Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
Recent CVEs (31268)
Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged attacker reaching the T3 or IIOP listeners, with a scope change that lets the compromise propagate to other Fusion Middleware components. CVSS 3.1 is rated 9.9 due to high confidentiality, integrity, and availability impact across a changed scope, and no public exploit identified at time of analysis. The flaw resides in the Client Bundle component of this document-capture product and is fixed in Oracle's June 2026 Critical Patch Update.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privileged takeover of Oracle WebCenter Content (Content Server component) affects supported versions 12.2.1.4.0 and 14.1.2.0.0, enabling a high-privileged attacker with HTTP network access to fully compromise the instance and pivot to additional Fusion Middleware products via a scope change. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting low attack complexity and full CIA impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Unauthorized data modification in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a remote unauthenticated attacker to create, delete, or modify critical identity data via the REST WebServices component over HTTP. Oracle rates the issue as easily exploitable with a CVSS 3.1 base score of 7.5 (integrity-only impact), and no public exploit has been identified at time of analysis.
Account takeover in Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 (Fusion Middleware Core component) allows a low-privileged remote attacker to fully compromise the product via T3 or IIOP protocols, with scope change extending impact to other Fusion Middleware components. The CVSS 9.9 score reflects high confidentiality, integrity, and availability impact combined with low attack complexity. No public exploit identified at time of analysis, but Identity Manager's role as a central identity authority makes this a critical patching priority.
Account takeover in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the Identity Manager instance via its REST WebServices component over HTTP. Oracle rates the flaw CVSS 8.8 with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity lifecycle and provisioning, successful exploitation has cascading impact across downstream applications it manages.
Account takeover in Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker with HTTP access to fully compromise the Identity Manager component of Oracle Fusion Middleware. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation results in takeover of the identity governance platform itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by a low-privileged attacker over HTTP, with a CVSS 3.1 score of 9.9 driven by a scope change that lets the impact spread beyond WebLogic itself. Oracle has issued the fix in the June 2026 Critical Patch Update (cspujun2026), and there is no public exploit identified at time of analysis. Authenticated but low-effort exploitation combined with full confidentiality, integrity and availability impact makes this a top-priority patching item for any Oracle middleware estate.
Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.
Cross-scope data compromise in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 allows a low-privileged remote attacker over HTTPS to read, create, modify, or delete critical data through the administration Console, provided a separate user is induced to perform an action. The CVSS 3.1 base score of 8.7 reflects high confidentiality and integrity impact with scope change reaching beyond WebLogic itself, and no public exploit identified at time of analysis.
Deno's Node.js compatibility TCP path (node:net.connect / node:http.request options form) fails to re-check network permissions against the resolved IP address, allowing numeric IPv4 aliases (e.g., decimal integer '2130706433' or hex '0x7f000001' for 127.0.0.1) to bypass --deny-net rules in Deno versions up to and including 2.7.14. Any code executing inside the Deno process - including supply-chain-compromised dependencies or attacker-controlled input - can reach explicitly denied destinations such as loopback services, private ranges, or cloud instance metadata endpoints by exploiting this pre-resolution-only permission check. No public exploit identified at time of analysis via CISA KEV, but publicly available exploit code exists (proof-of-concept published in GHSA-v8fw-85r8-5m23); fix is available in Deno 2.8.0.
Deno's `process.loadEnvFile()` Node.js compatibility API silently bypasses the runtime's capability-based `env` permission system, allowing environment variable injection into `process.env` without holding any `env` permission. Deno versions v2.3.0 through v2.8.0 are affected: a program (or any imported dependency) that calls `process.loadEnvFile()` while operating under `--deny-env` or a restricted `--allow-env=ALLOWLIST` can have its environment mutated by any party able to write or control a `.env` file covered by the program's `--allow-read` grant. No public exploit has been identified at time of analysis, and no CISA KEV listing was found in the provided data, but the advisory is fully public and the bypass mechanism is well-described.
Deno's fetch() API in versions through 2.8.0 fails to validate resolved IP addresses against --deny-net policy rules, enabling sandbox escape to network destinations explicitly blocked by operators. Scripts executing under a --deny-net restriction can craft or leverage attacker-controlled DNS entries that pass hostname-level checks but resolve to denied IPs such as localhost or internal RFC-1918 addresses, silently bypassing the network isolation boundary. No active exploitation is confirmed (not in CISA KEV), no public proof-of-concept code has been identified, and the vendor has released a confirmed patch in version 2.8.1.
Missing webhook request validation in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes allows unauthenticated remote attackers who know the webhook URL to submit forged payloads and cause arbitrary workflow execution with attacker-controlled data. All n8n npm versions below 2.25.7 and versions 2.26.0-2.26.1 are affected when either node is actively used in a workflow. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:C scoring reflects low-complexity, unauthenticated network exploitation with a scope change indicating potential downstream impact on systems integrated with triggered workflows.
Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.
Allowlist bypass in OpenClaw versions prior to 2026.5.12 allows authenticated operators to execute unapproved shell commands by routing requests through inline-command parser cases that skip the expected allowlist enforcement. The flaw, reported by VulnCheck and tracked under GHSA-f397-5vjw-v2c2, effectively neutralizes the operator-approval boundary in OpenClaw's shell command path. No public exploit identified at time of analysis, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact with a present attack requirement.
Environment variable sanitization weakness in OpenClaw prior to 2026.5.26 lets attackers smuggle Node.js control variables (such as NODE_OPTIONS) past the host environment sanitizer, enabling them to influence child-process behavior and coverage output paths. Affected attackers must have write access to workspace .env files, tool environment overrides, or skill environment blocks, and no public exploit is identified at time of analysis. The flaw was reported by VulnCheck and is tracked under CWE-184 (Incomplete List of Disallowed Inputs).
OpenClaw versions before 2026.4.25 expose an authorization bypass via unvalidated user-controlled group IDs in the tool group policy resolver, enabling authenticated low-privilege network attackers to manipulate access-control decisions for tool invocations. The CVSS 4.0 vector assigns VI:H (High integrity impact on the vulnerable system), reflecting that successful exploitation can cause the policy engine to grant or deny tool permissions contrary to the intended configuration. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AT:P metric indicates a specific attack requirement limits opportunistic mass exploitation.
OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., `-abc` instead of `-a -b -c`), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.
Hostname blocklist bypass in OpenClaw before 2026.5.26 enables authenticated attackers to reach operator-restricted network destinations by supplying trailing-dot notation in model- or workspace-derived URLs. The comparison logic evaluating hostnames against blocklist policies does not normalize fully qualified domain name (FQDN) trailing dots before evaluation, while DNS resolvers treat `blocked.example.com.` and `blocked.example.com` as identical targets. With confidentiality impact rated High by CVSS 4.0 and no public exploit or KEV listing identified at time of analysis, risk is real but bounded to deployments with active blocklist policies and users who control URL parameters.
Authentication bypass in OpenClaw before 2026.5.3 allows remote attackers with low privileges to receive agent responses intended for other Zalo identities by manipulating their mutable display name to match allowFrom policy entries. The flaw stems from policy enforcement relying on mutable display metadata rather than immutable identifiers, and no public exploit has been identified at time of analysis.
Allowlist bypass in OpenClaw before 2026.4.2 lets authenticated operators smuggle inline-eval content through shell positional parameters, defeating the strict allowlist that is meant to constrain which tools and content the shell carrier executes. Successful abuse yields execution of unapproved shell-provided content with high confidentiality and integrity impact, and no public exploit has been identified at time of analysis.
Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.
Allowlist bypass in OpenClaw before 2026.5.12 lets authenticated attackers invoke approved executables with arbitrary arguments on Linux and macOS, defeating the argPattern restrictions intended to constrain each binary's permitted invocations. The flaw enables disallowed file access, network access, or command execution under the privileges of the OpenClaw exec subsystem, with no public exploit identified at time of analysis.
Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
OpenClaw before 2026.5.12 fails to enforce its own notification filter for Slack reaction events, allowing those events to bypass a disabled-notification setting and reach the agent processing pipeline (CWE-862: Missing Authorization). Any user with Slack workspace access can send reaction events to channels monitored by OpenClaw, triggering unintended agent execution with lower-trust input even when administrators have explicitly disabled reaction notifications. No public exploit code exists and no active exploitation has been confirmed at time of analysis; the CVSS 4.0 score of 6.3 reflects a moderate-severity, narrow-impact integrity issue.
OpenClaw before version 2026.4.25 permits authenticated local callers to invoke the focus command without passing proper authorization checks, enabling control scope enforcement bypass (CWE-862: Missing Authorization). Any low-privileged local user can alter focus state outside their intended caller authority, with downstream impact varying by gateway configuration and input trust levels. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.
OpenClaw before version 2026.5.26 exposes an exec allowlist bypass that lets authenticated operators with low privileges invoke unintended side effects through transparent command wrappers that circumvent allowlist validation at the wrapper layer. The root cause is CWE-184 (Incomplete List of Disallowed Inputs), where allowlist checks succeed at the surface request level but fail to constrain behavior triggered deeper in the wrapper execution path, yielding a limited but confirmed integrity impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the constrained scope: exploitation requires authenticated operator access plus a specific attack target precondition.
Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.
Session visibility check bypass in OpenClaw's shared memory search component allows authenticated low-privileged users to retrieve memory entries belonging to other sessions without proper authorization. All OpenClaw versions prior to 2026.4.29 are affected; the flaw (CWE-862, Missing Authorization) exists because the session visibility guard is not enforced on the shared memory search code path, yielding a high confidentiality impact against multi-session deployments. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.0 with VC:H signals meaningful data exposure risk for any environment where multiple users or sessions operate concurrently.
Authorization bypass in OpenClaw before 2026.5.26 allows an attacker with a previously paired device to re-establish WebSocket node-level authority after the session has been revoked, effectively defeating the revocation control. The flaw stems from a surviving pairing-scoped device session that can mint new node tokens without renewed approval, letting authenticated attackers retain unauthorized node-level access longer than intended. No public exploit identified at time of analysis, but the issue is acknowledged in a GitHub Security Advisory (GHSA-q99w-vh6v-q3v7) and a VulnCheck advisory.
Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.
Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.
Cross-tenant data access in Langflow versions prior to 1.9.0 allows any authenticated user to read, modify, rename, or permanently delete other users' messages, sessions, build artifacts, and LLM transaction logs via seven unprotected `/api/v1/monitor` endpoints. The flaw stems from missing ownership checks (IDOR/BOLA) where `flow_id` or resource UUIDs are accepted verbatim without verifying the requester owns them. No public exploit identified at time of analysis beyond the detailed PoC in the vendor advisory, and the issue is not listed in CISA KEV.
Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.
Unauthenticated password change in Rockwell Automation 1794-AENTR Flex I/O EtherNet/IP adapter's embedded web server allows remote attackers to overwrite the web interface password via a crafted HTTP GET request to a specific endpoint, enabling full account takeover of the industrial device. The flaw, reported by Rockwell and tracked as CVE-2026-0647 with a CVSS 4.0 base score of 8.8, has no public exploit identified at time of analysis but is trivially exploitable given no authentication, no user interaction, and low attack complexity over the network.
Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.
Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.
Authentication bypass in Rockwell Automation FactoryTalk Historian Site Edition allows remote attackers to obtain a valid authentication token by repeatedly hammering the login endpoint, exploiting a race condition (CWE-362) in the authentication flow. The flaw carries a CVSS 4.0 score of 9.2 with network attack vector and no privileges required, though successful exploitation depends on winning a timing window (AT:P). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Serial device servers in the Moxa NPort 6000 and CN2600 product lines expose a command port that accepts break signal commands without verifying the sender holds a valid associated data port session. Remote unauthenticated attackers with network access to the command port can disrupt active serial communication sessions, causing a denial of service for any device or system relying on that serial link. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity of browser-rendered content without user interaction. The flaw carries a critical CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged as an Authentication Bypass class issue, though no public exploit identified at time of analysis. The vulnerability has been patched by Mozilla in Firefox 152 per MFSA2026-57/MFSA2026-60.
Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12, with no public exploit identified at time of analysis. Given the CVSS 9.1 rating and network-reachable attack vector, any user browsing a malicious page is potentially exposed.
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by injecting strings like 'AtlassianMobileApp' or 'JIRA' into the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources, effectively neutralizing the security control the plugin exists to provide. No public exploit identified at time of analysis, but the technique is trivial to reproduce from the public advisory text.
Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the `ajax_pay_for_order()` function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.
Missing authorization controls in the Metro Magazine WordPress theme by Rara Themes (versions through 1.4.1) expose unauthenticated network attackers to restricted theme actions, yielding partial integrity and availability impact without any credential requirement. Rooted in CWE-862 (Missing Authorization), the flaw reflects a broken access control pattern common in WordPress themes that register AJAX or REST endpoints without validating the caller's privilege level. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS data was not provided in available intelligence.
Broken access control in the Envira Photo Gallery WordPress plugin (versions <= 1.12.5) allows unauthenticated remote attackers to bypass authorization checks and perform unauthorized operations affecting site integrity and availability. The flaw stems from missing authorization enforcement (CWE-862) on one or more plugin endpoints, exploitable without any credentials or user interaction across default WordPress deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector keeps real-world risk elevated for any site running the affected plugin.
Broken access control in SEO Plugin by Squirrly SEO version 12.4.16 and earlier allows unauthenticated remote attackers to perform unauthorized privileged actions, resulting in high integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests to restricted functionality without any credential validation. No public exploit code or active CISA KEV listing has been identified at time of analysis, though the CVSS high-complexity rating suggests exploitation requires meeting specific conditions beyond a simple direct request.
Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.
Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in the Arraytics WP Event Solution WordPress plugin through version 4.1.12 allows remote unauthenticated attackers to access protected functionality or data without authorization. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, exposing sensitive event-management capabilities or data to anyone who can reach the WordPress site. No public exploit identified at time of analysis, and the issue is not currently listed in the CISA KEV catalog.
Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.
Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.
Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the `wp_ajax_nopriv_remove_abandoned` hook without capability checks or nonce validation, exposing WordPress's `wp_delete_post()` with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.
Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.
Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers to override path-bound URL parameters via query string or request body values, defeating ownership and multi-tenancy checks. The flaw stems from incorrect Map.merge/2 precedence in GRPC.Server.Transcode.map_request/5, where attacker-controlled query/body values silently overwrite the router-extracted path bindings used by handlers for authorization. No public exploit identified at time of analysis, but upstream patch and detailed regression tests are publicly available.
Authentication bypass in @nestjs/platform-fastify versions 11.1.23 and earlier allows remote attackers to skip route-scoped middleware (including authentication and authorization checks) by simply appending a trailing slash to the request URL. The flaw affects default Fastify adapter configurations with standard CRUD routes registered via MiddlewareConsumer.forRoutes(), and no public exploit identified at time of analysis despite the trivially low exploitation effort.
Unauthenticated Insecure Direct Object References in the VikRentCar WordPress plugin versions 1.4.5 and earlier allow remote attackers to access sensitive resources belonging to other users by manipulating predictable object identifiers. The flaw was disclosed via Patchstack and affects WordPress sites running the e4jvikwp VikRentCar booking plugin, with no public exploit identified at time of analysis but a high CVSS confidentiality impact reflecting potential exposure of booking, customer, or reservation data.
Unauthenticated broken access control in the Welcart e-Commerce WordPress plugin (versions up to and including 2.11.28) permits remote attackers without any credentials to bypass authorization checks and perform restricted actions. Rooted in CWE-862 (Missing Authorization), the flaw exposes low-severity but tangible integrity and availability impacts against any WordPress installation running the affected plugin. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated broken access control in the Knit Pay WordPress plugin versions 9.4.0.0 and earlier allows remote attackers to modify integrity-sensitive data without any authentication or user interaction. The flaw is rooted in missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit identified at time of analysis, the network-reachable nature and zero prerequisites make it attractive for opportunistic abuse against WordPress sites running this payment plugin.
Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.
Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated sensitive data exposure in the EmbedPress WordPress plugin (versions 4.5.2 and earlier) allows remote attackers to retrieve confidential information from affected sites without any credentials or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any vulnerable installation, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and is classified under CWE-639, suggesting authorization checks are bypassed via predictable or user-controlled object references.
Unauthorized data access in the WordPress Simple Shopping Cart plugin (versions <= 5.2.9) allows remote unauthenticated attackers to retrieve sensitive information belonging to other users through an Insecure Direct Object Reference (IDOR) flaw. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation is network-reachable with low complexity and no authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
Unauthenticated bypass in the Stripe Payments WordPress plugin (versions up to and including 2.0.98) allows remote, unauthenticated attackers to circumvent authentication controls, resulting in limited confidentiality and integrity impact against affected WordPress installations. Reported by Patchstack (ENISA EUVD-2026-36838), the flaw is classified under CWE-440 (Expected Behavior Violation), indicating the plugin's actual enforcement diverges from its intended or documented security model. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Unauthenticated information disclosure in the Salon Booking System WordPress plugin (versions up to and including 10.30.25) allows remote attackers to bypass authorization checks and access sensitive data without credentials. The flaw, tracked by Patchstack and tagged as an authentication bypass, is network-reachable with low complexity and no user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.
Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP) allows remote attackers to circumvent access controls without any credentials, affecting the integrity and availability of ticketing functionality. Classified under CWE-290 (Authentication Bypass by Spoofing), the CVSS vector confirms PR:N and AV:N - meaning any network-accessible attacker can attempt exploitation with low complexity and no user interaction required. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed active exploitation.
Broken Access Control in the Advanced Form Integration WordPress plugin (versions ≤ 1.126.12) allows authenticated subscriber-level users to perform privileged actions that should be restricted to administrators, due to missing authorization checks (CWE-862). The flaw carries a CVSS 3.1 score of 6.5 with high integrity impact (I:H), meaning a low-privilege attacker can substantially alter plugin or form integration configurations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and broad applicability to any multi-user or open-registration WordPress site make this a meaningful operational risk.
Payment bypass in Best Payments Plugin for WP (versions ≤ 4.6.19) allows unauthenticated remote attackers to circumvent payment verification by manipulating HTTP parameters the plugin incorrectly treats as immutable, enabling completion of purchases without actual payment. Rooted in CWE-472 (External Control of Assumed-Immutable Web Parameter), the flaw directly threatens the financial integrity of any WordPress e-commerce site relying on this plugin for order processing. No public exploit is identified and CVSS AC:H indicates exploitation requires deliberate parameter manipulation during an active payment flow, limiting mass-exploitation risk despite the unauthenticated attack vector.
Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privileged roles, yielding partial confidentiality, integrity, and availability impact. Reported by Patchstack and tracked under ENISA EUVD-2026-36819, the flaw stems from missing authorization checks (CWE-862) within plugin functionality accessible to the lowest default WordPress user role. No public exploit identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attackers to bypass authorization checks, enabling limited read and write access to plugin-managed listing data without any credentials. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is network-exploitable against any internet-exposed WordPress installation running the affected plugin with no authentication or user interaction required. No public exploit code or CISA KEV listing has been identified at time of analysis.
Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.
Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only subscriber-level privileges to bypass authorization checks and perform actions reserved for higher-privileged roles, yielding high integrity impact on affected installations. The root cause is missing authorization enforcement (CWE-862) on one or more plugin endpoints, meaning the plugin executes sensitive operations - such as manipulating loyalty points or reward data - without verifying the requesting user's actual capabilities. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the low complexity and no-user-interaction requirement make exploitation straightforward for any attacker holding a valid account.
Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.
Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows any authenticated subscriber to bypass object-level authorization and access or modify records belonging to other users. Because WordPress subscriber is the default role for self-registered users, this effectively exposes sensitive healthcare data - including patient records, appointments, and prescriptions - to any registered site user who can enumerate or guess object identifiers. No public exploit has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- auth
- Total CVEs
- 31268