Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
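The pathways described under How It Works (a client-chosen role parameter, an unguarded "hidden" administrative path, a multi-step login accepted after only the first step) and the mitigations just listed (authenticate every endpoint, keep verification state server-side), as an added Python example that is not part of this page or of any product it lists. The users, second-factor codes and paths are constructed; no web framework is used, so it runs offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample user store (hypothetical users, not from the page). Salted
# SHA-256 keeps the example dependency-free; real services use argon2id/scrypt.
def _hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "alice": {"salt": "s1", "hash": _hash_password("correct horse", "s1"), "role": "user"},
    "root": {"salt": "s2", "hash": _hash_password("hunter2!!", "s2"), "role": "admin"},
}
MFA_CODES = {"alice": "246810", "root": "135791"}  # constructed; real code verifies TOTP
PUBLIC_PATHS = {"/login", "/login/mfa", "/health"}  # the only paths open without a session
ADMIN_PREFIX = "/admin"


@dataclass
class Session:
    """Server-side record of which login steps this token has completed."""
    user: str
    role: str
    password_ok: bool = False
    mfa_ok: bool = False

    @property
    def authenticated(self) -> bool:
        return self.password_ok and self.mfa_ok


SESSIONS: dict[str, Session] = {}


def login_step1(username: str, password: str):
    """Step 1: check the password and open a *partial* session; returns a token or None."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
    SESSIONS[token] = Session(user=username, role=rec["role"], password_ok=True)
    return token


def login_step2(token: str, code: str) -> bool:
    """Step 2: verify the second factor and mark the session opened in step 1 complete."""
    s = SESSIONS.get(token)
    if s is None or not s.password_ok:
        return False
    if not hmac.compare_digest(code.encode(), MFA_CODES[s.user].encode()):
        return False
    s.mfa_ok = True
    return True


def vulnerable_dispatch(request: dict) -> int:
    """Three pathways from the text: a half-finished login is accepted, the role is
    read from the request, and /admin/console is a 'hidden' path nobody guarded."""
    path = request["path"]
    if path in PUBLIC_PATHS:
        return 200
    s = SESSIONS.get(request.get("token", ""))
    if s is None:  # flaw 1: never checks s.authenticated, so the MFA step can be skipped
        return 401
    if path == "/admin/users":
        role = request.get("params", {}).get("role", s.role)  # flaw 2: client-chosen role
        return 200 if role == "admin" else 403
    return 200  # flaw 3: every other path, /admin/console included, passes unguarded


def hardened_dispatch(request: dict) -> int:
    """Deny by default: every non-public path needs a fully verified session, and
    authorization consults only the role stored server-side."""
    path = request["path"]
    if path in PUBLIC_PATHS:
        return 200
    s = SESSIONS.get(request.get("token", ""))
    if s is None or not s.authenticated:
        return 401
    if path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/"):
        return 200 if s.role == "admin" else 403  # request params are never consulted
    return 200


def demo() -> dict:
    """Replays the same requests against both dispatchers as (vulnerable, hardened) status codes."""
    SESSIONS.clear()
    t = login_step1("alice", "correct horse")  # password step only; MFA still pending
    tamper = {"path": "/admin/users", "token": t, "params": {"role": "admin"}}
    hidden = {"path": "/admin/console", "token": t}
    partial = {"path": "/projects", "token": t}
    out = {name: (vulnerable_dispatch(r), hardened_dispatch(r))
           for name, r in (("tamper", tamper), ("hidden", hidden), ("partial", partial))}
    login_step2(t, "246810")  # finish MFA; alice is still an ordinary user
    out["after_mfa"] = (hardened_dispatch(partial), hardened_dispatch(hidden))
    return out
```

In a real service the same deny-by-default dispatcher belongs in one middleware layer so that a route added later cannot accidentally become another unguarded path.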

Recent CVEs (7467)

CVE-2026-6126
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Missing authentication in zhayujie chatgpt-on-wechat CowAgent 2.0.4 administrative HTTP endpoint allows remote attackers to bypass access controls and perform unauthorized administrative operations without credentials. Publicly available exploit code exists. EPSS risk not available; CVSS 7.3 reflects network-based attack requiring no privileges or user interaction. The vendor has not responded to the vulnerability disclosure (GitHub issue #2733) at time of analysis.

Authentication Bypass
NVD VulDB GitHub
CVE-2026-3371
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.

WordPress Authentication Bypass
NVD VulDB
CVE-2026-3358
EPSS 0% CVSS 5.4
MEDIUM This Month

Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.

WordPress Authentication Bypass
NVD
CVE-2026-3690
EPSS 0% CVSS 7.4
HIGH This Week

Unauthenticated remote attackers bypass authentication in OpenClaw canvas endpoints due to improper authentication implementation (CWE-291). Exploitation requires no user interaction and yields high confidentiality/integrity impact. Network-accessible attack vector with high complexity (CVSS:3.0 7.4 AV:N/AC:H/PR:N). No public exploit identified at time of analysis. Originally reported as ZDI-CAN-29311.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-40199
EPSS 0%
Monitor

Net::CIDR::Lite versions before 0.23 for Perl mishandle IPv4-mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4-mapped addresses like ::ffff:192.168.1.1. This produces an 18-byte value instead of 17 bytes, misaligning the IPv4 part of the address. The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find(), which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses. Example:

my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
$cidr->find("::ffff:192.168.2.0"); # incorrectly returns true

This is triggered by valid RFC 4291 IPv4-mapped addresses (::ffff:x.x.x.x). See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-40198
EPSS 0%
Monitor

Net::CIDR::Lite versions before 0.23 for Perl do not validate the IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of the wrong length (3, 7, or 15 bytes instead of 17). The packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range. Example:

my $cidr = Net::CIDR::Lite->new("::/8");
$cidr->find("1:2:3"); # invalid input, incorrectly returns true

This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module. See also CVE-2026-40199, a related issue in the same function affecting IPv4-mapped IPv6 addresses.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-33119
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) on Android contains a user interface misrepresentation vulnerability that allows unauthenticated remote attackers to conduct spoofing attacks over a network. The vulnerability exploits UI rendering to misrepresent critical information to end users, enabling attackers to deceive users into taking unintended actions. While the CVSS score is moderate (5.4), the attack requires user interaction and only impacts confidentiality and integrity; a vendor-released patch is available.

Authentication Bypass Google Microsoft +1
NVD VulDB
CVE-2026-5724
EPSS 0% CVSS 6.3
MEDIUM This Month

Temporal's frontend gRPC server fails to enforce authentication and authorization on the StreamWorkflowReplicationMessages endpoint, allowing unauthenticated network attackers to establish replication streams and potentially exfiltrate workflow data when replication targets are configured. The vulnerability affects Temporal versions prior to 1.28.4, 1.29.6, and 1.30.4; Temporal Cloud deployments are unaffected. While exploitation requires knowledge of cluster configuration and correctly configured replication targets, the authentication bypass on a network-accessible service combined with a moderate CVSS score (6.3) reflects the practical risk of unauthorized data access in multi-tenant or sensitive workflow environments.

Authentication Bypass
NVD GitHub VulDB
CVE-2026-40252
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken Access Control in FastGPT versions prior to 4.14.10.4 allows authenticated teams to access and execute applications belonging to other teams by supplying a foreign application ID, enabling cross-tenant data exposure and unauthorized workflow execution. The vulnerability stems from insufficient API validation: while team tokens are verified, the API fails to confirm that the requested application belongs to the authenticated team. This affects all FastGPT instances with multi-tenant deployments where different teams manage separate AI Agent applications, and is fixed in version 4.14.10.4.

Information Disclosure Authentication Bypass Fastgpt
NVD GitHub
CVE-2026-40191
EPSS 0% CVSS 6.8
MEDIUM This Month

ClearanceKit for macOS prior to version 5.0.4-beta-1f46165 fails to validate destination paths in dual-path file operations (rename, link, copyfile, exchangedata, clone), allowing authenticated local processes to bypass file-access protection and place or replace files in protected directories. The vulnerability affects all versions before 5.0.4-beta-1f46165 and has been patched; no public exploit code or active exploitation has been identified at the time of analysis.

Apple Authentication Bypass Clearancekit
NVD GitHub
CVE-2026-40189
EPSS 0% CVSS 9.3
CRITICAL Act Now

Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.

Authentication Bypass Goshs
NVD GitHub
CVE-2026-40185
EPSS 0% CVSS 7.1
HIGH This Week

Authentication bypass in TREK collaborative travel planner (versions prior to 2.7.2) allows authenticated attackers with low privileges to access and modify trip photos without proper authorization. The missing authorization checks on Immich trip photo management routes enable unauthorized data access (high confidentiality impact) and limited integrity compromise. Exploitation requires authenticated access but no user interaction, exploitable remotely over network with low attack complexity.

Authentication Bypass Trek
NVD GitHub
CVE-2026-40184
EPSS 0% CVSS 3.7
LOW Monitor

TREK collaborative travel planner versions before 2.7.2 serve uploaded user photos without authentication, allowing unauthenticated remote attackers to enumerate and access private photo collections through direct URL access. The vulnerability is restricted to information disclosure with low impact due to attack complexity constraints, though it exposes sensitive travel-related imagery that users expect to be private.

Authentication Bypass Trek
NVD GitHub
CVE-2026-40259
CVSS 8.1
HIGH PATCH This Week

Unauthorized deletion of attribute view definitions in SiYuan note-taking application allows authenticated publish-service readers to permanently destroy arbitrary workspace data. Attackers with low-privilege publish credentials can extract attribute view IDs from published content markup (exposed as data-av-id attributes) and invoke the /api/av/removeUnusedAttributeView endpoint to delete corresponding JSON definition files. The endpoint lacks proper authorization controls, accepting RoleReader tokens despite performing destructive write operations. Successful exploitation corrupts database views, breaks local workspace rendering, and causes operational disruption requiring manual restoration.

Authentication Bypass
NVD GitHub
CVE-2026-40178
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Remote authentication bypass in Ajenti prior to version 0.112 allows unauthenticated network attackers to circumvent two-factor authentication during a brief post-authentication window with high attack complexity. The vulnerability affects the core authentication mechanism in ajenti.plugin.core and permits attackers to gain high-confidence access to protected resources; the vendor released patched version 0.112 to resolve this issue.

Authentication Bypass Ajenti
NVD GitHub
CVE-2026-40177
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Ajenti admin panel versions prior to 0.112 allows unauthenticated remote attackers to completely circumvent password authentication when two-factor authentication (2FA) is enabled. Attackers can gain full administrative access to the Ajenti server management interface without valid credentials, compromising confidentiality and integrity of managed systems. No public exploit identified at time of analysis.

Authentication Bypass Ajenti
NVD GitHub
CVE-2026-32252
EPSS 0% CVSS 7.7
HIGH This Week

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sensitive project data from other tenants. The vulnerability exists in the template generation endpoint (GET /team/:team_id/template/generate/:project_id), where unawaited promise execution and missing tenant validation enable attackers with valid template-generation permissions in their own team to access chart configurations, database connection details, and query structures from victim teams' projects. No public exploit identified at time of analysis. CVSS 7.7 reflects high confidentiality impact with scope change due to cross-tenant boundary violation.

Authentication Bypass Chartbrew
NVD GitHub
CVE-2026-33736
EPSS 0% CVSS 6.5
MEDIUM This Month

Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students and lower-privileged users to enumerate all platform users and extract sensitive personal information (email addresses, phone numbers, role assignments) through an unauthenticated API endpoint (GET /api/users), enabling reconnaissance of administrator accounts and organizational structure. The vulnerability affects any installation with user accounts below administrative level and is fixed in version 2.0.0-RC.3.

Authentication Bypass
NVD GitHub
CVE-2026-33708
EPSS 0% CVSS 6.5
MEDIUM This Month

Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.

Authentication Bypass
NVD GitHub
CVE-2026-33703
EPSS 0% CVSS 7.1
HIGH This Week

Insecure Direct Object Reference in Chamilo LMS allows authenticated users to access complete personal data and API tokens of any user by manipulating the userId parameter in the /social-network/personal-data/{userId} endpoint. Attack requires only low-privilege authentication (PR:L) and no user interaction, enabling mass disclosure of credentials and sensitive information across the entire platform. Affects all Chamilo LMS versions prior to 2.0.0-RC.3. No public exploit identified at time of analysis.

Authentication Bypass Chamilo Lms
NVD GitHub
CVE-2026-33141
EPSS 0% CVSS 6.5
MEDIUM This Month

Insecure Direct Object Reference in the Chamilo LMS REST API stats endpoint gives authenticated low-privilege users unauthorized read access to any user's learning progress, certificates, and gradebook scores across all courses prior to version 2.0.0-RC.3. The vulnerability requires only valid user credentials (accessible to students with ROLE_USER) and network access, enabling horizontal privilege escalation without administrative intervention or system compromise. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-32930
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated teachers in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 can access and modify gradebook evaluation settings across unauthorized courses through Insecure Direct Object Reference in the editeval parameter. Attackers with low-privilege teacher accounts can alter evaluation names, maximum scores, and weights for assessments in courses they do not own, enabling unauthorized data disclosure and integrity compromise. No public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-33702
EPSS 0% CVSS 7.1
HIGH This Week

Insecure Direct Object Reference in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated users enrolled in a course to manipulate arbitrary Learning Path progress data for other users. The lp_ajax_save_item.php endpoint accepts a uid parameter without ownership validation, enabling attackers to overwrite scores, completion status, and time tracking for any enrolled user by modifying the request parameter. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated network-based exploitation with high integrity impact.

PHP Authentication Bypass
NVD GitHub
CVE-2026-5483
EPSS 0% CVSS 8.5
HIGH This Week

Service Account token disclosure in the Red Hat OpenShift AI odh-dashboard component exposes Kubernetes credentials through an unprotected NodeJS endpoint. Low-privilege authenticated attackers can retrieve service account tokens, enabling unauthorized access to Kubernetes cluster resources. Affects Red Hat OpenShift AI 2.16 and multiple RHOAI versions. Cross-scope impact allows privilege escalation beyond dashboard component boundaries. No public exploit identified at time of analysis.

Kubernetes Redhat Authentication Bypass
NVD VulDB
CVE-2026-35670
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 allows authenticated attackers to redirect webhook-triggered chat replies to unintended users by exploiting username-based recipient binding instead of stable numeric identifiers. An attacker with valid credentials can manipulate username changes to rebind webhook replies intended for one user to a different user, compromising message confidentiality and integrity. No public exploit code or active CISA exploitation data is available, but the vulnerability is confirmed patched by the vendor.

Authentication Bypass
NVD GitHub
CVE-2026-35666
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Allowlist bypass in OpenClaw before 2026.3.22 permits authenticated attackers to execute arbitrary commands by wrapping disallowed executables with /usr/bin/time. The vulnerability exploits incomplete validation in system.run approvals, which fail to detect time wrapper prefixes, allowing reuse of approval state for inner prohibited commands. Remote exploitation requires low-privilege authentication (PR:L) with network access, enabling full system compromise through command injection. No public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-35664
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unauthenticated remote attackers to send malformed card commands, bypassing DM pairing restrictions and reaching callback handlers without proper authorization. This enables unpaired recipients to mint legacy callback payloads, resulting in integrity compromise of the messaging protocol. No public exploit code or active exploitation has been confirmed, but the low attack complexity and network accessibility make this a practical vulnerability.

Authentication Bypass
NVD GitHub
CVE-2026-35662
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing authenticated leaf subagents to bypass access control and message child sessions beyond their authorized scope. An authenticated attacker with subagent privileges can exploit this via the send action to communicate with restricted child sessions without proper validation, resulting in unauthorized inter-session message relay. No public exploit code has been identified, but the vulnerability has a moderate CVSS score of 4.3 reflecting the integrity impact and low attack complexity.

Authentication Bypass
NVD GitHub
CVE-2026-35661
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before 2026.3.25 allows remote attackers to bypass Telegram direct message pairing requirements and mutate session state through weaker callback-only authorization mechanisms. An unauthenticated attacker can craft malicious Telegram callback queries in direct messages to modify session state without satisfying the normal DM pairing security controls, resulting in unauthorized state modification with CVSS 5.3 (medium severity).

Authentication Bypass
NVD GitHub
CVE-2026-35660
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Insufficient access control in OpenClaw Gateway agent allows authenticated attackers with operator.write permission to reset admin sessions without operator.admin authorization. By invoking /reset or /new endpoints with explicit sessionKey parameters, attackers bypass privilege requirements and terminate arbitrary administrative sessions, achieving high-impact session hijacking. Affects OpenClaw versions prior to 2026.3.23. No public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-35657
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization checks on the /sessions/:sessionKey/history HTTP endpoint, enabling unauthorized access to session history data without requiring operator.read scope permissions. The vulnerability affects all OpenClaw versions prior to 2026.3.25 and requires valid authentication credentials to exploit; no public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-35656
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 contains an authentication bypass vulnerability in X-Forwarded-For header processing when trustedProxies is configured, allowing unauthenticated remote attackers to spoof loopback client addresses and bypass canvas authentication and rate-limiting protections. The vulnerability exploits improper validation of forwarding headers to masquerade as local loopback connections, with a CVSS score of 6.5 reflecting moderate confidentiality and integrity impact but no direct availability impact.

Authentication Bypass
NVD GitHub
CVE-2026-35655
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 allows authenticated remote attackers to spoof tool identities through rawInput parameters, bypassing ACP permission resolution and suppressing dangerous-tool prompting via identity hint conflicts between rawInput and metadata. This authentication bypass with high integrity impact affects all versions prior to the fixed release, enabling attackers to circumvent security restrictions intended to prevent execution of dangerous operations.

Authentication Bypass
NVD GitHub
CVE-2026-35654
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass sender allowlist checks in Microsoft Teams feedback invoke endpoints, enabling unauthorized recording of session feedback. The vulnerability exploits improper authorization logic in feedback processing, granting attackers the ability to trigger feedback recording or reflection operations that should be restricted to authorized senders. No public exploit code has been identified at the time of analysis.

Authentication Bypass Microsoft
NVD GitHub
CVE-2026-35653
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Incorrect authorization in OpenClaw before 2026.3.24 allows authenticated users with operator.write access to the browser.request capability to invoke the POST /reset-profile endpoint, bypassing privilege restrictions to terminate running browsers, sever Playwright connections, and relocate profile directories to the system Trash. Exploitation requires low-privilege authentication (CVSS PR:L) but achieves high integrity and availability impact through unauthorized state mutation and service disruption across intended security boundaries. No public exploit identified at time of analysis.

Authentication Bypass
NVD GitHub
CVE-2026-35652
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.

Authentication Bypass
NVD GitHub
CVE-2026-35649
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.

Authentication Bypass
NVD GitHub
CVE-2026-35648
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.22 allows policy bypass through unvalidated queued node actions, enabling attackers to execute unauthorized commands by exploiting stale allowlists or policy declarations that persist after policy changes. The vulnerability requires network access and high attack complexity but no authentication, resulting in integrity impact without exposing confidentiality or availability. No public exploit code or active exploitation has been confirmed.

Authentication Bypass
NVD GitHub
CVE-2026-35647
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass direct message policy controls by sending verification notices to users outside configured allowed peer lists. The vulnerability stems from insufficient access validation checks applied to verification notice transmission, enabling attackers to contact users who have restricted direct messaging policies in place. CVSS score of 5.3 reflects moderate integrity impact with low attack complexity and no authentication requirements.

Authentication Bypass
NVD GitHub
CVE-2026-35621
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw before version 2026.3.24 allows authenticated operator.write-scoped clients to escalate privileges and modify channel authorization policies normally restricted to operator.admin scope through improper scope re-validation in the /allowlist command. Attackers with write-level permissions can exploit the chat.send function to construct an internal command-authorized context and persist unauthorized changes to channel allowFrom and groupAllowFrom policies, effectively bypassing access control mechanisms.

Privilege Escalation Authentication Bypass
NVD GitHub
CVE-2026-35620
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.24 fails to enforce authorization checks in the /send and /allowlist chat command handlers, allowing authenticated users with operator.write scope to bypass owner-only restrictions and modify session delivery policies and allowlist configurations. Attackers can persistently alter sendPolicy settings and add entries to allowlists without proper admin authorization, resulting in integrity and availability impacts within the affected session.

Authentication Bypass
NVD GitHub
CVE-2026-35619
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.24 allows authenticated operators with only operator.approvals scope to enumerate sensitive gateway model metadata via the HTTP /v1/models endpoint, bypassing stricter WebSocket RPC authorization controls. Attackers with limited operator privileges can access information that should be restricted to higher-privilege read scopes, resulting in unauthorized information disclosure.

Authentication Bypass
NVD GitHub
CVE-2026-34727
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication bypass in Vikunja task management platform allows unauthenticated attackers to circumvent two-factor authentication when OIDC email-based user matching is enabled. The OIDC callback handler issues complete JWT tokens without validating TOTP enrollment status, enabling full account access to users with configured TOTP protection when matched through OIDC email fallback. Affects versions prior to 2.3.0. No public exploit identified at time of analysis.

Authentication Bypass Vikunja
NVD GitHub
CVE-2026-40103
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Vikunja's scoped API token enforcement for project background routes contains a method-confusion authorization bypass allowing tokens with only `projects.background` permission to delete project backgrounds despite lacking the `projects.background_delete` permission. This enables authenticated attackers to perform unintended destructive operations on projects they have update access to, weakening the permission model for narrowly scoped API tokens used in automation and third-party integrations. The vulnerability has a vendor-released patch available and is confirmed reproducible on the affected codebase.

Authentication Bypass
NVD GitHub
CVE-2026-35598
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Vikunja task authorization bypass in CalDAV allows authenticated users to read arbitrary task details from any project by knowing a task UID, bypassing REST API permission checks. The GetResource and GetResourcesByList CalDAV methods query tasks by UID without verifying the authenticated user has project access, enabling information disclosure of task titles, descriptions, due dates, and other metadata across organizational boundaries in multi-tenant deployments. Patch available in v2.3.0.

Python Authentication Bypass
NVD GitHub
CVE-2026-35597
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Vikunja API allows attackers to brute-force TOTP codes by exploiting a database transaction rollback bug that prevents account lockout persistence. When TOTP validation fails, the login handler rolls back the database session containing the failed-attempt counter increment and account lock status, leaving the lockout mechanism non-functional, while per-IP rate limiting can be bypassed via a distributed attack. Unauthenticated remote attackers who possess a user's password can exhaust the 6-digit TOTP code space (only 1 million combinations) and gain unauthorized access. Patch is available as of Vikunja v2.3.0.

Python Authentication Bypass
NVD GitHub
CVE-2026-35596
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Vikunja API versions prior to 2.3.0 allow authenticated users to read any label metadata and creator information across projects via a SQL operator precedence flaw in the hasAccessToLabel function. Any label attached to at least one task becomes readable to all authenticated users regardless of project access permissions, enabling cross-project information disclosure of label titles, descriptions, colors, and creator usernames. The vulnerability requires prior authentication (PR:L per CVSS vector) and has low attack complexity with a direct impact on confidentiality. No public exploit code beyond the proof-of-concept in the advisory has been identified, and vendor-released patch version 2.3.0 is available.

Python Information Disclosure Authentication Bypass
NVD GitHub
CVE-2026-40224
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in systemd 259 before 260 allows authenticated local users to gain root-level access via varlink communication to systemd-machined, exploiting improper namespace isolation. The vulnerability requires low privileges, high attack complexity, and user interaction, affecting the systemd init system across Linux distributions. No public exploit code or active exploitation has been confirmed at time of analysis.

Privilege Escalation Authentication Bypass
NVD GitHub
CVE-2026-29002
EPSS 0% CVSS 8.6
HIGH POC This Week

Privilege escalation in CouchCMS allows authenticated Admin-level users to create SuperAdmin accounts by manipulating the f_k_levels_list parameter during user creation requests. Attackers modify the parameter value from 4 to 10 in HTTP POST bodies to bypass authorization controls and gain unrestricted application access. This authenticated attack (PR:H) enables lateral privilege movement from Admin to SuperAdmin, circumventing intended role hierarchy enforcement. Publicly available exploit code exists, lowering the exploitation barrier for actors with existing Admin credentials.

Privilege Escalation Authentication Bypass
NVD GitHub
CVE-2026-5412
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.

Authentication Bypass
NVD GitHub
CVE-2026-5777
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated root access in Egate Atom 3x Projector enables complete device compromise via an exposed Android Debug Bridge service on the local network. An attacker on the same network segment can execute arbitrary commands with full system privileges without credentials, due to missing authentication controls and network exposure of the ADB service. No public exploit identified at time of analysis. Critical impact includes data exfiltration, malware installation, and persistent backdoor deployment.

Google Authentication Bypass Atom 3X Projector
NVD
CVE-2026-4162
EPSS 0% CVSS 7.1
HIGH This Week

Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.

WordPress CSRF Authentication Bypass
NVD
CVE-2026-5999
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls in the SysAnnouncementController component, potentially leading to unauthorized data modification and disclosure. The vulnerability has a CVSS score of 6.3 (medium severity) and carries an EPSS severity rating reflecting real-world exploitability; publicly available exploit code exists and the vendor has confirmed the issue with a patch expected in an upcoming release.

Authentication Bypass Privilege Escalation Jeecgboot
NVD VulDB GitHub
CVE-2026-3360
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.

WordPress PHP Authentication Bypass +1
NVD
CVE-2026-4664
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can bypass authentication in Customer Reviews for WooCommerce plugin versions up to 5.103.0 by submitting an empty string as the review permission key, allowing them to create, modify, and inject malicious product reviews via the REST API without any legitimate order association. The vulnerability exploits improper key validation using strict equality comparison without checking for empty values, combined with auto-approval of reviews by default, enabling widespread review injection across all products on affected WooCommerce installations.

WordPress PHP Authentication Bypass +1
NVD
CVE-2026-33551
EPSS 0% CVSS 3.5
LOW PATCH Monitor

OpenStack Keystone 14 through 29.x allows authenticated users with restricted application credentials to create EC2 credentials that inherit the parent user's full S3 permissions, bypassing role restrictions. This privilege escalation affects only deployments combining restricted application credentials with the EC2/S3 compatibility API (swift3/s3api), and requires valid authentication credentials and moderate attack complexity to exploit.

Authentication Bypass
NVD
CVE-2026-23782
EPSS 0%
Awaiting Data

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.

Authentication Bypass Information Disclosure N/A
NVD
CVE-2026-39848
EPSS 0% CVSS 6.5
MEDIUM This Month

CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.

Docker CSRF Authentication Bypass +1
NVD GitHub
CVE-2026-33785
EPSS 0% CVSS 6.3
MEDIUM This Month

Juniper Networks Junos OS on MX Series allows authenticated local users with low privileges to execute 'request csds' CLI commands intended only for high-privileged administrators or CSDS operators, enabling complete compromise of managed devices. The vulnerability affects Junos OS 24.4 releases before 24.4R2-S3 and 25.2 releases before 25.2R2. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS score of 6.3 reflects moderate severity with high system impact.

Authentication Bypass Juniper
NVD
CVE-2026-33784
EPSS 0% CVSS 9.3
CRITICAL Act Now

Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.

Authentication Bypass Juniper
NVD
CVE-2026-33776
EPSS 0% CVSS 6.8
MEDIUM This Month

Missing authorization in Juniper Networks Junos OS and Junos OS Evolved CLI allows local users with low privileges to execute the 'show mgd' command with specific arguments to read sensitive information. The vulnerability affects multiple version branches of both Junos OS (22.4, 23.2, 23.4, 24.2, 24.4, 25.2) and Junos OS Evolved (23.2, 23.4, 24.2, 24.4, 25.2), with patches available for all affected versions. CVSS score is 6.8 with high confidentiality impact but no public exploit identified at time of analysis.

Authentication Bypass Juniper
NVD
CVE-2026-33774
EPSS 0% CVSS 6.9
MEDIUM This Month

Firewall filter bypass in Juniper Networks Junos OS on MX Series allows unauthenticated network-based attackers to access the control plane by exploiting improper exception handling in the packet forwarding engine when firewall filters are applied to non-zero loopback interfaces in the default routing instance. Affected MX platforms with MPC10, MPC11, LC4800, LC9600 line cards and MX304 models running Junos OS versions before 23.2R2-S6, 23.4R2-S7, 24.2R2, or 24.4R2 fail to enforce configured lo0.n ingress filters, allowing bypass of access controls designed to protect critical infrastructure management interfaces. No public exploit identified at time of analysis, but the vulnerability requires only network access and no authentication to trigger.

Authentication Bypass Juniper
NVD
CVE-2026-33771
EPSS 0% CVSS 9.1
CRITICAL Act Now

Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, which is verifiable through the 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.

Authentication Bypass Juniper Brute Force
NVD
CVE-2026-33788
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated users with low privileges to gain high-privileged direct access to Flexible PIC Concentrators (FPCs), enabling potential full compromise of affected line cards. Impacts PTX10004, PTX10008, PTX10016 with JNP10K-LC1201 or JNP10K-LC1202 line cards across multiple firmware branches. Missing authentication on critical FPC management functions permits unauthorized privilege elevation. No public exploit identified at time of analysis.

Authentication Bypass Juniper Junos Os Evolved
NVD
CVE-2026-35646
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass pre-authentication rate limiting on webhook token validation, enabling brute-force attacks against weak webhook secrets through rapid successive requests. The vulnerability stems from absent throttling on invalid token rejection attempts, permitting attackers to enumerate valid tokens without login credentials or triggering defensive rate-limiting mechanisms.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35642
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization controls in mention-gated groups by triggering reaction events that circumvent the requireMention access control mechanism, enabling them to enqueue agent-visible system events that should remain restricted. This medium-severity vulnerability (CVSS 5.3) affects the integrity of group-based access policies and requires user interaction at the network level but leverages low privilege requirements.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35636
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Session isolation bypass in OpenClaw 2026.3.11 through 2026.3.24 allows authenticated attackers to access parent or sibling sessions, bypassing visibility restrictions. The vulnerability exploits session_status logic that resolves sessionId to canonical session keys before enforcing explicit sessionKey-based access controls, enabling sandboxed child sessions to read data from sessions they should not access. No public exploit identified at time of analysis. Impacts confidentiality of session data across isolation boundaries in multi-tenant or sandboxed deployment scenarios.

Canonical Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35635
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in its Synology Chat extension that allows unauthenticated remote attackers to bypass per-account direct message access controls by collapsing multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to replace route ownership across accounts, potentially gaining unauthorized access to account-specific resources. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Synology Openclaw
NVD GitHub
CVE-2026-35634
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

OpenClaw before version 2026.3.23 contains an authentication bypass in the Canvas gateway where the authorizeCanvasRequest() function unconditionally allows local-direct requests without validating bearer tokens or Canvas capabilities, enabling unauthenticated attackers on the local system to send loopback HTTP and WebSocket requests to bypass authentication and access Canvas routes. The vulnerability requires local network access but no prior authentication, affecting all versions prior to the patched release.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35632
EPSS 0% CVSS 6.9
MEDIUM This Month

OpenClaw through version 2026.2.22 allows authenticated local attackers to execute arbitrary code or manipulate system files via symlink traversal in the agents.create and agents.update handlers. The vulnerability stems from unsafe use of fs.appendFile on IDENTITY.md without validating symlink targets, permitting attackers with workspace access to plant symlinks pointing to sensitive files like crontab or SSH configuration directories and inject malicious content through the agent creation/update process.

RCE Authentication Bypass
NVD GitHub
CVE-2026-35631
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in OpenClaw versions prior to 2026.3.22 allows authenticated low-privilege users to execute administrative control-plane operations through internal ACP chat commands. The vulnerability stems from missing operator.admin scope enforcement on mutating commands, enabling unauthorized users to invoke privileged actions that modify system configuration or state. Exploitation requires authenticated access but no elevated privileges, permitting lateral privilege escalation to administrative functions. No public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35624
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.22 uses room names instead of stable tokens for Nextcloud Talk room authorization, allowing authenticated attackers to bypass allowlist policies by creating similarly named rooms and gaining unauthorized access to protected conversations. The vulnerability requires low privileges and high attack complexity but poses a direct confidentiality and integrity risk to room access controls. No public exploit code or active exploitation has been reported.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35623
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to brute-force webhook authentication credentials due to missing rate limiting on password validation attempts. The vulnerability enables attackers to perform repeated authentication guesses against the webhook endpoint without throttling, potentially compromising webhook security and gaining unauthorized access to webhook functionality.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35622
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 contains an improper authentication verification flaw in its Google Chat webhook handling that allows authenticated attackers with low privileges to bypass webhook authentication by supplying non-deployment add-on principals, enabling unauthorized actions through the Google Chat integration. The issue carries a CVSS score of 6.0, and a vendor patch is confirmed available.

Google Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35618
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authentication bypass in OpenClaw versions prior to 2026.3.23 enables attackers to forge Plivo V2 signature-verified requests without credentials. The vulnerability stems from replay key derivation using full URLs with query parameters rather than canonicalized base URLs, allowing unauthenticated remote attackers to manipulate query strings on signed requests and generate new valid verification keys. This permits bypassing webhook authentication controls and injecting malicious requests into Plivo-integrated telephony workflows. No public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-35617
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement where attackers with authenticated access can manipulate space display names to rebind group policies and gain unauthorized access to protected resources. The vulnerability requires authenticated access and high attack complexity but affects confidentiality and integrity of protected data. A vendor patch has been released.

Google Authentication Bypass Openclaw
NVD GitHub
CVE-2026-34512
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authorization bypass in OpenClaw versions prior to 2026.3.25 enables authenticated users to terminate arbitrary subagent sessions through the /sessions/:sessionKey/kill HTTP endpoint. Exploiting CWE-863 improper authorization, low-privilege authenticated attackers execute admin-level killSubagentRunAdmin functions without ownership or operator scope validation, achieving high integrity and availability impact on targeted sessions. No public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVE-2026-40149
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Unauthenticated modification of the tool approval allowlist in PraisonAI multi-agent system (versions prior to 4.5.128) enables attackers to bypass human-in-the-loop safety controls by injecting dangerous tool names (shell_exec, file_write) into the allowlist via the /api/approval/allow-list gateway endpoint. The ExecApprovalManager then auto-approves agent invocations of these tools, circumventing the approval mechanism's core security function. Attack requires local access; no public exploit identified at time of analysis. CVSS 7.9 reflects high integrity impact with scope change due to compromised safety boundaries in agent workflows.

Authentication Bypass Praisonai
NVD GitHub
CVE-2026-40117
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

PraisonAIAgents versions prior to 1.5.128 allow unauthenticated local attackers to read arbitrary files from the filesystem via the read_skill_file() function in skill_tools.py, which lacks the workspace boundary protections and approval requirements enforced by comparable file access functions. An agent subjected to prompt injection can exfiltrate sensitive files without user awareness or approval prompts, enabling confidentiality compromise with CVSS 6.2 (local attack vector, high confidentiality impact). No public exploit code or active exploitation has been reported at the time of analysis.

Authentication Bypass Praisonaiagents
NVD GitHub
CVE-2026-40109
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Flux notification-controller prior to version 1.8.3 fails to validate the email claim in Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to trigger unauthorized reconciliations via the gcr Receiver webhook endpoint. An attacker must know or discover the webhook URL (generated from a random token stored in a Kubernetes Secret) to exploit this vulnerability; however, practical impact is severely limited because Flux reconciliations are idempotent and deduplicated, meaning unauthorized requests result in no operational changes to cluster state unless the underlying Git/OCI/Helm sources have been modified.

Google Kubernetes Authentication Bypass
NVD GitHub
CVE-2026-4436
EPSS 0% CVSS 8.6
HIGH Act Now

Unauthenticated remote attackers can manipulate Modbus register inputs in GPL Odorizers GPL750 industrial control systems (XL4, XL4 Prime, XL7, XL7 Prime variants across versions 1.0-20.0), causing incorrect odorant injection volumes into natural gas distribution pipelines. Authentication bypass (CWE-306) via network-accessible Modbus interface permits direct register value tampering without credential validation, enabling safety-critical process manipulation. No public exploit identified at time of analysis.

Authentication Bypass Gpl750 Xl4 Gpl750 Xl4 Prime +2
NVD GitHub
CVE-2026-35577
EPSS 0% CVSS 6.8
MEDIUM This Month

Apollo MCP Server versions prior to 1.7.0 fail to validate HTTP Host headers on StreamableHTTP transport, allowing unauthenticated remote attackers with user interaction to bypass same-origin policy via DNS rebinding attacks and invoke GraphQL tools or access resources on behalf of a local user. The vulnerability is limited to HTTP-based deployments without network-level controls and does not affect stdio transport configurations. Vendor-released patch: version 1.7.0.

Authentication Bypass Apollo Mcp Server
NVD GitHub
CVE-2026-34500
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CLIENT_CERT authentication bypass in Apache Tomcat allows unauthenticated remote attackers to bypass certificate-based authentication when soft fail is disabled and Foreign Function Memory (FFM) is enabled, affecting Tomcat 9.0.92-9.0.116, 10.1.22-10.1.53, and 11.0.0-M14-11.0.20. The vulnerability has a CVSS score of 6.5 with high confidentiality impact and partial integrity impact; however, the EPSS score of 0.04% (11th percentile) indicates very low real-world exploitation probability, and no public exploit code or confirmed active exploitation has been identified.

Apache Tomcat Authentication Bypass +1
NVD VulDB
CVE-2026-29145
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).

Apache Tomcat Authentication Bypass +2
NVD VulDB
CVE-2026-35063
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenPLC_V3 REST API allows authenticated low-privilege users to delete administrator accounts or create new admin-level accounts. The API validates JWT token presence but fails to enforce role-based access control, enabling any user with basic authentication to escalate privileges to full administrator access or remove existing administrators by manipulating user ID parameters. This affects all versions of OpenPLC_V3. No public exploit identified at time of analysis.

Authentication Bypass Openplc V3
NVD
CVE-2026-28205
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through insecurely configured API endpoints. The vulnerability stems from insecure default resource initialization (CWE-1188), enabling complete circumvention of authentication mechanisms. Attackers can exploit this over the network with low attack complexity to achieve high confidentiality, integrity, and availability impact across vulnerable and subsequent systems. No public exploit identified at time of analysis.

Authentication Bypass Openplc V3
NVD
CVE-2026-40071
EPSS 0% CVSS 5.4
MEDIUM This Month

Authenticated privilege escalation in pyLoad's WebUI JSON endpoints (/json/package_order, /json/link_order, /json/abort_link) allows low-privileged users to perform unauthorized MODIFY operations that violate the application's permission model. Versions prior to 0.5.0b3.dev97 are affected; the vulnerability requires valid authentication but enables privilege boundary bypass without requiring elevated credentials.

Authentication Bypass Python
NVD GitHub
CVE-2026-39976
EPSS 0% CVSS 7.1
HIGH This Week

Authentication bypass in Laravel Passport 13.0.0-13.7.0 allows machine-to-machine OAuth2 client_credentials tokens to impersonate arbitrary application users. The league/oauth2-server library sets the JWT sub claim to the client identifier for M2M flows; Passport's token guard fails to validate that this identifier represents an actual user before passing it to retrieveById(), enabling any M2M token to authenticate as unrelated real users. Affects all deployments using the client_credentials grant type. Requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis.

Authentication Bypass Passport
NVD GitHub
CVE-2026-39962
EPSS 0% CVSS 8.8
HIGH This Week

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.

Authentication Bypass Ldap Code Injection +2
NVD GitHub
CVE-2026-39957
EPSS 0% CVSS 2.3
LOW Monitor

SQL operator-precedence bug in Lychee prior to 7.5.4 allows authenticated users with upload permission to bypass ownership filters and retrieve all user-group-based sharing permissions across the instance, including private albums owned by other users. The vulnerability exists in SharingController::listAll() where an orWhereNotNull clause escapes the ownership filter applied by a when() block. This affects any non-admin user who owns at least one album, creating an information disclosure risk that exposes sharing metadata for the entire Lychee instance.

Authentication Bypass Lychee
NVD GitHub

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
7467

