Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31263)

EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Network component (versions prior to 150.0.7871.47) allows a remote attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw, rooted in CWE-346 (Origin Validation Error), enables unauthorized cross-origin integrity impacts - an attacker can cause a browser to act on or submit data across origin boundaries it should enforce. With an EPSS of 0.18% at the 8th percentile, no CISA KEV listing, and no public exploit identified, active exploitation risk is low at this time, though Chrome's ubiquitous deployment ensures broad attack surface if exploitation techniques mature.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-level policy enforcement by delivering a crafted HTML page to a victim. The Chrome security team internally rated this as Low severity, consistent with the CVSS 4.3 score and an impact limited to integrity (I:L) with no confidentiality or availability consequences. No public exploit code or active exploitation has been identified; EPSS places this in the 8th percentile of exploitation likelihood.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

No-referrer policy bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to capture referrer URL information that the browser was supposed to suppress. Exploitation requires user interaction - the victim must visit a crafted HTML page served by the attacker - and exploits a client-side enforcement gap (CWE-602) specific to the iOS build of Chrome. EPSS is 0.19% (9th percentile) and no active exploitation or KEV listing exists, consistent with the Low Chromium severity rating.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebXR component affects all versions prior to 150.0.7871.47, exploitable by a remote unauthenticated attacker who can induce a user to visit a crafted HTML page. The root cause is insufficient input validation (CWE-20) within the WebXR subsystem, resulting in limited integrity impact via unauthorized navigation. No public exploit exists and EPSS sits at 0.18% (8th percentile), consistent with the Chromium team's own Low severity classification - this represents a genuine but low-priority risk.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS prior to 150.0.7871.47 allows a remote, unauthenticated attacker to circumvent browser-enforced navigation controls by delivering a crafted HTML page. The flaw is confined to the iOS platform - Chrome on Android, Windows, macOS, and Linux is unaffected - and requires the victim to actively visit the attacker-controlled page (UI:R). With a CVSS score of 4.3 (Medium), an EPSS of 0.19% (9th percentile), no CISA KEV listing, and a Chromium-internal severity rating of Low, this vulnerability carries minimal real-world exploitation risk but warrants patching given its zero-privilege attack vector.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables attackers who have already achieved renderer process compromise to escape certain navigation-level security controls via a crafted HTML page. The flaw resides in the PageInfo component, which handles page metadata, security indicators, and related navigation policy enforcement, and fails to adequately validate attacker-controlled input passed from a compromised renderer. With an EPSS of 0.22% (13th percentile), no CISA KEV listing, and a Chromium-internal severity of Low, real-world exploitation risk is currently low despite the CVSS 6.5 medium rating.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Process memory disclosure in Google Chrome's Dawn WebGPU component (versions prior to 150.0.7871.47) enables remote attackers to read potentially sensitive data from the browser's process memory by luring a victim to a crafted HTML page. The flaw is categorized under CWE-284 (Improper Access Control) within the Dawn graphics abstraction layer, which underpins Chrome's WebGPU implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and Google's own Chromium security team rates the severity as Low despite the NVD CVSS score of 6.5.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the browser's Parser component, allowing a remote unauthenticated attacker to circumvent CSP protections via a crafted HTML page. The attacker achieves limited integrity impact (I:L) - able to load or execute content that a properly enforced CSP would block - but gains no confidentiality or availability impact. EPSS is low at 0.22% (13th percentile), no active exploitation has been confirmed (not in CISA KEV), and Chromium internally rated this Low severity, making it a real but low-priority finding.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's FedCM (Federated Credential Management) implementation allows remote attackers to perform limited cross-origin integrity manipulation by luring a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. With an EPSS of 0.18% (8th percentile), no CISA KEV listing, and no public exploit identified, this represents a low-probability exploitation scenario despite being trivially deliverable via a web page.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 allows a remote attacker to circumvent network-layer policy enforcement by inducing a user to visit a specially crafted HTML page. Rooted in CWE-602 (client-side enforcement of server-side security), the flaw means Chrome's network policy checks governing navigation can be subverted client-side, yielding a low-integrity impact with no confidentiality or availability consequence. No public exploit has been identified and the EPSS exploitation probability stands at 0.18% (8th percentile), consistent with Chromium's own 'Low' severity rating - this is a low-urgency but genuine policy-enforcement gap.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

FileSystem policy enforcement bypass in Google Chrome prior to version 150.0.7871.47 allows a remote attacker to circumvent discretionary access control via a crafted HTML page, resulting in limited unauthorized write operations within the browser's sandboxed filesystem scope. The vulnerability requires user interaction - the victim must navigate to a malicious page - and produces only an integrity impact (I:L) with no confidentiality or availability consequence. With an EPSS of 0.18% (8th percentile) and no CISA KEV listing, real-world exploitation probability is very low; no public exploit has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 allows an attacker who socially engineers a victim into installing a crafted malicious extension to circumvent CSP protections, yielding limited integrity impact. CVSS UI:R and EPSS at 0.12% (2nd percentile) confirm this is a low-probability, user-interaction-dependent attack with no confidentiality or availability consequence. No KEV listing, no known POC, and Google's own 'Low' severity rating collectively position this as a low operational priority despite broad product prevalence.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CustomTabs component on Android (versions prior to 150.0.7871.47) permits remote attackers to perform limited cross-origin integrity violations by directing a victim to a crafted HTML page. The flaw is classified as CWE-346 (Origin Validation Error), meaning Chrome's CustomTabs implementation incorrectly validates or enforces origin boundaries when rendering attacker-controlled content. No active exploitation has been confirmed (not in CISA KEV) and the EPSS score of 0.18% (8th percentile) reflects very low observed exploitation probability, consistent with the Low severity rating assigned by the Chromium security team.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's GetUserMedia implementation prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to achieve limited cross-origin integrity impact by delivering a crafted HTML page to a victim. Chromium's own severity classification is Low, consistent with the CVSS 4.3 score and an EPSS exploitation probability of just 0.18% (8th percentile). No public exploit code and no active exploitation have been identified at time of analysis; Google has issued a remediated build in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient Bluetooth policy enforcement in Google Chrome prior to 150.0.7871.47 allows remote attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 Medium at NVD, though Chromium's own severity rating is 'Low,' suggesting Chrome's sandbox architecture limits practical memory exposure. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

WebXR implementation flaw in Google Chrome on Android prior to 150.0.7871.47 permits remote attackers to bypass navigation restrictions by delivering a crafted HTML page to a victim. The vulnerability is Android-specific and requires user interaction to trigger, constraining its reach. With no CISA KEV listing, no public exploit identified at time of analysis, and an EPSS of 0.18% (8th percentile), this represents a low-priority integrity issue that Google itself rates as Low severity.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. EPSS at 0.22% (13th percentile) indicates low near-term exploitation probability, and no active exploitation or public exploit code has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's WebView component on Android (all versions prior to 150.0.7871.47) allows remote unauthenticated attackers to circumvent enforcement of navigation policies via a specially crafted HTML page, producing high integrity impact with no confidentiality or availability consequence. The CVSS vector (PR:N, UI:R) confirms unauthenticated network exploitation gated on victim interaction, consistent with a social-engineering or malicious-redirect delivery. No public exploit exists and CISA has not added this to KEV; EPSS of 0.22% (13th percentile) and SSVC Exploitation:none collectively indicate low active exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient data validation in PDF in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient XML policy enforcement in Google Chrome on Android (prior to 150.0.7871.47) exposes process memory contents to remote attackers who can deliver a crafted HTML page. The flaw is classified under CWE-284 (Improper Access Control), allowing the browser's XML handling to bypass intended isolation boundaries and leak potentially sensitive in-process data - such as cookies, credentials, or other runtime state - to an attacker-controlled origin. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified at time of analysis, though the CVSS score of 6.5 (Medium) reflects meaningful real-world risk given the zero-authentication, high-confidentiality-impact profile.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in the Payments component of Google Chrome on Android prior to 150.0.7871.47 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a specially crafted HTML page, making this a user-interaction-dependent, network-delivered information disclosure. No active exploitation is confirmed (SSVC: Exploitation: none; not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the CVSS confidentiality impact is rated High due to the potential for process memory leakage.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Passwords component on Android prior to 150.0.7871.47 allows a remote attacker to extract potentially sensitive information from process memory. Exploitation requires luring a target user to visit a specially crafted HTML page, placing this squarely in the social-engineering-assisted drive-by category. No public exploit code has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) indicates meaningful credential exposure risk given Chrome's role as a primary password manager on Android devices.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient policy enforcement in Chrome's built-in Passwords subsystem (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to read potentially sensitive credential data from process memory via a crafted HTML page. This is a second-stage, chained information-disclosure flaw - not a standalone exploit - that bypasses Chrome's inter-process access boundaries to reach password manager data. No public exploit code has been identified at time of analysis, and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's Sharing feature on Android exposes sensitive page content to remote attackers who have already compromised the renderer process, exploitable via a crafted HTML page. All Chrome for Android builds prior to 150.0.7871.47 are affected; the fixed release is confirmed by Google's stable channel advisory. EPSS of 0.21% (11th percentile) and absence from CISA KEV indicate negligible observed exploitation pressure at time of analysis, though the high confidentiality impact and ubiquitous deployment of Chrome on Android make patching a clear priority.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to version 150.0.7871.47 enables remote attackers to circumvent browser policy enforcement via a crafted HTML page targeting the 'Actor' component. The flaw is rooted in CWE-602 (Client-Side Enforcement of Server-Side Security), where controls that should be authoritative are applied within the browser and can be subverted by an adversary-controlled page. EPSS at 0.22% (13th percentile) indicates low current exploitation probability, no public exploit code has been identified, and the vulnerability is not listed in CISA KEV; no public exploit identified at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's DevTools component on Android (all versions prior to 150.0.7871.47) allows a local attacker to circumvent policy-enforced browsing controls by delivering a crafted malicious file. The vulnerability is confined to Android - desktop Chrome is not in scope - and requires user interaction with the malicious file, substantially narrowing the realistic attack surface. No public exploit code exists and no active exploitation has been confirmed; an EPSS score of 0.14% (3rd percentile) corroborates low real-world exploitation probability at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (13th percentile) places exploitation likelihood well below the median, though the pre-compromised renderer prerequisite makes this a chained attack vector relevant primarily within multi-stage browser exploitation chains.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebView component on Android enables a remote attacker who has already compromised the renderer process to perform cross-origin integrity violations by serving a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. This is explicitly a chained attack requiring a pre-existing renderer compromise, making it a second-stage exploit rather than a standalone entry point. No public exploit code exists and no public exploitation has been confirmed at time of analysis.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials component allows remote attackers to violate cross-origin isolation guarantees via a crafted HTML page. Affected are all Chrome desktop releases prior to 150.0.7871.47 on all supported platforms. Exploitation requires user interaction (visiting an attacker-controlled page) and yields high integrity impact - enabling cross-origin state manipulation - with no confidentiality or availability consequence. No active exploitation is confirmed (not in CISA KEV), EPSS is low at 0.22% (13th percentile), and SSVC rates exploitation as none with partial technical impact; a vendor patch is available.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent extension policy enforcement and escape site isolation boundaries via a crafted HTML page. The root cause (CWE-602) is client-side enforcement of security policies in the Extensions subsystem that can be subverted once the renderer is under attacker control. No active exploitation has been confirmed - EPSS is 0.22% (13th percentile), SSVC rates exploitation as none and the attack as non-automatable - and a vendor-released patch is available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) allows a remote attacker to subvert browser-enforced navigation controls by luring a user into performing specific UI gestures on a crafted HTML page. Classified as CWE-20 (Improper Input Validation), the flaw undermines integrity by permitting unauthorized navigation that the browser is intended to block. No public exploit code exists and EPSS sits at 0.22% (13th percentile), indicating low observed exploitation probability; the vulnerability is not listed in CISA KEV.

Authentication Bypass Apple Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Chrome's built-in Passwords subsystem on macOS leaks sensitive process memory contents when a malicious file is processed, potentially exposing stored credentials or authentication tokens to a local attacker. All Google Chrome releases for Mac prior to 150.0.7871.47 are affected. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the confidentiality impact is rated High given the nature of the data at risk within the Passwords feature.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Omnibox on iOS (prior to 150.0.7871.47) enables a remote attacker to circumvent address bar security controls through insufficient input validation, contingent on user interaction with specific UI gestures during exposure to malicious network traffic. The integrity impact is rated High (I:H) with no confidentiality or availability impact, consistent with a content/navigation spoofing class of vulnerability. No public exploit code or CISA KEV listing has been identified; EPSS score of 0.20% (10th percentile) indicates low observed exploitation probability at time of analysis.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Safe Browsing implementation on iOS allows a remote, unauthenticated attacker to circumvent phishing and malicious-site protections via a specially crafted HTML page, affecting all Chrome for iOS versions prior to 150.0.7871.47. The flaw is classified as CWE-693 (Protection Mechanism Failure), meaning the Safe Browsing guard can be rendered ineffective rather than defeated through cryptographic or authentication means. No public exploit or CISA KEV listing has been identified, and the EPSS score of 0.23% (14th percentile) signals low current exploitation probability - but the zero-prerequisite network delivery and high integrity impact make this a meaningful risk for iOS users who have not updated.

Authentication Bypass Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Chromecast implementation (versions prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to circumvent navigation restrictions via a specially crafted HTML page. This is a post-compromise escalation primitive rather than a standalone entry point - the renderer must already be under attacker control, making this a link in an exploit chain rather than an initial access vector. No public exploit has been identified at time of analysis; EPSS at 0.23% (14th percentile) reflects very low observed exploitation probability, consistent with the chained-exploit requirement.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Authentication Bypass +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Glic feature (versions prior to 150.0.7871.47) enables remote attackers to circumvent policy enforcement controls by delivering a crafted HTML page that triggers insufficient validation logic. The flaw maps to CWE-602, meaning security enforcement intended to be authoritative is implemented client-side in a bypassable manner, resulting in high integrity impact with no confidentiality or availability consequence. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.22% (13th percentile) reflects low current exploitation probability.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a network-positioned attacker to circumvent browser-enforced navigation policies via a crafted HTML page. The attacker must occupy a privileged network position (e.g., man-in-the-middle) and requires user interaction with the malicious page, per the CVSS UI:R and the description's explicit network-position prerequisite. With an EPSS of 0.15% at the 5th percentile, no public exploit code, and no CISA KEV listing, exploitation probability is low - this is a medium-severity issue with a meaningful but situational attack barrier.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Isolated Web Apps (IWA) subsystem allows remote attackers to circumvent enforcement mechanisms via a specially crafted HTML page, resulting in high-integrity impact with no confidentiality or availability consequence. Affected versions are all Chrome releases prior to 150.0.7871.47. User interaction is required - the victim must visit the attacker-controlled page - and no public exploit or CISA KEV listing has been identified at time of analysis. The low EPSS score of 0.22% (13th percentile) reinforces that active exploitation is not currently observed.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebAppInstalls component allows remote attackers to compromise cross-origin integrity via a crafted HTML page, affecting all Chrome versions prior to 150.0.7871.47. The flaw stems from an inappropriate implementation (CWE-346, Origin Validation Error) in the PWA installation subsystem, enabling an attacker to perform unauthorized cross-origin writes or manipulations when a user visits attacker-controlled content. No public exploit identified at time of analysis, and the EPSS score of 0.23% (14th percentile) indicates low near-term exploitation probability, though the ubiquitous deployment of Chrome elevates aggregate exposure.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS score of 0.15% (4th percentile) - but the attack vector is unauthenticated and the integrity impact is significant for high-value targets on adversarial networks.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

GuestView policy enforcement in Google Chrome prior to 150.0.7871.47 can be subverted by an attacker who has already achieved renderer process compromise, allowing site isolation to be bypassed via a crafted HTML page. The flaw (CWE-602: Client-Side Enforcement of Server-Side Security) enables manipulation of cross-origin content or policy in embedded browsing contexts that Chrome's site isolation architecture is designed to protect. No public exploit code has been identified and EPSS places exploitation probability at 0.22% (13th percentile), consistent with the elevated prerequisite of a prior renderer compromise required to trigger this vulnerability.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome on Android prior to 150.0.7871.47 enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to break cross-origin security boundaries using a crafted HTML page. The root cause is CWE-346 (Origin Validation Error) in Chrome's Android-specific network implementation, meaning the network layer fails to enforce origin checks when requests originate from a compromised renderer context. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.22% at the 13th percentile reflects the high chaining complexity required.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. No public exploit has been identified at time of analysis and EPSS sits at 0.22% (13th percentile), placing this firmly in the category of a meaningful escalation primitive rather than a standalone mass-exploitation risk.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Discretionary access control bypass in Google Chrome for Android before 150.0.7871.47 lets a local attacker abuse the WebAppInstalls component through a crafted HTML page, undermining the platform's integrity and availability boundaries. Google rates the Chromium severity High and has shipped a fix in the Stable channel; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CSS implementation allows a remote, unauthenticated attacker to violate cross-origin integrity protections by luring a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. Google has released a patch; no active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.22% at the 13th percentile indicates low current exploitation probability.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. No public exploit code exists and CISA SSVC classifies exploitation status as none, but the high confidentiality impact and zero-privilege-required attack path make prompt patching advisable for enterprise-managed Chrome deployments.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. No public exploit exists at time of analysis and EPSS sits at 0.22% (13th percentile), indicating low near-term exploitation probability despite Chrome's enormous global footprint and Chromium's internal 'High' severity classification.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.

Authentication Bypass Apple Google +1
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

SSO enforcement bypass in n8n before 2.8.0 allows any authenticated SSO user to disable organization-wide SSO enforcement via the API, then register a local password credential, permanently decoupling their account from the identity provider. This defeats identity-provider-enforced MFA and enables persistent access that survives SSO policy changes or user deprovisioning in the IdP. No public exploit code has been identified at time of analysis, but the technique requires only a valid SSO session and knowledge of the relevant API endpoint.

Authentication Bypass N8n
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing UPDATE row-level security (RLS) policy on Capgo's build_requests table permits low-privileged API-key holders to perform unauthorized status updates against build pipeline records, corrupting build state by leaving rows permanently stuck in a pending state with null last_error values. Capgo versions before 12.128.2 on all platforms are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, exploitation requires only low-privilege network access with no additional complexity, making it a straightforward post-authentication integrity issue.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Capgo before 12.128.2 lets an authenticated attacker forge device records against any application by supplying an arbitrary org_id to POST /private/create_device, which the backend trusts without checking it matches the target app's owning organization. The CVSS 4.0 score of 7.1 reflects high integrity impact with low privileges required and no user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).

Authentication Bypass Flowise
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-origin request forgery via a hardcoded CORS wildcard in Flowise's text-to-speech endpoint (versions before 3.1.2) allows any malicious webpage to trigger TTS generation using a victim's stored credentials. The controller file `packages/server/src/controllers/text-to-speech/index.ts` unconditionally sets `Access-Control-Allow-Origin: *`, directly overriding the server's restrictive `getCorsOptions()` CORS policy for that route. No public exploit is identified at time of analysis, but the attack requires only basic web scripting skill given the straightforward CORS bypass mechanism.

Authentication Bypass Flowise
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege-bound authorization bypass in Capgo before 12.128.2 lets any authenticated user holding the app.create_channel permission overwrite existing channels by reusing their names, hijacking ownership and rewriting production channel configurations. The flaw stems from a logic mismatch between the existence-validation check and the upsert operation in the channel-creation endpoint, enabling tampering with live release channels. No public exploit identified at time of analysis; reported by VulnCheck with a vendor security advisory available.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrower app scope without any validation of scope compatibility, and to do so even for pending (not-yet-accepted) invitees. Because these malformed high-privilege bindings persist through invite acceptance, a nominally low-privilege user who accepts the invite gains unauthorized privileged app-level actions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited API key by supplying its identifier in the client-controlled x-limited-key-id header, which middlewareKey() trusts without checking ownership. Any low-privilege account can therefore read and act on resources belonging to other tenants across multiple API endpoints. No public exploit identified at time of analysis, though the flaw is trivially reproducible once the key-ID format is known.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. No public exploit has been identified at time of analysis, and the flaw discloses data only (no integrity or availability impact), but the CVSS 4.0 score of 8.7 reflects easy, unauthenticated, network-reachable confidentiality loss.

Authentication Bypass Capgo
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. Publicly available exploit code exists and a vendor patch is available; the issue is not listed in CISA KEV.

Authentication Bypass Yudao Cloud
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Unauthorized source code disclosure in GitHub Enterprise Server exposes private repository contents to any authenticated user on the instance, regardless of their actual repository permissions. The Copilot pull request description diff summary endpoint accepted cross-repository comparison ranges and rendered the resulting diff without verifying the requesting user held read access to the target repository - a missing authorization flaw (CWE-862) allowing lateral access to arbitrary private repositories. No active exploitation has been confirmed (not in CISA KEV), the issue was responsibly disclosed via GitHub's Bug Bounty program, and patches are available across four release branches.

Authentication Bypass Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Client-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an authenticated low-privileged user to bypass access controls and perform actions beyond their authorized role. The root cause (CWE-602) means security decisions are made in client-side logic rather than enforced on the server, enabling bypass via crafted API requests. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the high integrity impact (CVSS I:H) with low attack complexity poses meaningful risk in multi-tenant or role-segregated deployments.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.

Authentication Bypass IBM Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-tenant credential confusion in IBM Langflow OSS 1.0.0 through 1.10.0 lets an authenticated user manipulate the voice-mode shared cache so that other tenants' requests are processed with the wrong upstream API credentials, causing billing and accountability to be misattributed across tenant boundaries. The flaw (CWE-639) requires only low-privilege authentication and is rated critical (CVSS 9.6) because a scope change extends the impact to other users and upstream services. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass IBM Langflow
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.

Authentication Bypass IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.24%, 15th percentile), indicating exploitation has not yet become widespread.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 5.3
MEDIUM PATCH This Month

Credit double-spend via race condition in Paymenter allows any authenticated user with a non-zero credit balance to settle multiple invoices for the cost of one. The root cause is that `lockForUpdate()` in `app/Livewire/Invoices/Show.php` is called outside a database transaction, rendering the pessimistic lock a no-op in MySQL/MariaDB and leaving the read-check-deduct sequence unprotected against concurrent execution. Successful exploitation results in direct financial or resource loss to the platform operator as `ExtensionHelper::addPayment()` provisions services or digital goods for each winning request. No public exploit has been identified at time of analysis.

Authentication Bypass Race Condition PHP
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Sandbox property allowlist bypass in Twig's `column` filter allows template authors operating under `SourcePolicyInterface`-gated sandboxing to read any public or magic property of any object reachable in the render context, circumventing `SecurityPolicy::$allowedProperties` entirely. This is a residual bypass of CVE-2026-46635, exploitable only when three conditions coexist: `SourcePolicyInterface`-based sandbox mode, `column` present in `allowedFilters`, and attacker-controlled template authoring access. The global sandbox mode and direct attribute access paths are both unaffected, making this a targeted policy enforcement gap rather than a broad sandbox failure. No public exploit has been identified at time of analysis; the vendor-released patch is Twig v3.27.0.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox __toString() policy enforcement in Twig is bypassed via dynamic array mapping keys, allowing sandboxed template authors to invoke __toString() on arbitrary context objects without sandbox policy checks. This is a residual bypass of the previously patched CVE-2026-47732, rooted in ArrayExpression failing to declare dynamic mapping keys as string-coercion sites through CoercesChildrenToStringInterface. The reliable demonstrated impact is unauthorized disclosure of sensitive data returned by __toString() on objects that the sandbox was explicitly configured to protect - no public KEV listing exists, but a clear proof-of-concept is embedded in the advisory.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sandbox bypass in Twig 3.26.x allows string callables to circumvent the Closure-only restriction when applications use the deprecated `twig_array_some()` and `twig_array_every()` wrapper functions over a sandboxed Environment. The 3.26.0 source-policy hardening changed `CoreExtension::checkArrow()` to accept a boolean sandbox state, but the legacy wrappers in `src/Resources/core.php` were not updated, causing them to silently pass `false` for `$isSandboxed` and accept arbitrary string callables such as `'exec'` or `'system'` that the sandbox was designed to block. No public exploit has been identified at time of analysis, and impact is limited to the narrow subset of applications calling the deprecated wrappers with sandbox mode active.

Authentication Bypass PHP
NVD GitHub
CVSS 2.0
LOW POC PATCH Monitor

Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.

Authentication Bypass Jwt Attack Java
NVD GitHub
CVSS 8.8
HIGH PATCH This Week

{id} action yet executed by the restrictive /users list handler. No public exploit identified at time of analysis, but the technique is fully described in the AWS/GitHub advisory and trivially reproducible.

Authentication Bypass
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. Rated CVSS 8.5 (CWE-20); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Authentication Bypass Jeecgboot
NVD GitHub
Prev Page 12 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31263

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy