Skip to main content

Passwordless

1 CVEs product

Monthly

CVE-2026-4522 MEDIUM PATCH This Month

Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Microsoft Passwordless
NVD
CVSS 4.0
6.7
EPSS
0.1%
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Microsoft Passwordless
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy