Authentication Bypass

WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.

PowerSync Service 1.20.0 with config.edition: 3 fails to enforce subquery filters in sync streams, allowing authenticated users to access data that should be restricted based on their permissions. The vulnerability affects only configurations using unpartitioned subqueries for synchronization gating and is resolved in version 1.20.1. No patch is currently available for affected deployments.

Pocket ID versions prior to 2.4.0 fail to properly validate authorization codes at the OIDC token endpoint, enabling attackers with valid credentials to exchange codes across different clients or reuse expired codes. This authentication bypass affects any service relying on Pocket ID for passkey-based authentication and allows token acquisition without proper authorization. Public exploit code exists for this vulnerability, and no patch is currently available.

Tutor LMS Pro WordPress plugin has an authentication bypass enabling unauthenticated users to access premium learning content and admin functions.

SiYuan Note prior to version 3.5.10 contains an insufficient authorization flaw in the /api/block/appendHeadingChildren endpoint that allows authenticated users with read-only (RoleReader) privileges to modify notebook content by appending blocks to documents. The vulnerability exists because the endpoint applies only basic authentication checks instead of enforcing stricter administrative or read-only restrictions. Affected users should upgrade to version 3.5.10 or later, as no workaround is currently available and exploitation requires only network access and valid read-only credentials.

Misskey versions 10.93.0 through 2026.3.0 allow authenticated users to import arbitrary user data due to insufficient ownership validation, enabling attackers with knowledge of target file IDs to access other users' information. The vulnerability requires valid login credentials and knowledge of specific file identifiers, limiting its practical impact. No patch is currently available.

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryptographic signature.

Misskey is an open source, federated social media platform.

Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escalate privileges and perform unauthorized actions reserved for Tenant Admins and Owners. An authenticated attacker with Creator permissions can promote themselves to Tenant Admin, demote existing administrators, modify owner accounts, and manipulate organizational orders, resulting in complete tenant compromise. No patch is currently available for this high-severity vulnerability.

FreshRSS is a free, self-hostable RSS aggregator. From 57e1a37 - 00f2f04, the lengths of the nonce was changed from 40 chars to 64.

self-hostable RSS aggregator. versions up to 1.28.0 is affected by improper access control (CVSS 7.5).

Improper access control in Devolutions Server 2025.3.11.0 and earlier allows authenticated low-privileged users to restore deleted users and roles through crafted API requests, potentially enabling unauthorized account recovery and privilege escalation. Organizations running affected versions are at risk as attackers with basic authentication credentials can manipulate user and role restoration without proper authorization checks. No patch is currently available.

An incorrect access control vulnerability exists in Tenda W15E V02.03.01.26_cn. [CVSS 7.5 HIGH]

Keygraph Shannon's router component exposes a hard-coded API key that allows unauthenticated network attackers to intercept and proxy requests through the application when the router is enabled and accessible. Attackers can leverage this static credential to abuse upstream provider API resources and potentially access sensitive request/response data belonging to legitimate users. No patch is currently available for this vulnerability.

Universal Bacnet Router Firmware is affected by improper verification of cryptographic signature (CVSS 7.2).

Unauthorized file upload via wwwupload.cgi endpoint. Same product as CVE-2025-41764 — second unauthorized upload vector.

Unauthorized firmware upload via wwwupdate.cgi endpoint due to insufficient authorization. Remote attackers can upload and apply arbitrary firmware updates.

An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates. [CVSS 6.2 MEDIUM]

DoraCMS 3.0.x Email API endpoint /api/v1/mail/send contains an authentication bypass vulnerability that allows unauthenticated remote attackers to send emails and potentially access sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The flaw carries a CVSS score of 7.3 with moderate confidentiality, integrity, and availability impact.

Improper authentication in suitenumerique messages 0.2.0 allows authenticated remote attackers to bypass access controls on ThreadAccess objects via the ThreadAccessSerializer component, with public exploit code available. The vulnerability affects the serializer logic in src/backend/core/api/serializers.py and can be exploited by users with valid credentials to gain unauthorized access. Upgrading to version 0.3.0 resolves this issue.

WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.

Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).

Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.

ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]

Wallos prior to version 4.6.2 contains an authorization bypass allowing authenticated users to delete avatar files belonging to other users due to missing ownership verification on the avatar deletion endpoint. An attacker with valid credentials can enumerate or guess other users' avatar filenames to remove their files. Public exploit code exists for this vulnerability, and a patch is available in version 4.6.2 and later.

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification.

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.

Predictable session identifier generation in XikeStor SKS8310-8X network switch allows session hijacking even if the command injection (CVE-2026-25070) is patched.

Unauthenticated remote attackers can download sensitive configuration files from ZikeStor SKS8310-8X network switches (firmware 1.04.B07 and earlier) via an unprotected /switch_config.src endpoint, exposing VLAN settings and IP addressing details without requiring credentials. This HIGH severity vulnerability (CVSS 7.5) affects confidentiality of device configurations and currently has no available patch.

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched...

self-hostable file sharing platform that integrates with screenshot tools. versions up to 1.7.2 is affected by authorization bypass through user-controlled key.

OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.

OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]

Missing authorization in Vito server management before 3.20.3. CVSS 9.9.

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.

Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.

Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing characters, allowing attackers to bypass content-type restrictions and route requests to unintended parsers. When regex-based content-type parsing is enabled, requests with invalid Content-Type headers such as "application/json garbage" are processed normally instead of being rejected, potentially enabling request misrouting and manipulation of parser behavior. No patch is currently available for this medium-severity vulnerability affecting Fastify applications.

Auth bypass in Rocket.Chat before 7.10.8+. Second auth bypass CVE.

Auth bypass in Rocket.Chat before 7.8.6+. Multiple versions affected.

Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs. [CVSS 7.5 HIGH]

Charging station authentication credentials are exposed through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain valid authentication identifiers. An attacker with these credentials could gain unauthorized access to charging station networks and potentially manipulate charging operations or access connected infrastructure. No patch is currently available for this vulnerability.

WebSocket session handling in charging station backends allows multiple connections to use identical session identifiers, enabling attackers to hijack active sessions and impersonate legitimate stations without authentication. An adversary can intercept backend commands intended for a target charging station or launch denial-of-service attacks by flooding the backend with spoofed session requests. This vulnerability affects any system relying on this WebSocket implementation and currently lacks an available patch.

Charging station authentication credentials are exposed through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain sensitive authentication identifiers. An attacker with these credentials could potentially gain unauthorized access to charging infrastructure management systems or perform unauthorized operations on affected stations. No patch is currently available for this vulnerability.

Unrestricted authentication attempts against WebSocket APIs enable attackers to launch denial-of-service attacks that disrupt charger telemetry reporting or execute brute-force credential compromise attacks. This vulnerability affects systems relying on WebSocket-based authentication without rate limiting protections. No patch is currently available to address this threat.

Unrestricted authentication requests in the WebSocket API enable attackers to launch denial-of-service attacks against charger telemetry systems or execute brute-force attacks to gain unauthorized access. The vulnerability affects systems relying on this API without rate-limiting controls, and no patch is currently available. An unauthenticated remote attacker can exploit this over the network with minimal complexity to disrupt service availability or compromise system access.

WebSocket session management in charging station backends allows multiple connections using identical session identifiers, enabling attackers to hijack legitimate sessions and intercept commands or impersonate authorized stations. Unauthenticated remote attackers can exploit this predictable identifier scheme to displace active connections, redirect backend communications, or launch denial-of-service attacks against the charging infrastructure. The vulnerability affects any deployment relying on this WebSocket backend without an available patch.

Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS information, device identifiers, and service logs by sending HTTP requests to the unprotected API on port 8080. An attacker with network access can obtain this configuration and system information without any credentials, potentially facilitating further attacks against maritime navigation systems. No patch is currently available for this vulnerability.

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. [CVSS 8.2 HIGH]

GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]

Rank Math SEO PRO through version 3.0.95 contains an authorization bypass in its access control implementation that allows authenticated users to perform unauthorized modifications. An attacker with valid login credentials could exploit this misconfiguration to alter content or settings they should not have access to. No patch is currently available to address this vulnerability.

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts.

Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated permissions for file request management, despite lacking those privileges themselves. This affects deployments where no administrative users have access to the upload menu, enabling unauthorized users to create or modify file requests. No patch is currently available.

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

OneUptime versions 10.0.11 and earlier contain an improper WebAuthn implementation where server-side challenge validation is missing, allowing attackers with a captured assertion to replay valid authentication tokens indefinitely and bypass multi-factor authentication. The vulnerability affects authenticated users and requires only low privileges to exploit, with public exploit code already available. No patches are currently available for this high-severity flaw.

Kimai versions prior to 2.51.0 lack proper customer-level access controls in the invoice API endpoint, allowing any user with the TEAMLEAD role to enumerate and read all invoices across the entire system regardless of customer ownership. Public exploit code exists for this authorization bypass vulnerability, which can lead to unauthorized disclosure of sensitive financial and customer data. A patch is available in version 2.51.0 and should be applied immediately.

Talishar is a fan-made Flesh and Blood project. [CVSS 5.3 MEDIUM]

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated users to read, modify, or delete charts from other projects they shouldn't access. An attacker with valid credentials to any project can exploit this authorization bypass to manipulate arbitrary charts across the application. Public exploit code exists for this vulnerability, and no patch is currently available.

Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.

Integer overflow in TinyWeb before 2.03.

Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. [CVSS 4.3 MEDIUM]

Improper access control in Acronis Cyber Protect 17 (Linux and Windows) prior to build 41186 allows authenticated users to view sensitive information they should not have access to. The vulnerability requires valid credentials and network access but does not enable data modification or system availability impacts. No patch is currently available for this medium-severity disclosure risk.

Acronis Cyber Protect 17 prior to build 41186 contains insufficient access control validation that permits authenticated users to read sensitive data they should not have access to. The vulnerability affects both Linux and Windows deployments and requires valid credentials to exploit, limiting the attack surface to authenticated attackers. No patch is currently available.

Acronis Cyber Protect 17 (Linux, Windows) before build 41186 contains an improper access control vulnerability allowing authenticated users to delete reports they should not have permission to access. An attacker with valid credentials could exploit this to remove audit trails or other critical reports, potentially compromising compliance and forensic capabilities. No patch is currently available for this issue.

Acronis Cyber Protect 17 on Linux and Windows before build 41186 allows authenticated users to modify application settings due to inadequate authorization validation. An attacker with valid credentials could exploit this to alter configurations and potentially compromise system integrity or bypass security controls. No patch is currently available.

Acronis Cyber Protect 17 on Linux and Windows (before build 41186) fails to properly validate user permissions, allowing authenticated users to modify resources they should not have access to. The vulnerability requires valid credentials and does not enable remote code execution or denial of service, but could allow privilege escalation or unauthorized data manipulation within the application. No patch is currently available.

Unrestricted authentication attempts in the WebSocket API enable attackers to launch denial-of-service attacks against charger telemetry systems or execute brute-force credential compromise attempts without rate-limiting protections. Organizations operating connected charging infrastructure are vulnerable to service disruption and unauthorized access exploitation. No patch is currently available to remediate this vulnerability.

Charging station authentication credentials are exposed through public web-based mapping platforms, allowing unauthenticated remote attackers to obtain sensitive authentication identifiers. This exposure enables attackers to potentially gain unauthorized access to charging infrastructure and associated systems. No patch is currently available for this vulnerability.

WebSocket session handling in charging station backends accepts duplicate session identifiers, allowing attackers to hijack active sessions and intercept commands intended for legitimate stations or impersonate authenticated users. An unauthenticated remote attacker can exploit this predictable session management to displace legitimate connections, redirect backend communications, or launch denial-of-service attacks by flooding the system with valid session requests. No patch is currently available.

Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 5.5 MEDIUM]

Payment Orchestrator Service Elevation of Privilege Vulnerability [CVSS 8.6 HIGH]

Openclaw versions up to 2026.2.14 is affected by missing authentication for critical function (CVSS 6.5).

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 8.4).

OpenClaw prior to version 2026.2.14 fails to properly validate Telegram allowlist entries by accepting mutable usernames instead of immutable user IDs, enabling attackers to register recycled usernames and bypass access controls. An unauthenticated attacker can exploit this flaw to impersonate legitimate users and send unauthorized commands to OpenClaw bots. No patch is currently available.

Display name spoofing bypass in OpenClaw Nextcloud Talk plugin before 2026.2.6.

OpenClaw prior to version 2026.2.2 allows authenticated users with operator.write scope to bypass approval controls and resolve execution requests through a chat command that circumvents authorization checks. An attacker with this scope can approve or deny exec approval requests without having the required operator.approvals permission, effectively gaining unauthorized approval authority. A patch is available for affected installations.

Openclaw versions up to 2026.2.2 is affected by missing authentication for critical function (CVSS 8.1).

OpenClaw versions 2026.1.14-1 through 2026.2.1 with the Matrix plugin enabled fail to validate homeserver identity when checking direct message allowlists, allowing remote attackers to impersonate authorized users by spoofing display names or local identifiers from different homeservers. This bypass enables unauthorized access to routing and agent pipelines for authenticated Matrix users on remote servers. A patch is available in version 2026.2.2 and later.

Exec allowlist bypass in OpenClaw before 2026.2.2 via argument injection. Patch available.

Openclaw versions up to 2026.2.14 is affected by missing authentication for critical function (CVSS 7.7).

Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.

OpenClaw voice-call plugin versions before 2026.2.3 allow remote attackers to forge webhook events by exploiting improper authentication in reverse-proxy environments where forwarded headers are implicitly trusted. An unauthenticated attacker can manipulate Forwarded or X-Forwarded-* headers to bypass webhook verification and spoof legitimate events. A patch is available to address this authentication bypass vulnerability.

Openclaw versions up to 2026.2.1 is affected by missing authentication for critical function (CVSS 8.1).

Openclaw versions up to 2026.2.2 is affected by insufficient verification of data authenticity (CVSS 7.5).

OpenClaw versions before 2026.2.12 with the Nostr plugin enabled contain unauthenticated API endpoints that allow remote attackers to read and modify Nostr profiles without authentication when the gateway HTTP port is network-accessible. Attackers can exploit this to steal sensitive profile data, alter gateway configuration, and sign malicious Nostr events using the bot's private key. A patch is available for affected installations.

OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

Unauthorized file operations in File Browser before fix. PoC and patch available.