Authentication Bypass
Frappe versions prior to 15.98.0 and 14.100.0 contain an improper access control vulnerability that allows authenticated users to grant document permissions they do not possess to other users. An attacker with valid credentials could escalate privileges by sharing documents with elevated permissions, potentially exposing sensitive information or enabling unauthorized modifications. No patch is currently available.
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. No patch is currently available.
Premature token unlock in Graph Protocol Contracts versions before 3.0.0 allows authenticated users to bypass vesting restrictions and access locked tokens before their scheduled release date. An attacker with valid credentials can manipulate the vesting contract logic to drain funds that should remain locked, resulting in unauthorized token theft. A patch is available in version 3.0.0.
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain access to arbitrary SMS messages via a crafted company or tenant identifier parameter. [CVSS 8.1 HIGH]
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.
Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.
Cognix Platform's web API lacks authentication and authorization controls, enabling unauthenticated remote attackers to access restricted application functionality over the network. This vulnerability affects Tata Consultancy Services Cognix Recon Client v3.0 and poses a high risk due to its ease of exploitation and lack of authentication requirements. No patch is currently available.
Cognix Platform's password reset function fails to properly validate user permissions, enabling authenticated attackers to reset passwords for any user account through specially crafted requests. This broken access control vulnerability affects Cognix Recon Client v3.0 and carries high severity due to the potential for unauthorized account takeovers. No patch is currently available.
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.
Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.
Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 7.3 HIGH]
Auth bypass in device authentication module.
EC-CUBE administrative authentication can be bypassed by attackers possessing valid admin credentials, allowing them to circumvent multi-factor authentication protections and access the admin panel. This vulnerability (CVSS 6.5) affects administrators or high-privileged users whose credentials have been compromised, potentially enabling unauthorized administrative access.
Site Suggest plugin version 1.3.9 and earlier lacks proper access control checks, enabling unauthenticated remote attackers to access restricted functionality and modify data. The vulnerability affects installations without authentication requirements and could allow attackers to manipulate site suggestions or related content without authorization. No patch is currently available.
Frenify Guff versions 1.0.1 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information through improperly configured access controls. An attacker can exploit this flaw to read confidential data without authentication or user interaction. No patch is currently available for this vulnerability.
Unauthorized access in PixFort Core through version 3.2.22 allows authenticated attackers to bypass access control restrictions and modify system data due to improper authorization checks. An attacker with valid credentials could exploit this vulnerability to access or modify resources they should not have permission to interact with. No patch is currently available for this vulnerability.
Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons is affected by missing authorization (CVSS 6.5).
The SiteGuard WP Plugin for WordPress through version 1.7.9 contains a guessable CAPTCHA implementation that allows attackers to bypass security protections without authentication. This vulnerability enables attackers to circumvent the plugin's functionality controls and potentially gain unauthorized access to protected resources or perform actions that should be restricted.
Improper access control in e-plugins Directory Pro up to version 2.5.6 enables unauthenticated attackers to bypass authorization checks and gain unauthorized access to sensitive directory information. The vulnerability allows attackers to read, modify, or delete data depending on the misconfigured security levels without requiring authentication or user interaction. A patch is not currently available.
designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon contains a security vulnerability (CVSS 8.8).
Auth bypass in WeDesignTech Ultimate Booking Addon for WordPress.
designthemes DesignThemes Booking Manager designthemes-booking-manager is affected by missing authorization (CVSS 7.5).
designthemes DesignThemes Directory Addon designthemes-directory-addon is affected by missing authorization (CVSS 7.5).
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by missing authorization (CVSS 6.5).
WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro is affected by missing authorization (CVSS 7.5).
Inseri Core versions up to 1.0.5 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability has a CVSS score of 5.3 and currently lacks a patch, putting deployments at risk until remediation is available.
Themeum Tutor LMS through version 3.9.5 contains an authorization bypass that allows authenticated users to modify content they should not have access to due to improper access control validation. An attacker with valid credentials can exploit this vulnerability to alter course materials and settings without proper permission checks. No patch is currently available for this medium-severity issue.
ESC/POS printer control language lacks authentication/authorization. Any device on the network can send print commands.
Improper access control in Ruby's ThemeRuby Easy Post Submission plugin through version 2.2.0 allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized read access to sensitive data. The vulnerability stems from misconfigured security levels that fail to properly enforce access restrictions on protected functionality. No patch is currently available for affected installations.
Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.
BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon is affected by missing authorization (CVSS 7.5).
Pingora's default HTTP cache key implementation excludes the host header when generating cache keys, allowing attackers to poison the cache and serve cross-origin responses to victims. This affects deployments using the default CacheKey implementation in multi-tenant environments, where an attacker could cause users from one tenant to receive cached responses belonging to another tenant. No patch is currently available for this high-severity vulnerability.
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. A patch is available in version 4.12.4 and later.
JWT authentication bypass in pac4j-jwt before 4.5.9/5.7.9/6.3.3 when processing encrypted JWTs. PoC available.
Vaultwarden versions up to 1.35.4 are affected by authorization bypass through user-controlled key (CVSS 5.4).
Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA protections on sensitive operations, enabling unauthorized access to API keys and destructive actions against vaults and organizations. Public exploit code exists for this vulnerability, which affects the unofficial Bitwarden-compatible server and currently lacks an available patch. Attackers with legitimate account credentials can escalate privileges to perform administrative actions typically restricted by 2FA controls.
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Dell Device Management Agent versions before 26.02 suffer from an authorization bypass that allows local attackers with low privileges to escalate their access on affected systems. The vulnerability stems from improper privilege validation and requires only local access with no user interaction to exploit. No patch is currently available for this issue.
Unauthenticated auth bypass in Cisco FMC web interface. CVSS 10.0.
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. [CVSS 8.2 HIGH]
Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. [CVSS 8.2 HIGH]
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. [CVSS 8.2 HIGH]
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. [CVSS 8.2 HIGH]
Unauthenticated attackers can trigger activation emails for pending user accounts in Craft CMS versions prior to 5.9.0-beta.2 and 4.17.0-beta.2 by exploiting an unprotected endpoint that lacks permission checks. If an attacker controls the target user's email address, they can complete account activation and gain unauthorized system access. A patch is available in the latest beta versions.
Craft CMS prior to versions 5.9.0-beta.1 and 4.17.0-beta.1 fails to properly authorize the "Duplicate" entry action, allowing authenticated users to bypass UI restrictions and duplicate entries via direct requests. An attacker with minimal "View Entries" permissions can exploit predictable, incremental Entry IDs to brute-force and duplicate other users' restricted content, gaining unauthorized access to sensitive data. Public exploit code exists for this vulnerability.
Craft CMS prior to versions 4.17.0-beta.1 and 5.9.0-beta.1 allows users with entry creation permissions to arbitrarily assign authorship of new entries to any user, including administrators, through mass assignment of the authorId parameter. Public exploit code exists for this vulnerability, enabling attackers to spoof entry authorship and manipulate content attribution. The vulnerability is fixed in the specified beta releases.
Craft is a content management system (CMS). [CVSS 7.5 HIGH]
Arubaos contains a vulnerability that allows attackers to bypass Layer 2 (L2) communication restrictions between clients and redirect traf (CVSS 4.3).
Improper cryptographic validation in ArubaOS Wi-Fi encryption allows adjacent network attackers to forge authenticated frames by spoofing the primary BSSID and inject tampered data to targeted clients without authentication. This medium-severity flaw (CVSS 5.4) bypasses standard encryption separation between wireless endpoints, enabling data manipulation on affected networks. No patch is currently available.
Dell Device Management Agent versions before 26.02 store passwords in plaintext, allowing high-privileged local attackers to gain unauthorized access to sensitive systems. The vulnerability requires administrative-level access and local presence but poses a confidentiality risk to affected deployments. No patch is currently available.
Access Commander contains a vulnerability that allows attackers to bypass password policy for backup file encryption (CVSS 7.2).
Data loss in Checkmk versions before 2.4.0p23, 2.3.0p43, and 2.2.0 results from a logic error in the remove_password() function that allows low-privileged users to delete sensitive information. An authenticated attacker can exploit this vulnerability to cause unintended data loss without requiring user interaction. No patch is currently available for affected deployments.
The server certificate was not verified when an Arc agent connected to a Guardian or CMC. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. [CVSS 6.5 MEDIUM]
Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and versions 9.11.0.0 through 9.12.0.1, contains an external control of system or configuration setting vulnerability. [CVSS 3.4 LOW]
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME certificates with whitespace characters in email addresses, enabling attackers to forge digital signatures and impersonate legitimate senders. This integrity bypass affects organizations relying on SEPPmail for secure email validation and could undermine trust in digitally signed communications. No patch is currently available for affected installations.
Missing authentication in Apache ActiveMQ Artemis. Unauthenticated remote attacker can access message broker. EPSS 0.20%.
Local privilege escalation in IDC SFX2100 Satellite Receiver firmware stems from a hardcoded root password hash stored in the installation configuration file that is vulnerable to offline dictionary attacks. An attacker with low-privileged local access can exploit this weak credential to escalate to root, though no patch is currently available. The vulnerability requires prior system compromise but provides a reliable path to full administrative control on affected devices.
Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.
Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.
Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.
Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.
Missing authorization in OpenText Filr allows auth bypass via XSRF tokens.
Homebox prior to version 0.24.0 fails to validate the TrustProxy configuration setting, allowing attackers to bypass authentication rate limiting by forging the X-Real-IP header on direct connections. This enables an attacker to attempt unlimited authentication attempts by spoofing a different IP address for each request, compromising both confidentiality and integrity of the system. The vulnerability affects all Homebox installations where the TrustProxy option is disabled or misconfigured.
Azure AD auth bypass in Devolutions Server 2025.3.15.0 and earlier.
Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.
Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.
The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device.
Brocade Active Support Connectivity Gateway versions up to 3.4.0 contain a vulnerability that allows an unauthorized user to perform ASCG operations related to Brocade Support Link (CVSS 8.8).
Incorrect access control in the VNC component of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to access the HMI system. [CVSS 6.5 MEDIUM]
Auth bypass in Weintek cMT-3072XH2 authorization mechanism.
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded encryption key which could allow attackers to access sensitive information. [CVSS 5.3 MEDIUM]
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded password in the FTP protocol. [CVSS 7.5 HIGH]
Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows unauthenticated attackers to download arbitrary files. [CVSS 7.5 HIGH]
Tranzman versions up to 4.0 are affected by insufficient verification of data authenticity (CVSS 7.2).
Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files. [CVSS 7.2 HIGH]
WatchGuard Fireware OS contains a filesystem integrity bypass vulnerability in versions 12.0-12.11.7, 12.5.9-12.5.16, and 2025.1-2026.1.1 that allows authenticated attackers with high privileges to deploy malicious firmware updates and establish limited persistence on affected appliances. An attacker could circumvent security checks designed to validate firmware authenticity, though currently no patch is available.
A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns use...
Auth bypass in All-in-One Microsoft 365 SSO WordPress plugin.
Nocodb versions up to 0.301.3 are affected by authorization bypass through user-controlled key (CVSS 6.3).
In ExtremeCloud IQ - Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses.
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. [CVSS 7.1 HIGH]
A remote authentication bypass vulnerability exists in HPE AutoPass License Server (APLS).
SimStudio has a second authorization flaw in the OAuth token endpoint that allows privilege escalation through crafted token requests.
The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users. [CVSS 7.5 HIGH]
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials.
Frappe versions prior to 15.98.0 and 14.100.0 contain an improper access control vulnerability that allows authenticated users to grant document permissions they do not possess to other users. An attacker with valid credentials could escalate privileges by sharing documents with elevated permissions, potentially exposing sensitive information or enabling unauthorized modifications. No patch is currently available.
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. No patch is currently available.
Premature token unlock in Graph Protocol Contracts versions before 3.0.0 allows authenticated users to bypass vesting restrictions and access locked tokens before their scheduled release date. An attacker with valid credentials can manipulate the vesting contract logic to drain funds that should remain locked, resulting in unauthorized token theft. A patch is available in version 3.0.0.
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter. [CVSS 8.1 HIGH]
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.
Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.
Cognix Platform's web API lacks authentication and authorization controls, enabling unauthenticated remote attackers to access restricted application functionality over the network. This vulnerability affects Tata Consultancy Services Cognix Recon Client v3.0 and poses a high risk due to its ease of exploitation and lack of authentication requirements. No patch is currently available.
Cognix Platform's password reset function fails to properly validate user permissions, enabling authenticated attackers to reset passwords for any user account through specially crafted requests. This broken access control vulnerability affects Cognix Recon Client v3.0 and carries high severity due to the potential for unauthorized account takeovers. No patch is currently available.
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.
Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.
Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 7.3 HIGH]
Auth bypass in device authentication module.
EC-CUBE administrative authentication can be bypassed by attackers possessing valid admin credentials, allowing them to circumvent multi-factor authentication protections and access the admin panel. This vulnerability (CVSS 6.5) affects administrators or high-privileged users whose credentials have been compromised, potentially enabling unauthorized administrative access.
Site Suggest plugin version 1.3.9 and earlier lacks proper access control checks, enabling unauthenticated remote attackers to access restricted functionality and modify data. The vulnerability affects installations without authentication requirements and could allow attackers to manipulate site suggestions or related content without authorization. No patch is currently available.
Frenify Guff versions 1.0.1 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to access sensitive information through improperly configured access controls. An attacker can exploit this flaw to read confidential data without authentication or user interaction. No patch is currently available for this vulnerability.
Unauthorized access in PixFort Core through version 3.2.22 allows authenticated attackers to bypass access control restrictions and modify system data due to improper authorization checks. An attacker with valid credentials could exploit this vulnerability to access or modify resources they should not have permission to interact with. No patch is currently available for this vulnerability.
Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons is affected by missing authorization (CVSS 6.5).
The SiteGuard WP Plugin for WordPress through version 1.7.9 contains a guessable CAPTCHA implementation that allows attackers to bypass security protections without authentication. This vulnerability enables attackers to circumvent the plugin's functionality controls and potentially gain unauthorized access to protected resources or perform actions that should be restricted.
Improper access control in e-plugins Directory Pro up to version 2.5.6 enables unauthenticated attackers to bypass authorization checks and gain unauthorized access to sensitive directory information. The vulnerability allows attackers to read, modify, or delete data depending on the misconfigured security levels without requiring authentication or user interaction. A patch is not currently available.
designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon contains a security vulnerability (CVSS 8.8).
Auth bypass in WeDesignTech Ultimate Booking Addon for WordPress.
designthemes DesignThemes Booking Manager (designthemes-booking-manager) is affected by missing authorization (CVSS 7.5).
designthemes DesignThemes Directory Addon (designthemes-directory-addon) is affected by missing authorization (CVSS 7.5).
kamleshyadav WP Bakery Autoresponder Addon (vc-autoresponder-addon) is affected by missing authorization (CVSS 6.5).
WebCodingPlace Responsive Posts Carousel Pro (responsive-posts-carousel-pro) is affected by missing authorization (CVSS 7.5).
Inseri Core versions up to 1.0.5 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability has a CVSS score of 5.3 and currently lacks a patch, putting deployments at risk until remediation is available.
Themeum Tutor LMS through version 3.9.5 contains an authorization bypass that allows authenticated users to modify content they should not have access to due to improper access control validation. An attacker with valid credentials can exploit this vulnerability to alter course materials and settings without proper permission checks. No patch is currently available for this medium-severity issue.
The ESC/POS printer control language has no authentication or authorization; any host that can reach a printer's network port can send it print commands.
Improper access control in Ruby's ThemeRuby Easy Post Submission plugin through version 2.2.0 allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized read access to sensitive data. The vulnerability stems from misconfigured security levels that fail to properly enforce access restrictions on protected functionality. No patch is currently available for affected installations.
Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.
BuddhaThemes WeDesignTech Ultimate Booking Addon (wedesigntech-ultimate-booking-addon) is affected by missing authorization (CVSS 7.5).
Pingora's default HTTP cache key implementation excludes the host header when generating cache keys, allowing attackers to poison the cache and serve cross-origin responses to victims. This affects deployments using the default CacheKey implementation in multi-tenant environments, where an attacker could cause users from one tenant to receive cached responses belonging to another tenant. No patch is currently available for this high-severity vulnerability.
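The following is an added example, not Pingora's code, of the cache-key mistake described above: a toy response cache with two key functions, one that omits the Host header (the flawed shape) and one that includes it. The tenant origin, the request objects and the host names are constructed for the demonstration.

```javascript
// Added example: a minimal HTTP response cache keyed by a pluggable function.
// pathOnlyKey reproduces the flaw (Host is not part of the key), so two
// tenants sharing a path collide on one entry; hostAwareKey is the fix.
class ResponseCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.store = new Map();
  }

  // Return the cached body for this request's key, or fetch it from the origin
  // and cache it under that key.
  fetch(req, origin) {
    const key = this.keyFn(req);
    if (this.store.has(key)) {
      return { body: this.store.get(key), hit: true };
    }
    const body = origin(req);
    this.store.set(key, body);
    return { body, hit: false };
  }
}

// Flawed: the key ignores which tenant (Host) the request was for.
const pathOnlyKey = (req) => `${req.method} ${req.path}`;

// Corrected: the host is part of the key, lower-cased so "Victim.Example" and
// "victim.example" do not become two entries for the same tenant.
const hostAwareKey = (req) => `${req.method} ${req.host.toLowerCase()} ${req.path}`;

// Constructed multi-tenant origin: each tenant serves its own content.
function tenantOrigin(req) {
  return `content for ${req.host}${req.path}`;
}

// An attacker primes the cache through their own tenant, then a victim on a
// different tenant requests the same path. Returns what the victim receives.
function victimSees(keyFn) {
  const cache = new ResponseCache(keyFn);
  cache.fetch({ method: 'GET', host: 'attacker.example', path: '/app.js' }, tenantOrigin);
  return cache.fetch({ method: 'GET', host: 'victim.example', path: '/app.js' }, tenantOrigin);
}
```

With pathOnlyKey the victim gets the attacker's cached body (a cache hit); with hostAwareKey the victim's request misses and is served from their own tenant.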
Hono versions prior to 4.12.4 suffer from an authentication bypass in serveStatic when combined with route-based middleware protections due to inconsistent URL decoding between the router and file serving components. An unauthenticated remote attacker can exploit this mismatch by encoding slashes (%2F) in request paths to access protected static resources that should be restricted by middleware rules. A patch is available in version 4.12.4 and later.
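The following is an added example, not Hono's implementation, that reproduces the class of bug described above: an auth guard that matches the raw request path while the static handler percent-decodes before lookup, so "/static/private%2Fsecret.txt" slips past the guard yet resolves to the protected file. The hardened variant canonicalizes once and uses that one form for both the guard and the lookup. FILES and PROTECTED_PREFIX are constructed stand-ins for the served directory and the middleware rule.

```javascript
// Constructed in-memory stand-in for the static directory.
const FILES = {
  '/static/private/secret.txt': 'TOP SECRET',
  '/static/index.html': '<h1>hello</h1>',
};

// Constructed stand-in for the route-based middleware rule.
const PROTECTED_PREFIX = '/static/private/';

// Percent-decode and resolve "." / ".." segments. Returns null for malformed
// escapes or for a path that climbs above the root.
function canonicalize(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null;
  }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return '/' + out.join('/');
}

// Look up an already-canonical path; never decodes again, so "%2525" cannot
// be decoded twice into something different.
function lookup(canonicalPath) {
  if (canonicalPath === null) return { status: 400, body: null };
  const body = FILES[canonicalPath];
  return body === undefined ? { status: 404, body: null } : { status: 200, body };
}

// Static handler that decodes on its own, as file servers commonly do.
function serveStatic(rawPath) {
  return lookup(canonicalize(rawPath));
}

// Vulnerable pipeline: the guard inspects the raw path, the handler a decoded one.
function vulnerableHandle(rawPath, authenticated) {
  if (rawPath.startsWith(PROTECTED_PREFIX) && !authenticated) {
    return { status: 401, body: null };
  }
  return serveStatic(rawPath);
}

// Hardened pipeline: canonicalize once, then guard and serve on that one form.
function hardenedHandle(rawPath, authenticated) {
  const canonical = canonicalize(rawPath);
  if (canonical === null) return { status: 400, body: null };
  if (canonical.startsWith(PROTECTED_PREFIX) && !authenticated) {
    return { status: 401, body: null };
  }
  return lookup(canonical);
}
```

The point to check in any framework is that the guard and the file resolver see the same representation of the path; a guard that runs before decoding, or a resolver that decodes a second time, reintroduces the mismatch.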
JWT authentication bypass in pac4j-jwt before 4.5.9/5.7.9/6.3.3 when processing encrypted JWTs. PoC available.
Vaultwarden versions up to 1.35.4 are affected by authorization bypass through a user-controlled key (CVSS 5.4).
Two-factor authentication bypass in Vaultwarden 1.34.3 and earlier allows authenticated attackers to circumvent 2FA protections on sensitive operations, enabling unauthorized access to API keys and destructive actions against vaults and organizations. Public exploit code exists for this vulnerability, which affects the unofficial Bitwarden-compatible server and currently lacks an available patch. Attackers with legitimate account credentials can escalate privileges to perform administrative actions typically restricted by 2FA controls.
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Dell Device Management Agent versions before 26.02 suffer from an authorization bypass that allows local attackers with low privileges to escalate their access on affected systems. The vulnerability stems from improper privilege validation and requires only local access with no user interaction to exploit. No patch is currently available for this issue.
Unauthenticated auth bypass in Cisco FMC web interface. CVSS 10.0.
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. [CVSS 8.2 HIGH]
Simple Job Script contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the app_id parameter. [CVSS 8.2 HIGH]
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the job_id parameter. [CVSS 8.2 HIGH]
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. [CVSS 8.2 HIGH]
Unauthenticated attackers can trigger activation emails for pending user accounts in Craft CMS versions prior to 5.9.0-beta.2 and 4.17.0-beta.2 by exploiting an unprotected endpoint that lacks permission checks. If an attacker controls the target user's email address, they can complete account activation and gain unauthorized system access. A patch is available in the latest beta versions.
Craft CMS prior to versions 5.9.0-beta.1 and 4.17.0-beta.1 fails to properly authorize the "Duplicate" entry action, allowing authenticated users to bypass UI restrictions and duplicate entries via direct requests. An attacker with minimal "View Entries" permissions can exploit predictable, incremental Entry IDs to brute-force and duplicate other users' restricted content, gaining unauthorized access to sensitive data. Public exploit code exists for this vulnerability.
Craft CMS prior to versions 4.17.0-beta.1 and 5.9.0-beta.1 allows users with entry creation permissions to arbitrarily assign authorship of new entries to any user, including administrators, through mass assignment of the authorId parameter. Public exploit code exists for this vulnerability, enabling attackers to spoof entry authorship and manipulate content attribution. The vulnerability is fixed in the specified beta releases.
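The following is an added example, not Craft CMS code, of the mass-assignment pattern behind the authorship flaw above: a handler that spreads the whole request body onto the new entry (so a client-supplied authorId wins) beside one that accepts only an allowlist of client-settable fields, takes the author from the session, and requires a separate permission for reassigning authorship. The session, user IDs and request bodies are constructed.

```javascript
// Constructed session for a low-privileged user who may create entries.
const SESSION = { userId: 42, canCreateEntries: true, isAdmin: false };
const ADMIN_ID = 1;

// Vulnerable: every key in the body, authorId included, lands on the entry.
function createEntryVulnerable(session, body) {
  if (!session.canCreateEntries) throw new Error('forbidden');
  return { id: 1001, authorId: session.userId, ...body };
}

// Fields a client is allowed to set on creation. Anything else (authorId, id,
// status, ...) is server-controlled and ignored if present in the body.
const CLIENT_SETTABLE = new Set(['title', 'slug', 'body']);

// Hardened: copy only allowlisted fields; authorship comes from the session.
function createEntryHardened(session, body) {
  if (!session.canCreateEntries) throw new Error('forbidden');
  const entry = { id: 1001, authorId: session.userId };
  const ignored = [];
  for (const [key, value] of Object.entries(body)) {
    if (CLIENT_SETTABLE.has(key)) {
      entry[key] = value;
    } else {
      ignored.push(key); // worth logging: an unexpected key may be a probe
    }
  }
  return { entry, ignored };
}

// Changing authorship is a distinct privileged operation with its own check.
function reassignAuthor(session, entry, newAuthorId) {
  if (!session.isAdmin) throw new Error('forbidden');
  return { ...entry, authorId: newAuthorId };
}
```

A body such as { title: 'x', authorId: 1 } attributes the entry to the administrator in the vulnerable handler and to the session user in the hardened one, with authorId reported as ignored.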
Craft is a content management system (CMS). [CVSS 7.5 HIGH]
ArubaOS contains a vulnerability that allows attackers to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic (CVSS 4.3).
Improper cryptographic validation in ArubaOS Wi-Fi encryption allows adjacent network attackers to forge authenticated frames by spoofing the primary BSSID and inject tampered data to targeted clients without authentication. This medium-severity flaw (CVSS 5.4) bypasses standard encryption separation between wireless endpoints, enabling data manipulation on affected networks. No patch is currently available.
Dell Device Management Agent versions before 26.02 store passwords in plaintext, allowing high-privileged local attackers to gain unauthorized access to sensitive systems. The vulnerability requires administrative-level access and local presence but poses a confidentiality risk to affected deployments. No patch is currently available.
Access Commander contains a vulnerability that allows attackers to bypass password policy for backup file encryption (CVSS 7.2).
Data loss in Checkmk versions before 2.4.0p23, 2.3.0p43, and 2.2.0 results from a logic error in the remove_password() function that allows low-privileged users to delete sensitive information. An authenticated attacker can exploit this vulnerability to cause unintended data loss without requiring user interaction. No patch is currently available for affected deployments.
The server certificate was not verified when an Arc agent connected to a Guardian or CMC. A malicious actor could perform a man-in-the-middle attack and intercept the communication between the Arc agent and the Guardian or CMC. [CVSS 6.5 MEDIUM]
Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and versions 9.11.0.0 through 9.12.0.1, contains an external control of system or configuration setting vulnerability. [CVSS 3.4 LOW]
SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME certificates with whitespace characters in email addresses, enabling attackers to forge digital signatures and impersonate legitimate senders. This integrity bypass affects organizations relying on SEPPmail for secure email validation and could undermine trust in digitally signed communications. No patch is currently available for affected installations.
Missing authentication in Apache ActiveMQ Artemis. An unauthenticated remote attacker can access the message broker. EPSS 0.20%.
Local privilege escalation in IDC SFX2100 Satellite Receiver firmware stems from a hardcoded root password hash stored in the installation configuration file that is vulnerable to offline dictionary attacks. An attacker with low-privileged local access can exploit this weak credential to escalate to root, though no patch is currently available. The vulnerability requires prior system compromise but provides a reliable path to full administrative control on affected devices.
Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.
Missing authorization in OpenText Filr allows auth bypass via XSRF tokens.
Homebox prior to version 0.24.0 fails to validate the TrustProxy configuration setting, allowing attackers to bypass authentication rate limiting by forging the X-Real-IP header on direct connections. This enables an attacker to attempt unlimited authentication attempts by spoofing a different IP address for each request, compromising both confidentiality and integrity of the system. The vulnerability affects all Homebox installations where the TrustProxy option is disabled or misconfigured.
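The following is an added example, not Homebox's code, of client-IP resolution for a login rate limiter. resolveClientIpVulnerable() honors X-Real-IP unconditionally, which is the behaviour the advisory describes; resolveClientIp() honors forwarding headers only when trustProxy is enabled and the direct peer is one of the configured proxies, and it picks the client from the right end of X-Forwarded-For past the proxies it operates. The request objects, addresses and the trustedProxies option are constructed for the demonstration.

```javascript
// Rough syntactic check that a header value is an IPv4 or IPv6 literal.
function isIpLiteral(s) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(s) || (s.includes(':') && /^[0-9a-fA-F:.]+$/.test(s));
}

// Vulnerable: whoever sets the header chooses the identity the limiter keys on.
function resolveClientIpVulnerable(req) {
  return req.headers['x-real-ip'] || req.remoteAddress;
}

// Hardened: forwarding headers are believed only from a configured proxy.
function resolveClientIp(req, { trustProxy = false, trustedProxies = [] } = {}) {
  const peer = req.remoteAddress;
  if (!trustProxy || !trustedProxies.includes(peer)) return peer;
  const chain = (req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // Walk right to left past hops we operate; the first hop we do not trust is
  // the client. Anything further left was written by the client and is untrusted.
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(chain[i])) {
      return isIpLiteral(chain[i]) ? chain[i] : peer;
    }
  }
  return peer;
}

// Fixed-window counter keyed by whatever identity the resolver returns.
class LoginRateLimiter {
  constructor(maxAttempts) {
    this.max = maxAttempts;
    this.counts = new Map();
  }
  allow(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.max;
  }
}

// One peer sends `attempts` login requests directly (no proxy), each carrying a
// different spoofed X-Real-IP. Returns how many the limiter let through.
function spoofedAttemptsAllowed(resolver, attempts, max = 5) {
  const limiter = new LoginRateLimiter(max);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const req = { remoteAddress: '203.0.113.9', headers: { 'x-real-ip': `10.0.0.${i}` } };
    if (limiter.allow(resolver(req))) allowed++;
  }
  return allowed;
}
```

With the vulnerable resolver every spoofed attempt is counted against a fresh key and none are blocked; with the hardened resolver and trustProxy off, all attempts key on the real peer and only the first five pass.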
Azure AD auth bypass in Devolutions Server 2025.3.15.0 and earlier.
Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.
Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.
The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device.
Brocade Active Support Connectivity Gateway (ASCG) versions up to 3.4.0 contain a vulnerability that allows an unauthorized user to perform ASCG operations related to Brocade Support Link (CVSS 8.8).
Incorrect access control in the VNC component of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to access the HMI system. [CVSS 6.5 MEDIUM]
Auth bypass in Weintek cMT-3072XH2 authorization mechanism.
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded encryption key which could allow attackers to access sensitive information. [CVSS 5.3 MEDIUM]
Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded password in the FTP protocol. [CVSS 7.5 HIGH]
Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows unauthenticated attackers to download arbitrary files. [CVSS 7.5 HIGH]
Tranzman versions up to 4.0 are affected by insufficient verification of data authenticity (CVSS 7.2).
Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files. [CVSS 7.2 HIGH]
WatchGuard Fireware OS contains a filesystem integrity bypass vulnerability in versions 12.0-12.11.7, 12.5.9-12.5.16, and 2025.1-2026.1.1 that allows authenticated attackers with high privileges to deploy malicious firmware updates and establish limited persistence on affected appliances. An attacker could circumvent security checks designed to validate firmware authenticity, though currently no patch is available.
A vulnerability was found in Dataease SQLBot up to 1.5.1 in the function validateEmbedded of the file backend/apps/system/middleware/auth.py (JWT Token Handler component). Manipulation results in improper verification of a cryptographic signature. The attack can be initiated remotely, is considered to have high complexity, and exploitation is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns use...
Auth bypass in All-in-One Microsoft 365 SSO WordPress plugin.
Nocodb versions up to 0.301.3 are affected by authorization bypass through a user-controlled key (CVSS 6.3).
In ExtremeCloud IQ - Site Engine (XIQ‑SE) before 26.2.10, a vulnerability in the NAC administration interface allows an authenticated NAC administrator to retrieve masked sensitive parameters from HTTP responses.
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. [CVSS 7.1 HIGH]
A remote authentication bypass vulnerability exists in HPE AutoPass License Server (APLS).
SimStudio has a second authorization flaw in the OAuth token endpoint that allows privilege escalation through crafted token requests.
The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users. [CVSS 7.5 HIGH]
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials.