates key format, expiry, secret, and deleted/system-user status but omits the active/suspended status check present in the standard API key middleware, creating a divergence that survives indefinitely until tokens expire or are manually deleted. No public exploit code exists and the flaw is not listed in CISA KEV; the vendor patched all active release lines following coordinated disclosure by Anthropic's Security Team (ANT-2026-22446).

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-41899 MEDIUM PATCH This Month

Unauthenticated access to Coolify's POST /api/feedback endpoint allows any remote attacker to forward arbitrary content directly to the operator's configured Discord webhook, enabling spam flooding, content injection, and webhook rate-limit abuse. All self-hosted Coolify instances prior to 4.0.0-beta.474 are affected, with CVSS AV:N/AC:L/PR:N/UI:N confirming zero-barrier network exploitation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the trivial exploit conditions (plain unauthenticated HTTP POST) make automated abuse straightforward.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-55433 Go MEDIUM PATCH GHSA This Month

Authorization bypass in the Coder devcontainer recreate endpoint allows any authenticated user holding only read-level workspace access - such as Template Admin or Org Template Admin roles - to trigger a destructive container rebuild that destroys uncommitted in-container state. Unlike the sibling delete endpoint, which correctly enforces an ActionUpdate check, the recreate endpoint relied solely on route middleware verifying ActionRead, leaving the destructive operation unguarded against lower-privileged principals. No public exploit has been identified at time of analysis; vendor-confirmed patches are available across all supported release lines.

Authentication Bypass Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.4%
CVE-2026-55432 Go MEDIUM PATCH GHSA This Month

Port-sharing policy bypass in Coder's CreateSubAgent RPC allows an authenticated workspace owner to register sub-agent apps at sharing levels exceeding the template's administrator-configured MaxPortSharingLevel, potentially exposing workspace apps as PUBLIC to unauthenticated users via wildcard app subdomains. Exploitation is gated behind authenticated workspace ownership with an agent token and requires an Enterprise deployment with both port-sharing policy enforcement and wildcard app hostnames active - making this a meaningful privilege escalation within a constrained environment rather than a broadly exploitable network flaw. No public exploit has been identified at time of analysis; vendor-released patches are available across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-34050 MEDIUM PATCH This Month

Missing authorization in Coolify's Settings/Updates Livewire component allows any authenticated non-admin user to access the Updates settings page and modify auto-update behavior or trigger update checks. Affected versions span all releases prior to 4.0.0-beta.471 of the self-hosted server management platform. No public exploit code or CISA KEV listing exists at time of analysis, but the network-accessible nature and low authentication bar (any valid account) make this a meaningful integrity risk in multi-tenant or shared Coolify deployments.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-32718 MEDIUM PATCH This Month

Incorrect authorization in Coolify's API layer allows any holder of a read-scoped API token to invoke mutating validation endpoints - including cloud token validation and server validation - that should require write-level privileges. All Coolify deployments prior to version 4.0.0-beta.466 are affected. No public exploit or active exploitation has been identified at time of analysis, but the low attack complexity and network accessibility via API make this straightforward to abuse for any user who has been issued even a minimal API token.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42331 HIGH PATCH This Week

Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Fossbilling
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-55428 Go HIGH PATCH GHSA This Week

Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Rated CVSS 8.2 (CWE-285, improper authorization); a vendor patch is available and no public exploit is identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-55429 Go HIGH PATCH GHSA This Week

Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. No public exploit is identified at time of analysis; it is not listed in CISA KEV. Fixed in v2.34.2, v2.33.8, v2.32.7, and v2.29.17.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.5%
CVE-2026-42341 CRITICAL PATCH Act Now

Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.

Authentication Bypass PHP Fossbilling
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-55077 Go HIGH PATCH GHSA This Week

{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-55075 Go HIGH PATCH GHSA This Week

Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.5%
CVE-2026-55076 Go HIGH PATCH GHSA This Week

Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.5%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.

Authentication Bypass N8n
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incomplete state management in Capgo's transfer_app() function allows low-privileged authenticated users to retain or cause loss of access to deployment history records across organizations. Specifically, the function fails to update the deploy_history.owner_org field during inter-organization application transfers in all versions before 12.128.2, creating a persistent stale authorization grant. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant bundle deletion in Capgo (Capacitor live/OTA update platform) before 12.128.2 lets holders of an upload-scoped API key rewrite the mutable app_versions.r2_path column through the PostgREST data API, retargeting it at another tenant's Cloudflare R2 objects. By pointing a soft-deleted attacker version at a victim bundle and firing the on_version_update cleanup trigger, an attacker deletes the victim's R2 object, breaking that app's over-the-air update delivery. No public exploit is identified at time of analysis, but the mechanism is fully described and CVSS 4.0 rates availability impact as High (8.7).

Authentication Bypass Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-organization authorization bypass in Capgo before 12.128.2 lets a scoped API key (limited_to_orgs) inherit its owner's full user permissions, so an admin holding a write key restricted to one organization can execute destructive operations against a different organization. Because route-level authorization (rbac_check_permission_direct) checks the owner's user privileges before enforcing the key's org scope, a key intended to be confined to Org A can call DELETE /organization or DELETE /organization/members on Org B. No public exploit has been identified at time of analysis; the flaw is documented in a GitHub Security Advisory (GHSA-ccm4-hf72-p28m) and a VulnCheck advisory.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets read-only organization members insert rows into the public.manifest table via a flawed INSERT row-level-security policy, poisoning the OTA update manifests that Capacitor apps fetch. Because these forged entries carry attacker-chosen s3_path values and are served to client devices through the unauthenticated /updates endpoint, a low-privileged insider can steer devices toward malicious update assets. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Policy bypass in Capgo's OTA update enforcement allows holders of app-scoped API keys to downgrade encrypted app bundles to an unencrypted state by directly manipulating the app_versions table through PostgREST. Affected versions are all Capgo releases prior to 12.128.2. An attacker in possession of an app-scoped 'all' API key can nullify organization-level encrypted-bundle policies, silently stripping the cryptographic protections applied to over-the-air mobile updates and enabling distribution of unencrypted bundles to end-user devices. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6.1.0-8.6.1.10, 8.3.1.0-8.3.1.30, and 7.13.1.0-7.13.1.70) allows a low-privileged, remote authenticated attacker to reach resources or actions beyond their assigned role, resulting in unauthorized access. Rated CVSS 8.8 (High) with high confidentiality, integrity, and availability impact and low attack complexity. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the low barrier to exploitation for any existing account makes this a meaningful escalation risk on these backup appliances.

Authentication Bypass Dell Data Domain Operating System
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Missing authentication in Dgraph Alpha lets an unauthenticated network client destroy and overwrite an entire database group's data via the external-snapshot import RPCs exposed on the public gRPC port :9080. Any attacker able to reach port 9080 can open a StreamExtSnapshot session; because the receiver calls Prepare() before ingesting the stream, the existing store is deleted and replaced with attacker-supplied Badger data. Fixed in version 25.3.5; no public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. No public exploit has been identified at time of analysis, but the zero-privilege, low-complexity attack path makes this straightforward to weaponize against any site monetizing through this plugin's membership features.

Authentication Bypass WordPress User Frontend
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation via Insecure Direct Object Reference in the WCFM Membership (WooCommerce Memberships for Multivendor Marketplace) WordPress plugin versions up to and including 2.11.10 lets authenticated users holding at least vendor-level access manipulate the 'wcfmvm_membership_change' AJAX action to reassign any user's account to the 'wcfm_vendor' role by altering their membership plan. Because the action never checks whether the caller is authorized to modify the targeted user, a low-privileged marketplace vendor can tamper with arbitrary accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS of 8.1 and network-reachable authenticated vector make it a meaningful multivendor-store risk.

Authentication Bypass WordPress Wcfm Membership Woocommerce Memberships For Multivendor Marketplace
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Dassault Systèmes DELMIA Apriso (Release 2020 through Release 2026) lets remote unauthenticated attackers obtain privileged access to the manufacturing operations server, consistent with the CVSS PR:N/UI:N metrics. Rated CVSS 9.8 (C:H/I:H/A:H), it exposes shop-floor and production-control functions to full compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Delmia Apriso
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authorization bypass in the WP Learn Manager WordPress plugin (all versions through 1.1.8) lets unauthenticated attackers install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. The flaw stems from AJAX handlers that fail to verify a caller's authorization, and Wordfence rates it CVSS 9.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patch target.

Authentication Bypass WordPress Wp Learn Manager
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the ability to preconfigure exports to surface password hashes represents a meaningful secondary confidentiality risk beyond the raw CVSS 5.3 Medium score.

Authentication Bypass WordPress User Management
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. No public exploit identified at time of analysis, but the flaw was reported by Wordfence and the vulnerable code paths are cited directly in the WordPress plugin repository.

WordPress Authentication Bypass Dologin Security
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. No public exploit has been identified at time of analysis, but the flaw was reported via HackerOne and carries a CVSS 9.9 rating.

Authentication Bypass Plesk
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Kiosk restriction bypass in the Code 27 Companion Hub allows an attacker with physical device access to perform a factory reset that completely circumvents the kiosk protection mechanism, granting full control over the device. The flaw (CWE-288) represents a protection mechanism failure where an alternate path - the factory reset function - is not gated by the same access controls as the restricted kiosk environment. A publicly available proof-of-concept exploit exists on GitHub, and while SSVC rates exploitation status as none and EPSS sits at 0.21% (11th percentile), the availability of working exploit code lowers the barrier for opportunistic physical-access attacks.

Authentication Bypass N A
NVD GitHub
CVSS 9.6
CRITICAL POC Act Now

Cross-namespace privilege escalation in goploy (zhenorzz/goploy through 1.17.5 and develop HEAD) lets any authenticated user holding the low-privilege `manager` role in their own namespace read, overwrite, plant, or delete project files in ANY other tenant's project, and rewrite any project's git remote URL, because the `/project/addFile`, `/project/editFile`, `/project/removeFile`, and `/project/edit` handlers act on body-supplied project/file row ids without verifying the target belongs to the caller's namespace. The rewritten git remote escalates to remote code execution on the next deploy, when goploy runs `git remote set-url origin <attacker-url>` and pulls attacker-controlled code under the goploy service account. A detailed proof-of-concept exists demonstrating all four primitives against the published Docker image, though no active exploitation has been reported.

Authentication Bypass Docker
NVD GitHub
CVSS 4.3
MEDIUM POC PATCH This Month

Cluster-level RBAC bypass in Kite (github.com/zxh326/kite) v0.12.2 allows any authenticated user to retrieve aggregate inventory and capacity data from Kubernetes clusters they are not authorized to access. By supplying an arbitrary cluster name in the `x-cluster-name` header, a low-privileged user scoped to one cluster can enumerate node counts, pod counts, namespace counts, service counts, and CPU/memory resource totals from other configured clusters. No public exploit identified at time of analysis, though the reporter provided and validated a working Go proof-of-concept test demonstrating the bypass.

Authentication Bypass Kubernetes
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken object-level authorization in Cap's GET /api/video/ai endpoint lets any authenticated user supply arbitrary video IDs to read private AI-generated metadata - titles, summaries, and chapters - belonging to other users, and to trigger unauthorized AI generation that burns the victim's credits. Reported by VulnCheck with a vendor patch (commit 8d48642) available; no public exploit identified at time of analysis, and EPSS/KEV data were not supplied. The flaw combines confidentiality loss over private content with an abusable, cost-incurring side effect.

Authentication Bypass Cap
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated data theft, tampering, and denial-of-service affects mem0's OpenMemory API server (openmemory/api component), where several API routers are mounted without any authentication middleware. Because CVSS 4.0 vector shows PR:N and CWE-306 (Missing Authentication for a Critical Function), remote attackers can pass arbitrary user_id values to read, overwrite, or delete any user's stored memories, and can trigger a global pause to break the service for everyone. Reported by VulnCheck with a vendor patch commit available; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Mem0
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Row-level authorization bypass in Hasura GraphQL Engine prior to versions 2.49.2 and 2.45.5 permits low-privileged authenticated users to infer the contents of rows their role's permissions should suppress. By submitting crafted where-clause predicates against table computed fields returning SETOF results, an attacker exploits the query response as a boolean oracle - iteratively reconstructing protected column values through binary-search-style probing without ever directly retrieving the restricted rows. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 6.0 with VC:H reflects meaningful confidentiality exposure specifically in deployments relying on row-level security as a data boundary.

Authentication Bypass Oracle Graphql Engine
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM interaction traces via GET /api/core/ai/record/getRecord. The endpoint verifies the caller is logged in but fetches records solely by requestId without checking team ownership, exposing cross-tenant prompts, retrieved RAG chunks, and model completions to any user who can guess or obtain a valid requestId. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but exploitation requires only a low-privilege account and knowledge of a target requestId.

Authentication Bypass Fastgpt
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by supplying that team's S3 object key to the chat-file presign or dataset preview endpoints. The handlers authorize an unrelated resource but then sign or read the S3 object using a request-supplied key without verifying tenant ownership, so global bucket keys become an IDOR primitive. No public exploit code has been identified at time of analysis, though the upstream fix (PR #7104 / commit decb6d2) reveals the exact vulnerable code path.

Authentication Bypass Fastgpt
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained impact and prerequisite of an existing Org Admin credential.

Grafana Enterprise Grafana Oss Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote attackers steal stored LLM provider credentials and pivot into internal infrastructure. Because the /api/v1/config/ endpoints require no authentication (CWE-306), an attacker can GET plaintext secrets such as OpenAI API keys and PUT a malicious ollama_base_url to coerce the server into requesting internal-only addresses like cloud instance metadata (IMDS). CVSS 4.0 rates this 9.2 (Critical); there is no public exploit identified at time of analysis, but the attack is trivial and reported by VulnCheck.

Authentication Bypass SSRF Mem0
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.

Authentication Bypass Nginx Redis +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Refresh-token family forking in better-auth's OAuth provider plugin (@better-auth/oauth-provider 1.6.0–1.6.10, and embedded in better-auth 1.4.8-beta.7–1.5.x) lets a race condition on the /oauth2/token refresh_token grant split one parent refresh token into multiple valid child families, defeating RFC 9700 reuse detection. An attacker holding a stolen refresh token who times two concurrent redemptions can obtain a persistent, independently-rotating branch that survives revocation of the legitimate user's branch and never trips family-invalidation. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the security impact is indefinite unauthorized access plus detection bypass at the victim's full authorization scope.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Pre-account-hijacking in the better-auth Node/TypeScript authentication library (versions < 1.6.11 on the stable line and all current `next` pre-releases) lets an unauthenticated attacker seize a victim's account by pre-registering the victim's email via `/sign-up/email`, then having the victim's later OAuth/SSO sign-in implicitly linked to the attacker's row. The result is a single account the attacker controls with a working password login plus the victim's OAuth identity, and the link-time verification flip defeats `requireEmailVerification: true`. No public exploit identified at time of analysis; not listed in CISA KEV, though the flaw is the same class as Microsoft nOAuth (2023) and the Sign in with Apple JWT flaw (2020).

Authentication Bypass Apple Microsoft +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation and account/organization takeover in the better-auth Node/TypeScript library affects applications using the organization plugin with unverified email sign-up enabled (emailAndPassword without requireEmailVerification). Because acceptInvitation treats a plain email-string match as proof of address ownership, an attacker who pre-registers an unverified account keyed to a victim's address and obtains a leaked invitationId can accept an admin's invitation and join the organization at the invited role. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the mechanism is fully documented in the vendor advisory (GHSA-fmh4-wcc4-5jm3).

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation via broken authorization in Actual (self-hosted open-source budgeting app) before 26.7.0 lets any shared user holding only user_access on a budget file invoke owner-only file-management endpoints. Because requireFileAccess treats ordinary shared access as sufficient, a low-privileged collaborator can call /delete-user-file, /reset-user-file, and /user-create-key to destroy or reset another user's budget data or rotate its encryption key. No public exploit is identified at time of analysis, and it is not in CISA KEV.

Authentication Bypass Actual
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python +2
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Insecure Direct Object Reference in DataEase before 2.10.24 lets a holder of any valid share-link token retrieve arbitrary datasets by tampering with the request body. The share-mode chart endpoint POST /de2api/chartData/getData validates only that sceneId matches the resourceId bound to the link token, but never checks that the supplied tableId and field IDs belong to the shared resource, so an attacker can swap in identifiers for datasets they were never granted. No public exploit is identified at time of analysis, but the flaw is trivially exploitable by anyone already given a legitimate share link.

Authentication Bypass Dataease
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in DataEase open-source BI platform before 2.10.24 lets unauthenticated remote attackers who know a protected share UUID retrieve a valid X-DE-LINK-TOKEN from the /de2api/share/proxyInfo endpoint, because the token is issued before the share password or ticket is checked. With that token an attacker can call subsequent share APIs and read data behind password-protected dashboards without valid credentials. No public exploit identified at time of analysis; the flaw is fixed in 2.10.24.

