Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Rather than cracking passwords by brute force, an attacker manipulates the authentication process itself to gain entry. This typically occurs through one of several pathways: hardcoded or default credentials embedded in source code, firmware or configuration files; tampering with parameters in authentication requests so that verification steps are skipped; or broken session management that fails to bind a session to a verified identity. A related and very common class, and the one that dominates the CVE feed further down this page, is missing or incorrect authorization: the login itself works, but a logged-in user can reach functions or objects reserved for other users or for administrators.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely (an administrative route the framework forgot to protect, or a case or encoding variant that a path-based filter does not match), or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only some of the verification steps, for example the password but not the second factor, while still gaining full access.

More sophisticated variants exploit single sign-on (SSO), SAML or OAuth implementations where misconfigured trust relationships allow attackers to forge authentication assertions or to present assertions that were issued for a different application. Parameter tampering, such as changing a "role=user" field to "role=admin" in a request, can trick poorly designed systems into granting elevated access without further verification. Strictly, that last case is an authorization failure rather than an authentication one, since the user is who they claim to be; this page groups both under the same heading.
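
The two flaws just described, parameter tampering and step skipping in a multi-step login, in one miniature login flow. This is an added example written for this page, not code from any product named on it: the USERS table, the form field names and the endpoint functions are assumptions made for the illustration, and passwords are kept in clear only to keep the demo short.

```python
"""Added example (not from the page or any product it names): a server that
reads the user's role from the request (parameter tampering) and a two-step
login that does not record, server-side, which steps were completed (step
skipping), next to the hardened versions of both.
"""
import secrets

# Constructed sample accounts: username -> record (assumption for the demo).
USERS = {
    "alice": {"password": "correct horse", "role": "user", "mfa": "123456"},
    "root":  {"password": "s3cret!",       "role": "admin", "mfa": "654321"},
}

# Server-side session store: opaque token -> session state.
SESSIONS = {}


def _password_ok(user, supplied):
    # Constant-time compare; inputs are ASCII in this demo.
    return user is not None and secrets.compare_digest(user["password"], supplied or "")


# ---- vulnerable flow --------------------------------------------------------

def login_vulnerable(form):
    """Checks the password, then trusts the client-supplied 'role' field.
    POSTing role=admin with an ordinary user's password yields an admin session."""
    user = USERS.get(form.get("username"))
    if not _password_ok(user, form.get("password")):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": form["username"], "role": form.get("role", "user")}
    return token


def admin_panel_vulnerable(token):
    """Single-step login: whatever role the session says, it gets."""
    sess = SESSIONS.get(token)
    if sess is None:
        return 401
    return 200 if sess["role"] == "admin" else 403


# ---- hardened flow ----------------------------------------------------------

def login_step1(form):
    """Step 1: password. The role comes from the user record, never the form,
    and the session is explicitly marked as not yet fully authenticated."""
    user = USERS.get(form.get("username"))
    if not _password_ok(user, form.get("password")):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": form["username"], "role": user["role"], "mfa_ok": False}
    return token


def login_step2(token, form):
    """Step 2: second factor. Only a correct code flips the server-side flag."""
    sess = SESSIONS.get(token)
    if sess is None or sess.get("mfa_ok") is None:   # not a step-1 session
        return False
    expected = USERS[sess["user"]]["mfa"]
    if secrets.compare_digest(expected, form.get("code") or ""):
        sess["mfa_ok"] = True
        return True
    return False


def admin_panel(token):
    """Protected endpoint: refuses half-finished logins (401) and derives the
    privilege decision from server-side state only (403 for non-admins)."""
    sess = SESSIONS.get(token)
    if sess is None or not sess.get("mfa_ok", False):
        return 401
    return 200 if sess["role"] == "admin" else 403
```

The hardened endpoint asks the session store two separate questions, "is this login complete?" and "what may this user do?", and answers both from state the client never wrote. Nothing the client sends after step 1 can change the role, and calling the protected endpoint after step 1 alone is indistinguishable from not being logged in.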

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access to regulated data typically triggers breach notification requirements and can lead to regulatory penalties

Real-World Examples

CrushFTP suffered a critical flaw in which unauthenticated requests reached the server's template engine. The resulting server-side template injection allowed reading files outside the virtual file system, bypassing authentication to obtain administrative access and, from there, remote code execution. Attackers exploited it in the wild to establish persistent access to enterprise file servers.

Palo Alto Networks' Expedition migration tool contained a missing-authentication flaw that let a remote attacker reset the administrator credentials. This allowed complete takeover of the migration environment and exposed the network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Anyone who recovered these credentials from the software gained full administrative access to helpdesk systems holding sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — forces an attacker who has obtained or guessed a password to also defeat a second factor; note that MFA does not help when the flaw skips the login flow entirely, as with an unprotected endpoint or a hardcoded backdoor credential
  • Eliminate hardcoded and default credentials — load secrets from a credential management system at runtime, force a change of default passwords on first login, and scan source code, firmware and configuration files for embedded secrets
  • Enforce authentication on all endpoints — apply the check centrally (a router or middleware layer that denies by default) rather than per handler, so that no "hidden" administrative path or alternate route can be reached without a valid session
  • Implement proper session management — issue long random session tokens from a CSPRNG, validate every request against server-side session state, enforce idle and absolute timeouts, rotate tokens on login and privilege change, and never accept a refresh token where an access token is expected
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication and authorization logic: parameter tampering, step skipping in multi-step flows, direct access to post-login URLs, and token handling
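
The session-management item above made concrete. This is an added example written for this page, not code from the page or from any product it lists: the class, constants and method names are assumptions made for the illustration, and time is passed in explicitly so the behaviour can be tested. It shows opaque random tokens, server-side validation, idle and absolute expiry, short-lived access tokens with single-use refresh tokens, and refresh tokens refused wherever an access token is expected; the "tokens never expire" and "refresh token accepted for resource access" entries in the CVE feed below are exactly the properties this store rules out.

```python
"""Added example (not from the page or any product it lists): a server-side
token store with expiry, rotation and strict separation of access and
refresh tokens. All names and constants are assumptions for the demo.
"""
import hashlib
import secrets

ABSOLUTE_LIFETIME = 8 * 3600   # a login ends after this many seconds, however active
IDLE_TIMEOUT = 15 * 60         # a login ends if not refreshed within this many seconds
ACCESS_TTL = 300               # access tokens are short-lived; refresh to get a new one


class TokenStore:
    """All state is server-side; the client holds only opaque strings."""

    def __init__(self):
        self._rec = {}   # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Store a hash, not the token, so a dumped table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user, kind, now, ttl, linked=None, login_at=None):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._rec[self._key(token)] = {
            "user": user, "kind": kind, "expires": now + ttl,
            "login_at": now if login_at is None else login_at,
            "linked": linked,               # refresh -> key of its access token
        }
        return token

    def issue(self, user, now, login_at=None):
        """After a successful login: a short access token plus a refresh token
        bound to it. login_at carries the original login time across refreshes."""
        access = self._mint(user, "access", now, ACCESS_TTL, login_at=login_at)
        refresh = self._mint(user, "refresh", now, IDLE_TIMEOUT,
                             linked=self._key(access), login_at=login_at)
        return access, refresh

    def authenticate(self, token, now):
        """Resource access. Returns the user or None. Anything that is not a
        live access token (a refresh token, an expired or revoked token) is
        refused; expiry is enforced here, not left to the client."""
        k = self._key(token)
        rec = self._rec.get(k)
        if rec is None or rec["kind"] != "access":
            return None
        if now >= rec["expires"]:
            del self._rec[k]
            return None
        return rec["user"]

    def refresh(self, token, now):
        """Exchange a refresh token for a new pair. The refresh token is
        consumed even if the exchange fails, and the access token it was
        issued with is revoked, so a stolen copy cannot be replayed later."""
        k = self._key(token)
        rec = self._rec.get(k)
        if rec is None or rec["kind"] != "refresh":
            return None
        del self._rec[k]
        self._rec.pop(rec["linked"], None)
        if now >= rec["expires"]:                         # idle too long
            return None
        if now - rec["login_at"] > ABSOLUTE_LIFETIME:     # login too old
            return None
        return self.issue(rec["user"], now, login_at=rec["login_at"])

    def revoke_all(self, user):
        """Logout everywhere / password change: drop every record for the user."""
        doomed = [k for k, r in self._rec.items() if r["user"] == user]
        for k in doomed:
            del self._rec[k]
        return len(doomed)
```

The token string itself carries no meaning; every decision (who, what kind, still valid) is looked up server-side, which is what makes revocation and expiry enforceable at all. Presenting an access token to the refresh endpoint is harmless and presenting a refresh token to a resource endpoint is refused, so a leak of one token type never doubles as the other.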

Recent CVEs (7484)

CVE-2026-28195
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, altering build behaviour or exposing sensitive information. Versions from 2025.11.3 onward are not affected.

Authentication Bypass Teamcity
NVD
CVE-2026-28193
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated users of JetBrains YouTrack before version 2025.3.121962 can bypass authorization controls to reach the app permissions endpoint, potentially allowing privilege escalation or unauthorized modification of application settings. The flaw requires valid credentials but no special attack complexity or user interaction, so a low-privileged account can gain high-impact access affecting confidentiality and integrity. Versions from 2025.3.121962 onward are not affected.

Authentication Bypass Youtrack
NVD
CVE-2026-2624
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing authentication for critical functions in the ePati Antikor Next Generation firewall allows unauthenticated remote access to firewall management capabilities.

Authentication Bypass Antikor Next Generation Firewall
NVD
CVE-2026-26104
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Missing authorization checks on a privileged D-Bus method in the udisks daemon let unprivileged local users extract LUKS encryption headers, exposing sensitive cryptographic metadata (key slots and key-derivation parameters) that can support offline attacks on the volume passphrase. The vulnerability affects systems running vulnerable versions of udisks and requires local access to exploit. No patch is currently available.

Authentication Bypass Redhat Suse
NVD GitHub VulDB
CVE-2026-26103
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper authorization in the udisks D-Bus API allows local unprivileged users to manipulate LUKS encryption headers on block devices with root privileges, potentially destroying key slots and rendering volumes permanently inaccessible. An attacker with local access can exploit this to cause permanent data loss, a denial of service. No patch is currently available for this vulnerability.

Authentication Bypass Redhat Suse
NVD GitHub VulDB
CVE-2025-67860
EPSS 0% CVSS 3.8
LOW PATCH Monitor

A vulnerability has been identified in the NeuVector scanner: the scanner process accepts registry and controller credentials as command-line arguments, exposing them to any local user who can list running processes.

Authentication Bypass
NVD GitHub
CVE-2025-67601
EPSS 0% CVSS 8.3
HIGH PATCH This Week

A vulnerability has been identified within Rancher Manager: when self-signed CA certificates are in use and the Rancher CLI login command is given --skip-verify without also being given --cacert, the CLI attempts to fetch the CA certificates stored in Rancher's cacerts setting.

Authentication Bypass Rancher Suse
NVD GitHub
CVE-2026-27624
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal addresses by exploiting IPv4-mapped IPv6 address handling in permission and channel binding requests. The vulnerability bypasses "denied-peer-ip" restrictions designed to block loopback ranges, enabling an attacker to interact with internal services that should be unreachable. Public exploit code exists for this flaw, and a patch is available in version 4.9.0 and later.

Authentication Bypass Coturn Suse
NVD GitHub
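
The address-family confusion behind the coturn entry above, as an added example written for this page rather than coturn's own code. A deny list written as IPv4 ranges does not match the same hosts when a client names them as IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 (or the hex spelling ::ffff:7f00:1). The constructed deny list and the function names are assumptions made for the illustration; the fix is to canonicalise the peer address before any policy comparison.

```python
"""Added example (not coturn's code): a deny list that misses IPv4-mapped IPv6
peers, next to a version that canonicalises the address first.
"""
import ipaddress

# Constructed deny list in the spirit of denied-peer-ip: loopback, link-local,
# RFC 1918 space and the IPv6 loopback (assumption for the demo).
DENIED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128",
)]


def is_denied_naive(peer):
    """Vulnerable: checks the address exactly as parsed. '::ffff:127.0.0.1'
    is an IPv6Address, and an IPv6 address is never inside an IPv4 network,
    so the loopback is reachable through the relay."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in DENIED)


def canonical(peer):
    """Parse and fold an IPv4-mapped IPv6 address back to the IPv4 address
    it names. Raises ValueError for anything that is not an address."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_denied(peer):
    """Fixed: canonicalise first, then compare. A peer we cannot parse cannot
    be policy-checked, so it is refused rather than let through."""
    try:
        addr = canonical(peer)
    except ValueError:
        return True
    return any(addr in net for net in DENIED)
```

The same normalisation has to happen everywhere the policy is consulted (permission requests and channel bindings alike in a TURN server), and before logging, so that an attempt to reach a blocked peer is recorded under the address it really targets.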
CVE-2026-27608
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to properly authorize access to the AI Agent API endpoint, allowing authenticated users to access other apps' agent functionalities and read-only users to escalate privileges by obtaining the master key with write permissions. Attackers can exploit this to read, modify, or delete data across any app on affected Parse Server instances where agent configuration is enabled. No patch is currently available; administrators should disable the agent configuration block as a temporary mitigation.

Authentication Bypass AI / ML Parse Dashboard
NVD GitHub
CVE-2026-25127
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 fail to properly enforce permission checks, allowing authenticated users to access sensitive information belonging to other authorized users. The vulnerability requires valid credentials and network access but does not enable data modification or denial of service. Public exploit code exists and a patch is available in version 8.0.0 and later.

Authentication Bypass Openemr
NVD GitHub
CVE-2025-67752
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application.

Authentication Bypass Openemr
NVD GitHub
CVE-2026-3131
EPSS 0% CVSS 6.5
MEDIUM This Month

Devolutions Server 2025.3.14.0 and earlier contains insufficient access control in REST API endpoints that enables authenticated view-only users to retrieve sensitive connection data they should not access. An attacker with basic authentication credentials could exploit this to gain unauthorized visibility into protected connection information, compromising confidentiality without requiring user interaction or elevated privileges.

Authentication Bypass Information Disclosure Devolutions Server
NVD
CVE-2026-26342
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Persistent authentication token in Tattile ANPR cameras firmware 1.181.5 and prior. Authentication tokens never expire, enabling indefinite session reuse. PoC available.

Authentication Bypass Vega33 Firmware Basic Mk2 Firmware +4
NVD
CVE-2026-26341
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Default credentials in Tattile Smart+, Vega, and Basic ANPR camera families firmware 1.181.5 and prior. License plate recognition cameras ship with known default credentials. PoC available.

Authentication Bypass Vega11 Firmware Axle Counter Firmware +4
NVD
CVE-2026-26340
EPSS 1% CVSS 7.5
HIGH POC This Week

Unauthenticated RTSP stream access in multiple Tattile and Vega firmware versions allows remote attackers to view live video and audio feeds without credentials, exposing surveillance data across affected devices. Public exploit code exists for this vulnerability, which impacts Axle Counter, Vega11, Vega53, Vega33, and Anpr Mobile firmware lineups version 1.181.5 and earlier. No patch is currently available for this high-severity issue.

Authentication Bypass Axle Counter Firmware Vega11 Firmware +4
NVD
CVE-2026-23859
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Dell Wyse Management Suite versions prior to WMS 5.5 contain a client-side enforcement of server-side security vulnerability. A highly privileged attacker with remote access could exploit it to bypass a protection mechanism.

Authentication Bypass Dell
NVD
CVE-2026-22765
EPSS 0% CVSS 8.8
HIGH This Week

Dell Wyse Management Suite versions prior to 5.5 suffer from improper access controls that allow authenticated remote attackers to escalate their privileges. An attacker with low-level credentials can bypass authorization checks to gain high-privilege access to the system, compromising confidentiality, integrity and availability. Versions from 5.5 onward are not affected.

Authentication Bypass Dell Wyse Management Suite
NVD
CVE-2026-1768
EPSS 0% CVSS 4.3
MEDIUM This Month

Devolutions Server before version 2025.3.15 contains a permission cache poisoning flaw that allows authenticated users to circumvent access controls and retrieve restricted entries. An attacker with valid credentials can exploit the improper permission validation to access data they are not authorized to view. Versions from 2025.3.15 onward are not affected.

Authentication Bypass Devolutions Server
NVD
CVE-2026-27468
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe to account events and request content backfill, affecting only servers with the experimental FASP feature enabled. While individual requests cause minor information disclosure of publicly available URIs, repeated exploitation enables denial-of-service attacks. A patch is available to address this authorization bypass.

Denial Of Service Authentication Bypass Mastodon
NVD GitHub
CVE-2025-13776
EPSS 0% CVSS 7.1
HIGH This Week

Multiple Finka programs use hard-coded Firebird database credentials that are shared across all installations of the software. An attacker on the local network who knows these credentials can read and edit database content.

Authentication Bypass Finka Magazyn Finka Place +4
NVD
CVE-2026-27521
EPSS 0% CVSS 7.5
HIGH This Week

Binardat 10G08-0800GSM firmware is affected by improper restriction of excessive authentication attempts, so login guesses are neither rate-limited nor locked out (CVSS 7.5).

Authentication Bypass 10g08 0800gsm Firmware
NVD
CVE-2026-27507
EPSS 0% CVSS 9.8
CRITICAL Act Now

Hardcoded admin credentials in Binardat 10G08-0800GSM network switch firmware V300SP10260209 and prior. Known credentials provide full administrative access.

Authentication Bypass 10g08 0800gsm Firmware
NVD
CVE-2025-69985
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.

Node.js RCE Authentication Bypass +1
NVD GitHub
CVE-2026-27584
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Actual is a local-first personal finance tool.

Authentication Bypass Information Disclosure Actual
NVD GitHub
CVE-2026-2800
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Spoofing in Firefox for Android WebAuthn component before 148. Allows phishing attacks through WebAuthn UI manipulation.

Mozilla Google Authentication Bypass
NVD
CVE-2026-2791
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Cache-based mitigation bypass in Firefox Networking before 148. Caching mechanism can be exploited to bypass security mitigations.

Mozilla Authentication Bypass
NVD
CVE-2026-2790
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Same-origin policy bypass in Firefox Networking JAR component before 148. Allows cross-origin data access through JAR protocol handling.

Mozilla Authentication Bypass
NVD
CVE-2026-2784
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

DOM Security mitigation bypass in Firefox before 148. Security mechanisms protecting DOM operations can be circumvented.

Mozilla Authentication Bypass
NVD
CVE-2026-2775
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

HTML parser mitigation bypass in the Firefox DOM component before 148. Content sanitization protections applied during HTML parsing can be circumvented.

Mozilla Authentication Bypass
NVD
CVE-2026-2768
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows escaping the content process sandbox.

Authentication Bypass Mozilla
NVD
CVE-2024-1524
EPSS 0% CVSS 7.7
HIGH This Week

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IdP), a local user store account's information may be overwritten during provisioning when a federated user shares the same username as a local user.

Authentication Bypass Api Manager Identity Server
NVD
CVE-2026-25966
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 allow local attackers to bypass the security policy's stdin/stdout restrictions by using fd:<n> pseudo-filenames (for example fd:0 or fd:1), enabling unauthorized reading from and writing to the standard streams. Systems that rely on ImageMagick's default security policy to prevent stream access are affected. Versions 7.1.2-15 and 6.9.13-40 onward are not affected; on older builds administrators can tighten the security policy configuration as a workaround.

Authentication Bypass Imagemagick Redhat +1
NVD GitHub
CVE-2026-3025
EPSS 0% CVSS 7.3
HIGH This Week

Smart Heating Integrated Management Platform versions up to 1.0.0 are affected by improper access control (CVSS 7.3).

File Upload Authentication Bypass Smart Heating Integrated Management Platform
NVD VulDB
CVE-2025-71056
EPSS 0% CVSS 8.1
HIGH This Week

Improper session management in the GCOM EPON 1GE ONU, version C00R371V00B01, allows attackers to hijack a session by spoofing the IP address of an authenticated user, because the device ties the session to the client address rather than to an unguessable token.

Authentication Bypass
NVD GitHub
CVE-2025-68930
EPSS 0% CVSS 7.1
HIGH POC This Week

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake, so a malicious page visited by a logged-in user can open a socket to the server with that user's cookies and receive their data.

Authentication Bypass Traccar
NVD GitHub
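
The Origin check the Traccar handshake above lacks, as an added example written for this page rather than Traccar's own code. A browser attaches the victim's cookies to a WebSocket upgrade started from any page, so the server must compare the Origin header against an allowlist before completing the upgrade. The allowlist, the header handling and the function names are assumptions made for the illustration.

```python
"""Added example (not Traccar's code): exact-match Origin validation for a
WebSocket handshake, with the lookalike origins an attacker would try.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the exact origins the UI is served from (assumption).
ALLOWED_ORIGINS = {"https://tracker.example.com", "https://tracker.example.com:8443"}


def normalise_origin(origin):
    """Return 'scheme://host[:port]' in canonical form, or None if the value
    is not a well-formed web origin (no path, query or fragment allowed)."""
    try:
        parts = urlsplit(origin)
        port = parts.port              # ValueError on junk such as :99999
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Canonicalise the allowlist once so comparisons are exact, not textual.
_ALLOWED = {normalise_origin(o) for o in ALLOWED_ORIGINS}


def websocket_handshake_allowed(headers):
    """Decide whether to complete the upgrade. `headers` is a dict with
    lower-cased keys (an assumption here; frameworks differ).

    A missing Origin means a non-browser client; it carries no ambient
    cookies, so it is not a CSWSH victim and the normal credential check
    applies. Any Origin that is present must match the allowlist as a whole
    origin, never by prefix or substring."""
    origin = headers.get("origin")
    if origin is None:
        return True
    return normalise_origin(origin) in _ALLOWED
```

Parsing the Origin as a URL and comparing whole origins is what defeats the usual tricks: a host that merely starts with the allowed name, the allowed name placed in the userinfo or path, a scheme downgrade, and the literal string "null". A server that instead checks `origin.startswith("https://tracker.example.com")` fails the first of these.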
CVE-2026-2698
EPSS 0% CVSS 6.5
MEDIUM This Month

Security Center's access control implementation fails to properly restrict authenticated users to their authorized scope, allowing privilege escalation to view sensitive data. An attacker with valid credentials can bypass authorization checks to access confidential information outside their assigned permissions. No patch is currently available for this vulnerability.

Authentication Bypass Security Center
NVD
CVE-2026-2697
EPSS 0% CVSS 6.3
MEDIUM This Month

Authenticated users of Security Center can manipulate the 'owner' parameter to gain unauthorized elevated privileges through an indirect object reference flaw. This network-accessible vulnerability requires valid credentials but no user interaction, enabling privilege escalation attacks with moderate impact on confidentiality, integrity, and availability. No patch is currently available.

Authentication Bypass Security Center
NVD
CVE-2025-70044
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue classified as CWE-295 (Improper Certificate Validation) was discovered in fofolee uTools-quickcommand 5.0.3.

Authentication Bypass Utools Quickcommand
NVD GitHub
CVE-2026-2979
EPSS 0% CVSS 6.3
MEDIUM POC This Month

FastApiAdmin up to 2.2.0 contains an unrestricted file upload vulnerability in the user avatar upload endpoint that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could leverage this to compromise system integrity and potentially execute malicious code.

File Upload Authentication Bypass Fastapiadmin
NVD GitHub VulDB
CVE-2026-2978
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Unrestricted file upload in FastApiAdmin up to version 2.2.0 allows authenticated remote attackers to upload arbitrary files through the Scheduled Task API endpoint. Public exploit code exists, so this can be used to achieve remote code execution or otherwise compromise the system. No fixed release is named; restrict access to the upload functionality until one is available.

File Upload Authentication Bypass Fastapiadmin
NVD GitHub VulDB
CVE-2026-2977
EPSS 0% CVSS 6.3
MEDIUM POC This Month

FastApiAdmin versions up to 2.2.0 contain an unrestricted file upload vulnerability in the Scheduled Task API's upload controller that allows authenticated attackers to upload arbitrary files remotely. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could leverage this to achieve unauthorized file write access and potentially further compromise the application.

File Upload Authentication Bypass Fastapiadmin
NVD GitHub VulDB
CVE-2026-2968
EPSS 0% CVSS 3.7
LOW POC Monitor

A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this di...

Authentication Bypass
NVD GitHub VulDB
CVE-2026-2997
EPSS 0% CVSS 5.4
MEDIUM This Month

Tronclass by WisdomGarden contains an insecure direct object reference flaw that allows authenticated attackers to bypass access controls and obtain course invitation codes by manipulating course ID parameters. An attacker exploiting this vulnerability can enroll in arbitrary courses without authorization. No patch is currently available for this medium-severity issue.

Authentication Bypass
NVD
CVE-2026-27484
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized Discord moderation actions in OpenClaw versions 2026.2.17 and below allow non-admin users to execute timeouts, kicks, and bans by spoofing sender identity parameters in tool-driven requests. The vulnerability affects deployments where Discord moderation is enabled and the bot has necessary guild permissions, enabling privilege escalation through identity manipulation. A patch is available in version 2026.2.18.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVE-2026-27471
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Missing authorization in ERPNext before 15.98.0 and 16.6.0; fixed in those releases.

Authentication Bypass Erpnext
NVD GitHub
CVE-2026-27212
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Prototype pollution in Swiper versions 6.5.1 through 12.1.1 allows local authenticated attackers to manipulate Object.prototype through improperly validated user input, enabling authentication bypass, denial of service, and remote code execution. Public exploit code exists for this vulnerability, which affects applications on Linux and Windows using Node.js or Bun runtimes. A patch is available and should be applied immediately to affected systems processing untrusted input.

Linux Denial Of Service Authentication Bypass +1
NVD GitHub
CVE-2026-27197
EPSS 0% CVSS 9.1
CRITICAL Act Now

SAML authentication bypass in Sentry 21.12.0 through 26.1.0.

Authentication Bypass Sentry
NVD GitHub
CVE-2026-2635
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Default password auth bypass in MLflow ML platform. EPSS 1.4%.

Authentication Bypass AI / ML Mlflow
NVD GitHub
CVE-2026-2039
EPSS 1% CVSS 9.8
CRITICAL Act Now

Auth bypass in GFI Archiver via MArc.Store missing authorization. EPSS 0.59%.

Authentication Bypass Archiver
NVD
CVE-2026-2038
EPSS 1% CVSS 9.8
CRITICAL Act Now

Auth bypass in GFI Archiver via MArc.Core missing authorization. EPSS 0.59%.

Authentication Bypass Archiver
NVD
CVE-2019-25436
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Deviceviewer versions up to 3.12.0.1 allow attackers to change passwords without validation of the old-password field (CVSS 6.5).

Authentication Bypass Deviceviewer
NVD Exploit-DB
CVE-2019-25432
EPSS 0% CVSS 7.5
HIGH POC This Week

Part-DB 0.4 contains an authentication bypass that allows unauthenticated attackers to log in by injecting SQL syntax into the authentication parameters.

Authentication Bypass
NVD GitHub Exploit-DB
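
The bug class behind the Part-DB entry above, as an added example written for this page rather than Part-DB's code, run against an in-memory SQLite table so it works offline. The schema, the two constructed accounts and the query shapes are assumptions made for the illustration. The vulnerable login interpolates the username into the SQL text, so a username that ends in a comment marker removes the password clause from the query.

```python
"""Added example (not Part-DB's code): SQL injection in a login query, with
the parameterised version beside it. Table and accounts are constructed.
"""
import hashlib
import hmac
import sqlite3


def _hash(password):
    # Plain SHA-256 keeps the demo short; a real system uses a slow, salted
    # password hash (hashlib.pbkdf2_hmac, scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample table: the admin row first, one ordinary user second."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", _hash("long random passphrase"), 1),
        ("bob",   _hash("bobs password"), 0),
    ])
    return db


def login_vulnerable(db, username, password):
    """Builds the query with string formatting. The username  admin' --
    turns it into  ... WHERE name = 'admin' --' AND pw_hash = '...'
    and the password comparison becomes a comment."""
    query = ("SELECT name, is_admin FROM users "
             f"WHERE name = '{username}' AND pw_hash = '{_hash(password)}'")
    return db.execute(query).fetchone()      # (name, is_admin) or None


def login_safe(db, username, password):
    """Parameterised lookup, then a constant-time hash comparison in code.
    The username can contain anything; it is data, never SQL."""
    row = db.execute("SELECT name, pw_hash, is_admin FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    name, stored, is_admin = row
    if not hmac.compare_digest(stored, _hash(password)):
        return None
    return (name, is_admin)
```

The safe version also moves the password check out of the database and into code, which is where a constant-time comparison and a proper password hash belong; the query's only job is to fetch the row for a name that was passed as a bound parameter.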
CVE-2026-26049
EPSS 0% CVSS 5.7
MEDIUM This Month

The web management interface of the device renders passwords in a plaintext input field.

Authentication Bypass
NVD GitHub
CVE-2026-26048
EPSS 0% CVSS 7.5
HIGH This Week

Wi-Fi routers lacking management frame protection are susceptible to forged deauthentication and disassociation frames, enabling unauthenticated attackers within radio range to disconnect legitimate users and disrupt network availability. The attacker needs no credentials to broadcast the spoofed management frames, creating a denial-of-service condition for all connected devices. No patch is currently available for this high-severity issue; enabling 802.11w Protected Management Frames, where the hardware supports it, is the standard countermeasure.

Authentication Bypass
NVD GitHub
CVE-2026-24790
EPSS 0% CVSS 8.2
HIGH This Week

Unauthenticated remote attackers can manipulate the underlying PLC controller on affected devices due to missing authentication controls, enabling modification of device operations and potential service disruption. The vulnerability requires no user interaction and can be exploited over the network, with no official patch currently available to mitigate the risk.

Authentication Bypass
NVD GitHub
CVE-2026-1842
EPSS 0%
Monitor

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used.

Authentication Bypass
NVD
CVE-2025-70833
EPSS 0% CVSS 9.4
CRITICAL Act Now

Auth bypass in Smanga 3.2.7 allows unauthenticated password reset for any user including admin.

PHP Authentication Bypass Smanga
NVD GitHub
CVE-2025-15582
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A security flaw has been discovered in detronetdip E-commerce 1.0.0, affecting the Delete/Update functions of the Product Management Module.

Authentication Bypass E Commerce
NVD GitHub VulDB
CVE-2026-24950
EPSS 0% CVSS 7.5
HIGH This Week

themeplugs' Authorsy (authorsy) is affected by authorization bypass through a user-controlled key (CVSS 7.5).

Authentication Bypass
NVD
CVE-2026-24944
EPSS 0% CVSS 6.5
MEDIUM This Month

Inadequate access control in weDevs Subscribe2 plugin version 10.44 and earlier permits unauthenticated attackers to bypass authorization checks and gain unauthorized access to restricted functionality. An attacker can exploit misconfigured security levels to perform actions they should not be permitted to execute, potentially exposing sensitive subscriber data or modifying plugin settings. No patch is currently available.

Authentication Bypass
NVD
CVE-2026-22350
EPSS 0% CVSS 6.5
MEDIUM This Month

Insufficient authorization controls in PDF for Elementor Forms + Drag And Drop Template Builder version 6.3.1 and earlier allow authenticated users to modify or create PDF forms without proper permission validation. An attacker with user-level access could bypass access control restrictions to manipulate form configurations or data integrity. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVE-2026-22341
EPSS 0% CVSS 5.4
MEDIUM This Month

Booked scheduling software versions 3.0.0 and earlier contain an authentication bypass flaw that allows authenticated users to abuse alternate authentication paths or channels to gain unauthorized access. An attacker with valid credentials could exploit this vulnerability to escalate privileges or access restricted functionality without proper authorization. No patch is currently available for affected installations.

Authentication Bypass
NVD
CVE-2025-69401
EPSS 0% CVSS 7.5
HIGH This Week

mdalabar's WooODT Lite (byconsole-woo-order-delivery-time) is affected by authentication bypass by spoofing (CVSS 7.5).

Authentication Bypass
NVD
CVE-2025-69394
EPSS 0% CVSS 7.5
HIGH This Week

Authorization bypass through a user-controlled key in cnvrse's Cnvrse (cnvrse) allows exploiting incorrectly configured access control security levels. This issue affects Cnvrse versions up to and including 026.02.10.20.

Authentication Bypass
NVD
CVE-2025-69393
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in Jthemes' Exzo (exzo) allows exploiting incorrectly configured access control security levels. This issue affects Exzo versions up to and including 1.2.4.

Authentication Bypass
NVD
CVE-2025-69303
EPSS 0% CVSS 7.5
HIGH This Week

modeltheme's ModelTheme Framework (modeltheme-framework) is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVE-2025-69298
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in GhostPool's Gauge (gauge) allows exploiting incorrectly configured access control security levels. This issue affects Gauge versions up to and including 6.56.4.

Authentication Bypass
NVD
CVE-2025-69297
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in GhostPool's Aardvark Plugin (aardvark-plugin) allows exploiting incorrectly configured access control security levels. This issue affects Aardvark Plugin versions up to and including 2.19.

Authentication Bypass
NVD
CVE-2025-69063
EPSS 0% CVSS 8.6
HIGH This Week

Missing authorization in Saad Iqbal's New User Approve (new-user-approve) allows exploiting incorrectly configured access control security levels. This issue affects New User Approve versions up to and including 3.2.0.

Authentication Bypass
NVD
CVE-2025-68895
EPSS 0% CVSS 6.5
MEDIUM This Month

ahachat's AhaChat Messenger Marketing (ahachat-messenger-marketing) contains a vulnerability of unspecified type (CVSS 6.5).

Authentication Bypass
NVD
CVE-2025-68564
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in sendy's Sendy (sendy) allows exploiting incorrectly configured access control security levels. This issue affects Sendy versions up to and including 3.4.2.

Authentication Bypass
NVD
CVE-2025-68542
EPSS 0% CVSS 6.5
MEDIUM This Month

vgdevsolutions' Checkout Gateway for IRIS (checkout-gateway-iris) is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVE-2025-68534
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in add-ons.org's PDF for WPForms (pdf-for-wpforms) allows exploiting incorrectly configured access control security levels. This issue affects PDF for WPForms versions up to and including 6.3.0.

Authentication Bypass
NVD
CVE-2025-68514
EPSS 0% CVSS 6.5
MEDIUM This Month

Cozmoslabs' Paid Member Subscriptions (paid-member-subscriptions) is affected by authorization bypass through a user-controlled key (CVSS 6.5).

Authentication Bypass
NVD
CVE-2025-68069
EPSS 0% CVSS 7.1
HIGH This Week

Missing authorization in wpWax's Directorist (directorist) allows exploiting incorrectly configured access control security levels. This issue affects Directorist versions up to and including 8.5.10.

Authentication Bypass
NVD
CVE-2025-68051
EPSS 0% CVSS 7.4
HIGH This Week

Shiprocket's Shiprocket (shiprocket) is affected by authorization bypass through a user-controlled key (CVSS 7.4).

Authentication Bypass
NVD
CVE-2025-68050
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Leadpages' Leadpages (leadpages) allows exploiting incorrectly configured access control security levels. This issue affects Leadpages versions up to and including 1.1.3.

Authentication Bypass
NVD
CVE-2025-68048
EPSS 0% CVSS 7.5
HIGH This Week

XLPlugins' NextMove Lite (woo-thank-you-page-nextmove-lite) is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVE-2025-68043
EPSS 0% CVSS 7.3
HIGH This Week

Missing authorization in LottieFiles' LottieFiles (lottiefiles) allows exploiting incorrectly configured access control security levels. This issue affects LottieFiles versions up to and including 3.0.0.

Authentication Bypass
NVD
CVE-2025-68042
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Travelpayouts' Travelpayouts (travelpayouts) allows exploiting incorrectly configured access control security levels. This issue affects Travelpayouts versions up to and including 1.2.1.

Authentication Bypass
NVD
CVE-2025-68026
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Niaj Morshed's LC Wizard (ghl-wizard) allows exploiting incorrectly configured access control security levels. This issue affects LC Wizard versions up to and including 2.1.1.

Authentication Bypass
NVD
CVE-2025-68021
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in ConveyThis' ConveyThis (conveythis-translate) allows exploiting incorrectly configured access control security levels. This issue affects ConveyThis versions up to and including 269.5.

Authentication Bypass
NVD
CVE-2025-68005
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in themewant's Easy Hotel Booking (easy-hotel) allows exploiting incorrectly configured access control security levels. This issue affects Easy Hotel Booking versions up to and including 1.8.7.

Authentication Bypass
NVD
CVE-2025-68000
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in PickPlugins' Testimonial Slider (testimonial) allows exploiting incorrectly configured access control security levels. This issue affects Testimonial Slider versions up to and including 2.0.15.

Authentication Bypass
NVD
CVE-2025-67998
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass using an alternate path or channel in kamleshyadav's Miraculous Elementor (miraculous-el) allows authentication abuse. This issue affects Miraculous Elementor versions up to and including 2.0.7.

Authentication Bypass
NVD
CVE-2025-67994
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in YayCommerce's YayCurrency (yaycurrency) allows exploiting incorrectly configured access control security levels. This issue affects YayCurrency versions up to and including 3.3.

Authentication Bypass
NVD
CVE-2025-67993
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Vito Peleg's Atarim (atarim-visual-collaboration) allows exploiting incorrectly configured access control security levels. This issue affects Atarim versions up to and including 4.2.1.

Authentication Bypass
NVD
CVE-2025-67977
EPSS 0% CVSS 8.2
HIGH This Week

VillaTheme's HAPPY (happy-helpdesk-support-ticket-system) is affected by missing authorization (CVSS 8.2).

Authentication Bypass
NVD
CVE-2025-67975
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in aDirectory's aDirectory (adirectory) allows exploiting incorrectly configured access control security levels. This issue affects aDirectory versions up to and including 3.0.3.

Authentication Bypass
NVD
CVE-2025-67974
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in WP Legal Pages' WPLegalPages (wplegalpages) allows exploiting incorrectly configured access control security levels. This issue affects WPLegalPages versions up to and including 3.5.4.

Authentication Bypass WordPress PHP
NVD

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
7484
