Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
Recent CVEs (31263)
Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanently defeat the maintainer approval step that normally guards workflow execution on fork PRs, so that after the initial gate is subverted the attacker's workflow code runs against the repository's CI runners and secrets. CVSS is 8.9 (high) with a scope change and high integrity/availability impact; no public exploit has been identified at time of analysis, but a vendor patch (v1.26.4) is available. The flaw is classed as CWE-285 (Improper Authorization) and was self-reported by the Gitea project.
Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to read files from private repositories they should not access by supplying a malformed SSH sub-verb, per the Gitea security advisory GHSA-7wvc-rvp7-w99x. Because the flaw crosses a security boundary (CVSS scope change) it exposes confidential repository contents without any integrity or availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available in Gitea 1.26.4.
Authorization bypass in Gitea Open Source Git Server (versions up to and including 1.26.1) allows a user whose account was deliberately disabled by an administrator to silently regain access simply by signing in through a linked OAuth provider. The OAuth sign-in callback fails to honor the administrator's 'disabled' flag, effectively reversing an intended access-revocation action. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the flaw undermines a core account-lifecycle control on a widely self-hosted platform.
Denial of service in Gitea, the self-hosted open-source Git service, allows a remote unauthenticated attacker to exhaust server CPU by triggering catastrophic backtracking in the regular-expression engine that evaluates CODEOWNERS pattern matching. All versions prior to the fixed 1.26.3/1.26.4 releases are affected, and the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H only) confirms network-reachable, low-complexity, no-authentication abuse with availability-only impact. There is no public exploit identified at time of analysis and EPSS is low (0.16%, 6th percentile), so exploitation risk is real but not yet widespread.
Spoofing in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows a remote unauthenticated attacker to present deceptive browser UI to a victim user, resulting in high-confidentiality-impact information disclosure. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms exploitation is network-delivered and requires only a single user interaction, consistent with a classic UI-spoofing or URL-spoofing class of flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor-released patch is available.
Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.
Security-feature bypass in Microsoft Edge (Chromium-based) stems from a type-confusion (CWE-843) flaw that a remote, unauthenticated attacker can trigger over the network to defeat a browser security boundary. Microsoft has published a fix via its Update Guide (CVE-2026-58295), and the issue carries a CVSS 8.3 with a scope change reflecting the crossed trust boundary. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets an unauthorized attacker run arbitrary code when a victim is lured to interact with attacker-controlled content, stemming from external control of a file name or path (CWE-73). The flaw is network-reachable but non-trivial to exploit, requiring user interaction and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patched build, and EPSS estimates a low 0.53% exploitation probability with SSVC reporting no observed exploitation.
Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run code on a victim's machine when the user is lured into interacting with attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and, per its CVSS scope-change metric, is consistent with a renderer/sandbox boundary escape. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix.
Remote code execution in Microsoft Edge (Chromium-based) stems from a type confusion flaw (CWE-843) that an unauthorized attacker can trigger over the network to run arbitrary code, provided the victim interacts with attacker-controlled web content. Microsoft self-reported and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) and required user interaction (UI:R) temper an otherwise network-reachable, unauthenticated attack surface.
Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run arbitrary code when a victim is lured to a malicious web page, via a type-confusion flaw (CWE-843) in the browser engine. The CVSS:3.1 score is 8.3 with a scope change (S:C), indicating a likely sandbox/renderer boundary escape, though exploitation carries high attack complexity and requires user interaction. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, with EPSS at 0.53% (41st percentile).
Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker misrepresent trusted UI or content to a victim by abusing improper access control (CWE-284), per Microsoft's own advisory (MSRC CVE-2026-58286). The high CVSS 8.1 is driven by a scope-changed impact (S:C) with high integrity effect, though the AC:H rating signals the attack is not trivially reliable. Currently there is no public exploit identified at time of analysis and no CISA KEV listing, so this is a proactively-patched issue rather than one under active exploitation.
Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attacker run arbitrary code when a victim is lured to malicious web content. The CVSS 3.1 base score is 8.3 with a scope change, reflecting a likely renderer-to-sandbox impact, but exploitation requires user interaction and has high attack complexity. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available via Microsoft's MSRC update guide.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's security boundary and run arbitrary code when a victim is lured to malicious web content. Rooted in an improper authorization flaw (CWE-285) with a scope-changing CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), exploitation requires user interaction and high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.
UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.
Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.
Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).
Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.
Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.
Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.
Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.
Broken authorization in Gitea (self-hosted Git service) versions up to and including 1.26.2 lets a user who holds general repository access but has NOT been granted the Code unit permission read private source content by reusing Git LFS objects to authorize otherwise-restricted source objects. The flaw (CWE-639, tracked as GHSA-2m9v-5q2g-58vq) enables horizontal privilege escalation to confidential code within a repository. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch shipped in 1.26.3.
Branch-protection bypass in Gitea's self-hosted Git server (all versions before 1.26.0) allows a user with push access to circumvent pre-receive hook enforcement by supplying oversized hook input that trips a bufio.Scanner error the code fails to handle safely. Because Gitea does not fail closed on the scanner error, the protection check is silently skipped and the push is accepted. No public exploit identified at time of analysis; EPSS is low (0.17%, 7th percentile) and this is not in CISA KEV, but a vendor patch (v1.26.0) is available.
Canonical URL spoofing in Gitea before 1.25.5 lets remote attackers inject malformed X-Forwarded-Proto values that the server trusts when computing its public-facing URL, causing it to emit attacker-controlled canonical links (e.g. in emails, redirects, and generated absolute URLs). No public exploit identified at time of analysis, and the low EPSS score (0.17%, 6th percentile) reflects minimal in-the-wild interest, but a vendor patch is available in v1.25.5. Note that the published CVSS vector claims availability impact (A:H) while the description describes URL spoofing (an integrity concern), a discrepancy worth verifying with the vendor.
Privilege escalation in Gitea 1.25.5 lets a user holding a per-branch maintainer-edit grant reuse that write permission against other refs and obtain full repository write access. The flaw stems from a branch-specific permission result being cached and incorrectly reused across multiple refs within a single pre-receive hook session. It is an authenticated authorization-bypass (CWE-863) fixed in Gitea 1.26.3; no public exploit has been identified and EPSS exploitation probability is low (0.20%).
Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers read private or internal Composer package source links they should not be authorized to see, leaking internal repository/source metadata. The flaw is a missing-authorization (CWE-862) issue reported by the Gitea project itself and fixed in v1.26.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With a CVSS 3.0 base score of 8.2 driven by high confidentiality impact, the practical effect is unauthorized disclosure of otherwise-private package sourcing information.
Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commit metadata to any holder of a valid but under-privileged API token. Versions up to and including 1.26.2 are affected; the flaw is classified as CWE-863 (Incorrect Authorization) with a CVSS score of 4.3. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patches are available in v1.26.3 and v1.26.4.
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
Gitea versions before 1.25.5 allow a user to change another user's primary email address.
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.
Authorization bypass in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows authenticated remote attackers to view student records they are not authorized to access. By manipulating the ID parameter in POST requests to /index.php?action=view_student, a low-privileged user can enumerate or access other students' data. A public proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no active exploitation confirmed in CISA KEV.
Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.
Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) fails to enforce group-level authorization when a restricted administrator queries role-to-group assignments, exposing group names and custom attributes beyond the admin's intended scope. Restricted admins holding only role-view permission can enumerate all groups assigned to that role, bypassing the group-level access controls that FGAP v2 is designed to enforce. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; however, the EPSS risk is compounded in deployments where group attributes carry sensitive operational metadata.
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the Pardus Linux application/software center) affects versions up to and including 1.0.4 and is fixed in 1.0.5. A low-privileged local user can abuse a missing authorization check (CWE-862) to inject attacker-controlled arguments into a privileged backend operation, and because the CVSS scope is Changed with High confidentiality, integrity, and availability impact, this realistically yields code execution or full compromise of the underlying system. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the 8.8 CVSS and scope change make it a serious local escalation issue.
{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.
Incorrect authorization in Dell PowerProtect Data Domain permits a high-privileged local attacker to execute commands outside their authorized scope across a broad span of affected versions covering the main release line and all three active LTS branches. The root cause (CWE-863) indicates the appliance's Data Domain OS fails to enforce authorization boundaries correctly for certain operations accessible to already-elevated users, enabling privilege escalation within an authenticated administrative session. No public exploit code or active exploitation is confirmed at time of analysis; the CVSS 4.2 Medium score accurately reflects the significant access prerequisites - local presence plus high-level credentials - required to trigger the flaw.
Improper access control in the RBAC implementation of Dell PowerProtect Data Domain allows a low-privileged authenticated remote attacker to tamper with information beyond their authorized role scope. Affected releases span the main 7.7.1.0-8.6 line and three LTS tracks covering LTS2024, LTS2025, and LTS2026. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV, placing this as a medium-priority issue requiring patch scheduling rather than emergency response.
Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-privileged local attackers across a broad range of supported release trains. The flaw (CWE-732) means a resource - likely a file, directory, or configuration object - carries overly permissive access controls, allowing a local attacker operating with elevated privileges to read data they are not authorized to access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the breadth of affected versions (seven release trains spanning 2024-2026 LTS and mainline builds) increases aggregate exposure across enterprise backup environments.
Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outside their intended access scope by manipulating symbolic or hard links before file access operations resolve. Affected across multiple release trains - mainline 7.7.1.0 through 8.6, LTS2026 8.6.1.10 and below, LTS2025 8.3.1.30 and below, and LTS2024 7.13.1.70 and below. No public exploit code or active exploitation confirmed at time of analysis; risk is bounded by the requirement for pre-existing high-privilege local access.
Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.
Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.
Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.
WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.
Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.
Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.
Authentication bypass in 9router (>= 0.2.21 through 0.4.41) lets any unauthenticated remote attacker forge a valid dashboard session cookie because the JWT signing key falls back to the publicly committed hardcoded string "9router-default-secret-change-me" whenever the JWT_SECRET environment variable is unset. Since this secret is identical across every release and visible in the public repository, an attacker can pre-compute a valid auth_token, bypass the /dashboard login, and reach every API endpoint to steal stored API keys and auth tokens or take over the instance. Publicly available exploit code exists (the advisory ships a working jose-based PoC); there is no CISA KEV listing and no confirmed active exploitation at time of analysis.
Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. No public exploit code exists and no CVSS score was assigned, consistent with the vendor's own characterization that the severity is low.
Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.
Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.
Authentication bypass and IdP impersonation in the SimpleSAMLphp saml2 library (and the saml2-legacy package) lets a malicious or lower-trust identity provider in a shared federation forge assertions for higher-trust IdPs when the HTTP-Artifact binding is used. Because the TLS-based validator applied to the SOAP ArtifactResponse returns normally instead of throwing when its public key does not match the embedded Response, an unsigned embedded SAML Response claiming a different issuer is accepted as valid, allowing an attacker to log into the SP as arbitrary users of a victim IdP. CVSS is 8.7; there is no public exploit identified at time of analysis and no CISA KEV listing.
Consensus divergence in the Zcash Foundation's Zebra node (zebrad up to and including v4.4.1) lets a remote, unauthenticated attacker force a chain split between Zebra and zcashd validators without any mining capability. Zebra's P2SH signature-operation counter runs a pure-Rust path that short-circuits on disabled opcodes and undercounts sigops, so Zebra accepts blocks that zcashd rejects once the 20,000 block-sigop limit is straddled. There is no public exploit identified at time of analysis, but the advisory includes a concrete crafted redeem script demonstrating the divergence, and all default configurations are affected.
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.
Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.
Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.
Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.
Authentication bypass in the joserfc Python JOSE/JWT library (PyPI, versions <= 1.6.7) lets unauthenticated attackers forge valid HS256/HS384/HS512 tokens whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds a zero-length key straight into hmac.new(b"", ...) and OctKey.import_key only warned (never rejected) empty material, an attacker who knows no secret can reproduce the exact digest with HMAC(key=b"") and pass hmac.compare_digest. Publicly available exploit code exists (working PoC in the advisory); the flaw is fixed in 1.6.8. This is the cross-language sibling of ruby-jwt CVE-2026-45363. No EPSS score or CISA KEV listing was provided; no public exploit-in-the-wild is claimed.
Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.
JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines `spec.virtualhost.tls.enableFallbackCertificate: true` with `spec.virtualhost.jwtProviders`. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. No public exploit has been identified and this CVE is not in the CISA KEV catalog; a vendor-released patch (v1.33.5) is available.
Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.
The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-based cookie computation deterministic and fully predictable to any network observer for the 0-to-15-second window before the first secret rotation. Any attacker who can observe a plaintext DTLS ClientHello during this window can forge valid cookies, bypassing the RFC 6347 §4.2.1 source address verification mechanism and enabling handshake amplification attacks with spoofed source IPs. No public exploit has been identified at time of analysis; vendor-released patches are available in OTP 29.0.3, 28.5.0.3, and 27.3.4.14.
Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.
Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).
Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.
Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.
Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.
Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.
Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.
Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).
SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- auth
- Total CVEs
- 31263