Authentication Bypass Dataease
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Instance-wide LLM configuration hijacking in Cognee before 1.2.0 lets any remote attacker self-register a normal account and overwrite the global LLM provider settings through the /api/v1/settings endpoint, which performs no admin or superuser authorization check. Because the configuration is held in a process-wide singleton cache, a single call redirects every user's LLM operations to an attacker-controlled endpoint, exfiltrating prompts, uploaded documents, extracted entities, and knowledge-graph content. This is confirmed publicly available exploit code exists (reported by VulnCheck, with a released vendor patch in v1.2.0), and the CVSS 4.0 score is 9.3 (Critical).

Authentication Bypass Cognee
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authentication bypass in DataEase before 2.10.24 lets remote attackers forge valid share-link JWTs because ShareSecretManage ships with a hardcoded signature key (link-pwd-fit2cloud). An attacker who has obtained any passwordless share can mint linkToken JWTs that pass TokenFilter verification and access backend resources as the original share creator, even after that share has been revoked. There is no public exploit identified at time of analysis, but the hardcoded key is disclosed in the advisory, making forgery trivial once the signing algorithm is known.

Authentication Bypass Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Broken access control in DataEase before 2.10.24 lets any authenticated low-privilege user reach the /de2api/datasetData/previewSql endpoint, which is missing its mandatory @DePermit authorization check, and pass datasourceId=-1 to hit the built-in engine database and execute arbitrary SQL. This CWE-862 missing-authorization flaw exposes sensitive core application data and carries a CVSS 4.0 base score of 8.7 (High). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Dataease
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

{id} route is explicitly whitelisted from authentication, exported data files can be pulled by fully unauthenticated remote attackers, matching the vendor's CVSS 4.0 PR:N rating (8.7, High). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial ID-enumeration attack pattern makes exploitation straightforward once the endpoint is reachable.

Authentication Bypass Dataease
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Confidential-client impersonation in better-auth below 1.6.11 lets an attacker who holds any leaked refresh_token and the public client_id mint fresh access tokens and rotated refresh tokens indefinitely. The deprecated oidcProvider() and mcp() plugins expose an OAuth 2.0 token endpoint whose refresh_token grant authenticates solely on the bound refresh-token row plus a matching client_id, never verifying the registered client_secret - a regression, since the same plugins' authorization_code grant does enforce the secret. No public exploit identified at time of analysis; the flaw was reported by @subhanUmer and fixed by the maintainers, with no CISA KEV listing or EPSS score supplied in the input.

Authentication Bypass XSS Canonical
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Authentication Bypass Chevereto Chevereto Chevereto +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Unauthorized portfolio data exposure in Ghostfolio's public API allows anyone holding a private access ID to read another user's full portfolio through the GET /api/v1/public/:accessId/portfolio endpoint. The endpoint accepts private access IDs without enforcing the granteeUserId filter, so holdings, quantities, buy prices, and performance metrics are returned without authentication. This is an authorization (broken access control) flaw with high confidentiality impact and no known public exploit at time of analysis.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Improper access control in Joomla! CMS's com_media webservice endpoints allows privileged users to overwrite media files even when they lack explicit editing permissions. The flaw affects two active release lines - 4.1.0 through 5.4.6 and 6.0.0 through 6.1.1 - and is confirmed by the Joomla Security Centre. The CVSS 4.0 vector (SC:H/SI:H/SA:H) indicates that while the direct impact on the vulnerable system is limited (VI:L), successful exploitation can cascade into high-impact consequences on the broader site or dependent systems. No public exploit or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Incorrect access control in Joomla! CMS exposes com_fields REST API webservices endpoints to users who lack the required permissions, allowing them to create custom field definitions that should be restricted to higher-privileged roles such as Manager or Administrator. The flaw originates from a missing or incorrectly evaluated ACL check in the webservices layer and is confirmed by Joomla's own Security Centre in advisory 20260712. No public exploit has been identified at time of analysis, though the CVSS scope-change metrics indicate potential for significant downstream impact to site content and dependent integrations if unauthorized field definitions are used to inject malicious markup.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Unauthorized access to workflow stage and transition data in Joomla! CMS is possible due to an improper access check in the com_workflow component (CWE-284), allowing authenticated users who lack the necessary workflow management permissions to read internal content publication configuration. The CVSS 4.0 vector assigns high subsequent-system impacts (SC:H/SI:H/SA:H), suggesting the vendor assessed this metadata exposure as a meaningful enabler of broader content pipeline compromise. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Incorrect access control in Joomla! CMS's com_modules component exposes the module listing interface to frontend users who should not have visibility into installed modules. The flaw stems from CWE-284 (Improper Access Control), where the frontend fails to enforce sufficient privilege checks before returning module enumeration data. No public exploit or CISA KEV listing has been identified at time of analysis, and the EPSS score is not provided in source data, but the CVSS 4.0 score of 6.4 reflects meaningful subsequent-system impact potential stemming from reconnaissance value of the disclosed module inventory.

Authentication Bypass Joomla Cms
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Improper access control in Joomla! CMS exposes com_privacy component webservice endpoints to users lacking the required authorization, allowing unauthorized reads of GDPR/privacy datasets. The flaw is classified as CWE-284 and impacts downstream systems at high severity per the vendor-supplied CVSS 4.0 vector, despite requiring high privileges on the vulnerable system itself - a tension that suggests role-boundary bypass rather than fully unauthenticated access. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Joomla Cms
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Improper access control in Joomla! CMS com_contact component exposes restricted contact records via vcard (VCF) export to authenticated users who should not have access. Affecting versions 3.0.0 through 5.4.6 and 6.0.0 through 6.1.1, the flaw allows an authenticated user to bypass access restrictions and download vcard exports of contacts that have been explicitly restricted from their view. No public exploit code or active exploitation has been identified at time of analysis, but the wide deployment footprint of Joomla and the breadth of affected versions (spanning both the 3.x/5.x and 6.x branches) make patching a priority for sites using the com_contact component.

Authentication Bypass Joomla Cms
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the exposed function is an administrative/portal API reachable over the network with no credentials, successful access could lead to disclosure or manipulation of portal content and configuration.

Authentication Bypass Kubernetes Microsoft +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.

Authentication Bypass Kubernetes Microsoft +1
NVD
EPSS 0% CVSS 3.7
LOW Monitor

GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Authentication bypass in Digi International PortServer TS 1/2/4 and Digi One SP/SP IA/IA serial device servers permits remote unauthenticated attackers to circumvent authorization controls and access restricted device resources. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote, credential-free exploitation but places High Attack Complexity on the flaw, indicating specific preconditions must be met - limiting opportunistic or automated mass exploitation. Impact is strictly confidentiality (C:H/I:N/A:N), meaning successful exploitation exposes restricted data or configuration without enabling modification or service disruption; no public exploit and no CISA KEV listing have been identified at time of analysis.

Authentication Bypass Portserver Ts 1 2 4 Digi One Sp Sp Ia Ia
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Ghostfolio
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.

Authentication Bypass Dell Path Traversal +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an unauthenticated, remote attacker bypass authentication and gain unauthorized access that Dell says can escalate to complete system control. Dell rates it critical (CVSS 9.8, CWE-287). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network-facing, no-privilege attack profile makes it a high-priority patch for backup/data-protection infrastructure.

Authentication Bypass Dell Powerprotect Data Domain
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Privilege escalation and unauthorized functionality access in HAVELSAN Liman MYS (Yönetim Sistemi) before release.Master.1107 allows an authenticated low-privileged user to invoke functions that should be gated by access-control lists. Because certain endpoints fail to enforce authorization (CWE-862), a limited user can reach administrative or restricted operations, enabling significant integrity and availability impact. No public exploit identified at time of analysis; the flaw was reported by Turkey's national CERT (TR-CERT / USOM).

Authentication Bypass Liman Mys
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.

Authentication Bypass Apache Apache Airflow
NVD GitHub VulDB
EPSS 1% CVSS 8.0
HIGH This Week

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Authentication Bypass Red Hat Path Traversal +7
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Information disclosure in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows remote unauthenticated attackers to collect sensitive data from common resource locations due to a missing authorization check. Because the affected endpoints do not verify that a requester is entitled to the data they return, an attacker who can reach the system over the network can harvest information without credentials. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the CVSS 8.2 rating and CWE-862 root cause make it a meaningful exposure for any accessible deployment.

Authentication Bypass Access Control System Gks
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.

Authentication Bypass Ontime
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).

Authentication Bypass Ontime
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken object-level access control (BOLA) in MicroRealEstate's Template API through version 1.0.0-alpha3 permits authenticated users to retrieve document templates owned by other organizations on the same platform. Any low-privilege account holder can query template objects belonging to unrelated tenants by supplying arbitrary template identifiers, crossing multi-tenant isolation boundaries. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Unauthorized document disclosure in MicroRealEstate through version 1.0.0-alpha3 lets an authenticated low-privilege user retrieve documents uploaded by other landlords or tenants. The flaw combines a broken object-level authorization check (CWE-639) with document IDs that are generated using a predictable, deterministic pattern, so an attacker can guess or enumerate identifiers and pull files they should not see. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 7.1 reflects high confidentiality impact with no effect on integrity or availability.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Sensitive document disclosure in MicroRealEstate through 1.0.0-alpha3 lets an authenticated low-privilege user retrieve PDF documents belonging to other tenants or organizations by manipulating object identifiers passed to the PDF generator. Classified under CWE-639 (IDOR) and CVSS 4.0 7.1, the flaw exposes confidential data (VC:H) without requiring integrity or availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in MicroRealEstate (open-source property/real-estate management platform) through version 1.0.0-alpha3 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) login flow to authenticate as any user. Because the OTP tokens are not tracked in server-side state, codes are not invalidated or rate-limited across attempts, collapsing the effective keyspace and enabling account takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.

WordPress Authentication Bypass
NVD WPScan VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.

Authentication Bypass PHP Coolify
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.

Authentication Bypass Coolify
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant log disclosure in Coolify (self-hosted PaaS) before 4.0.0-beta.466 lets any authenticated user read application logs belonging to other teams by supplying a victim resource's UUID. The Logs::mount() component resolves resources by UUID alone without verifying the caller's team ownership, breaking the multi-tenant isolation boundary. Rated CVSS 7.7 (CWE-639, IDOR); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is a one-line-class authorization check that is trivially reversible from the public commit.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper authentication in Fire-Boltt FB BGS001 smartwatch firmware MOY-JS14-2.0.4 lets a nearby attacker replay previously captured Bluetooth Low Energy (BLE) GATT Write Request packets to trigger device functionality without valid session validation. The device accepts write commands over BLE without sufficient authentication, so an attacker within radio range who has observed legitimate traffic can reissue those commands. A public technical writeup/PoC exists on GitHub (EmbdCDACHyd), but there is no evidence of active exploitation (SSVC Exploitation: none) and EPSS is low at 0.21% (11th percentile).

Authentication Bypass N A
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.

Authentication Bypass N A
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. Classified CWE-306 (Missing Authentication); a referenced public gist appears to contain proof-of-concept details, though EPSS is low (0.26%, 18th percentile) and it is not listed in CISA KEV.

Authentication Bypass Java N A
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Broken object-level authorization in FOSSBilling 0.5.3 through 0.7.2 lets an authenticated client read and reset API key service secrets belonging to orders that are no longer active, such as suspended or canceled orders. Two client API endpoints skip the order-state check that the frontend UI and the module's own isActive() helper otherwise enforce, exposing high-value credentials to any logged-in customer for their non-active services. There is no public exploit identified at time of analysis, and the flaw is fixed in version 0.8.0.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Incorrect authorization in FOSSBilling versions 0.5.6 through 0.7.2 allows authenticated clients with unverified email addresses to bypass the 'Require Email Confirmation' access control gate and read sensitive financial account data - including wallet balances and full transaction history - across all client-area pages. The application maintains two separate authorization layers: an API-level guard that correctly restricts unverified clients, and a page-level routing guard that is overly permissive, admitting any request whose URL path begins with /client, creating an exploitable enforcement gap. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a realistic but bounded confidentiality impact gated behind prior authentication.

Authentication Bypass
NVD GitHub VulDB
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in Coolify's ActivityMonitor Livewire component allows any authenticated user to enumerate and read activity records belonging to other teams, including full SSH process command outputs that may contain secrets, credentials, and infrastructure configuration details. Affected are all Coolify self-hosted deployments prior to version 4.0.0-beta.471. No special privileges beyond a valid user account are required, and auto-incrementing integer activity IDs make enumeration trivial. No public exploit code has been identified at time of analysis and this CVE is not in CISA KEV, but the low attack complexity and sensitive data exposure make this a meaningful risk for multi-tenant Coolify deployments.

Authentication Bypass Coolify
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Cross-origin request forgery via CORS same-owner bypass in Coder's subdomain workspace app proxy allows an authenticated attacker to exfiltrate data from a victim's workspace apps. The flaw exists across Coder release lines 2.29 through 2.34, and was disclosed by Anthropic's Security Team. No public exploit exists and no CISA KEV listing is present, but the vulnerability is directly exploitable against any deployment with wildcard subdomain routing enabled, making prompt patching critical for affected configurations.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Incorrect authorization in Coder's AI Bridge proxy (introduced in v2.30.0) permits suspended users to continue accessing LLM proxy endpoints using previously issued, unexpired API keys. The `Server.IsAuthorized` function in `coderd/aibridgeserver` validates key format, expiry, secret, and deleted/system-user status but omits the active/suspended status check present in the standard API key middleware, creating a divergence that survives indefinitely until tokens expire or are manually deleted. No public exploit code exists and the flaw is not listed in CISA KEV; the vendor patched all active release lines following coordinated disclosure by Anthropic's Security Team (ANT-2026-22446).

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated access to Coolify's POST /api/feedback endpoint allows any remote attacker to forward arbitrary content directly to the operator's configured Discord webhook, enabling spam flooding, content injection, and webhook rate-limit abuse. All self-hosted Coolify instances prior to 4.0.0-beta.474 are affected, with CVSS AV:N/AC:L/PR:N/UI:N confirming zero-barrier network exploitation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the trivial exploit conditions (plain unauthenticated HTTP POST) make automated abuse straightforward.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Authorization bypass in the Coder devcontainer recreate endpoint allows any authenticated user holding only read-level workspace access - such as Template Admin or Org Template Admin roles - to trigger a destructive container rebuild that destroys uncommitted in-container state. Unlike the sibling delete endpoint, which correctly enforces an ActionUpdate check, the recreate endpoint relied solely on route middleware verifying ActionRead, leaving the destructive operation unguarded against lower-privileged principals. No public exploit has been identified at time of analysis; vendor-confirmed patches are available across all supported release lines.

Authentication Bypass Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Port-sharing policy bypass in Coder's CreateSubAgent RPC allows an authenticated workspace owner to register sub-agent apps at sharing levels exceeding the template's administrator-configured MaxPortSharingLevel, potentially exposing workspace apps as PUBLIC to unauthenticated users via wildcard app subdomains. Exploitation is gated behind authenticated workspace ownership with an agent token and requires an Enterprise deployment with both port-sharing policy enforcement and wildcard app hostnames active - making this a meaningful privilege escalation within a constrained environment rather than a broadly exploitable network flaw. No public exploit has been identified at time of analysis; vendor-released patches are available across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization in Coolify's Settings/Updates Livewire component allows any authenticated non-admin user to access the Updates settings page and modify auto-update behavior or trigger update checks. Affected versions span all releases prior to 4.0.0-beta.471 of the self-hosted server management platform. No public exploit code or CISA KEV listing exists at time of analysis, but the network-accessible nature and low authentication bar (any valid account) make this a meaningful integrity risk in multi-tenant or shared Coolify deployments.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect authorization in Coolify's API layer allows any holder of a read-scoped API token to invoke mutating validation endpoints - including cloud token validation and server validation - that should require write-level privileges. All Coolify deployments prior to version 4.0.0-beta.466 are affected. No public exploit or active exploitation has been identified at time of analysis, but the low attack complexity and network accessibility via API make this straightforward to abuse for any user who has been issued even a minimal API token.

Authentication Bypass Coolify
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Fossbilling
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Rated CVSS 8.2 (CWE-285, improper authorization); a vendor patch is available and no public exploit is identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. No public exploit is identified at time of analysis; it is not listed in CISA KEV. Fixed in v2.34.2, v2.33.8, v2.32.7, and v2.29.17.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.

Authentication Bypass PHP Fossbilling
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.

Authentication Bypass
NVD GitHub VulDB
Prev Page 8 of 347 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy