Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31268)

EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged attacker reaching the T3 or IIOP listeners, with a scope change that lets the compromise propagate to other Fusion Middleware components. CVSS 3.1 is rated 9.9 due to high confidentiality, integrity, and availability impact across a changed scope, and no public exploit identified at time of analysis. The flaw resides in the Client Bundle component of this document-capture product and is fixed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privileged takeover of Oracle WebCenter Content (Content Server component) affects supported versions 12.2.1.4.0 and 14.1.2.0.0, enabling a high-privileged attacker with HTTP network access to fully compromise the instance and pivot to additional Fusion Middleware products via a scope change. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting low attack complexity and full CIA impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data modification in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a remote unauthenticated attacker to create, delete, or modify critical identity data via the REST WebServices component over HTTP. Oracle rates the issue as easily exploitable with a CVSS 3.1 base score of 7.5 (integrity-only impact), and no public exploit has been identified at time of analysis.

Authentication Bypass Oracle Identity Manager
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 (Fusion Middleware Core component) allows a low-privileged remote attacker to fully compromise the product via T3 or IIOP protocols, with scope change extending impact to other Fusion Middleware components. The CVSS 9.9 score reflects high confidentiality, integrity, and availability impact combined with low attack complexity. No public exploit identified at time of analysis, but Identity Manager's role as a central identity authority makes this a critical patching priority.

Oracle Identity Manager Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the Identity Manager instance via its REST WebServices component over HTTP. Oracle rates the flaw CVSS 8.8 with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity lifecycle and provisioning, successful exploitation has cascading impact across downstream applications it manages.

Oracle Identity Manager Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker with HTTP access to fully compromise the Identity Manager component of Oracle Fusion Middleware. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation results in takeover of the identity governance platform itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Identity Manager Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by a low-privileged attacker over HTTP, with a CVSS 3.1 score of 9.9 driven by a scope change that lets the impact spread beyond WebLogic itself. Oracle has issued the fix in the June 2026 Critical Patch Update (cspujun2026), and there is no public exploit identified at time of analysis. Authenticated but low-effort exploitation combined with full confidentiality, integrity and availability impact makes this a top-priority patching item for any Oracle middleware estate.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.

Authentication Bypass Denial Of Service Oracle +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cross-scope data compromise in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 allows a low-privileged remote attacker over HTTPS to read, create, modify, or delete critical data through the administration Console, provided a separate user is induced to perform an action. The CVSS 3.1 base score of 8.7 reflects high confidentiality and integrity impact with scope change reaching beyond WebLogic itself, and no public exploit identified at time of analysis.

Authentication Bypass Oracle Weblogic Server +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deno's Node.js compatibility TCP path (node:net.connect / node:http.request options form) fails to re-check network permissions against the resolved IP address, allowing numeric IPv4 aliases (e.g., decimal integer '2130706433' or hex '0x7f000001' for 127.0.0.1) to bypass --deny-net rules in Deno versions up to and including 2.7.14. Any code executing inside the Deno process - including supply-chain-compromised dependencies or attacker-controlled input - can reach explicitly denied destinations such as loopback services, private ranges, or cloud instance metadata endpoints by exploiting this pre-resolution-only permission check. No public exploit identified at time of analysis via CISA KEV, but publicly available exploit code exists (proof-of-concept published in GHSA-v8fw-85r8-5m23); fix is available in Deno 2.8.0.

Authentication Bypass Node.js
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Deno's `process.loadEnvFile()` Node.js compatibility API silently bypasses the runtime's capability-based `env` permission system, allowing environment variable injection into `process.env` without holding any `env` permission. Deno versions v2.3.0 through v2.8.0 are affected: a program (or any imported dependency) that calls `process.loadEnvFile()` while operating under `--deny-env` or a restricted `--allow-env=ALLOWLIST` can have its environment mutated by any party able to write or control a `.env` file covered by the program's `--allow-read` grant. No public exploit has been identified at time of analysis, and no CISA KEV listing was found in the provided data, but the advisory is fully public and the bypass mechanism is well-described.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Deno's fetch() API in versions through 2.8.0 fails to validate resolved IP addresses against --deny-net policy rules, enabling sandbox escape to network destinations explicitly blocked by operators. Scripts executing under a --deny-net restriction can craft or leverage attacker-controlled DNS entries that pass hostname-level checks but resolve to denied IPs such as localhost or internal RFC-1918 addresses, silently bypassing the network isolation boundary. No active exploitation is confirmed (not in CISA KEV), no public proof-of-concept code has been identified, and the vendor has released a confirmed patch in version 2.8.1.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Missing webhook request validation in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes allows unauthenticated remote attackers who know the webhook URL to submit forged payloads and cause arbitrary workflow execution with attacker-controlled data. All n8n npm versions below 2.25.7 and versions 2.26.0-2.26.1 are affected when either node is actively used in a workflow. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:C scoring reflects low-complexity, unauthenticated network exploitation with a scope change indicating potential downstream impact on systems integrated with triggered workflows.

Authentication Bypass Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.

Authentication Bypass Devolutions Server
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.

Authentication Bypass Isap Smart Collector
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Allowlist bypass in OpenClaw versions prior to 2026.5.12 allows authenticated operators to execute unapproved shell commands by routing requests through inline-command parser cases that skip the expected allowlist enforcement. The flaw, reported by VulnCheck and tracked under GHSA-f397-5vjw-v2c2, effectively neutralizes the operator-approval boundary in OpenClaw's shell command path. No public exploit identified at time of analysis, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact with a present attack requirement.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Environment variable sanitization weakness in OpenClaw prior to 2026.5.26 lets attackers smuggle Node.js control variables (such as NODE_OPTIONS) past the host environment sanitizer, enabling them to influence child-process behavior and coverage output paths. Affected attackers must have write access to workspace .env files, tool environment overrides, or skill environment blocks, and no public exploit is identified at time of analysis. The flaw was reported by VulnCheck and is tracked under CWE-184 (Incomplete List of Disallowed Inputs).

Authentication Bypass Node.js Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions before 2026.4.25 expose an authorization bypass via unvalidated user-controlled group IDs in the tool group policy resolver, enabling authenticated low-privilege network attackers to manipulate access-control decisions for tool invocations. The CVSS 4.0 vector assigns VI:H (High integrity impact on the vulnerable system), reflecting that successful exploitation can cause the policy engine to grant or deny tool permissions contrary to the intended configuration. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AT:P metric indicates a specific attack requirement limits opportunistic mass exploitation.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., `-abc` instead of `-a -b -c`), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Hostname blocklist bypass in OpenClaw before 2026.5.26 enables authenticated attackers to reach operator-restricted network destinations by supplying trailing-dot notation in model- or workspace-derived URLs. The comparison logic evaluating hostnames against blocklist policies does not normalize fully qualified domain name (FQDN) trailing dots before evaluation, while DNS resolvers treat `blocked.example.com.` and `blocked.example.com` as identical targets. With confidentiality impact rated High by CVSS 4.0 and no public exploit or KEV listing identified at time of analysis, risk is real but bounded to deployments with active blocklist policies and users who control URL parameters.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Authentication bypass in OpenClaw before 2026.5.3 allows remote attackers with low privileges to receive agent responses intended for other Zalo identities by manipulating their mutable display name to match allowFrom policy entries. The flaw stems from policy enforcement relying on mutable display metadata rather than immutable identifiers, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Allowlist bypass in OpenClaw before 2026.4.2 lets authenticated operators smuggle inline-eval content through shell positional parameters, defeating the strict allowlist that is meant to constrain which tools and content the shell carrier executes. Successful abuse yields execution of unapproved shell-provided content with high confidentiality and integrity impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

Allowlist bypass in OpenClaw before 2026.5.12 lets authenticated attackers invoke approved executables with arbitrary arguments on Linux and macOS, defeating the argPattern restrictions intended to constrain each binary's permitted invocations. The flaw enables disallowed file access, network access, or command execution under the privileges of the OpenClaw exec subsystem, with no public exploit identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.5.12 fails to enforce its own notification filter for Slack reaction events, allowing those events to bypass a disabled-notification setting and reach the agent processing pipeline (CWE-862: Missing Authorization). Any user with Slack workspace access can send reaction events to channels monitored by OpenClaw, triggering unintended agent execution with lower-trust input even when administrators have explicitly disabled reaction notifications. No public exploit code exists and no active exploitation has been confirmed at time of analysis; the CVSS 4.0 score of 6.3 reflects a moderate-severity, narrow-impact integrity issue.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

OpenClaw before version 2026.4.25 permits authenticated local callers to invoke the focus command without passing proper authorization checks, enabling control scope enforcement bypass (CWE-862: Missing Authorization). Any low-privileged local user can alter focus state outside their intended caller authority, with downstream impact varying by gateway configuration and input trust levels. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.5.26 exposes an exec allowlist bypass that lets authenticated operators with low privileges invoke unintended side effects through transparent command wrappers that circumvent allowlist validation at the wrapper layer. The root cause is CWE-184 (Incomplete List of Disallowed Inputs), where allowlist checks succeed at the surface request level but fail to constrain behavior triggered deeper in the wrapper execution path, yielding a limited but confirmed integrity impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the constrained scope: exploitation requires authenticated operator access plus a specific attack target precondition.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Session visibility check bypass in OpenClaw's shared memory search component allows authenticated low-privileged users to retrieve memory entries belonging to other sessions without proper authorization. All OpenClaw versions prior to 2026.4.29 are affected; the flaw (CWE-862, Missing Authorization) exists because the session visibility guard is not enforced on the shared memory search code path, yielding a high confidentiality impact against multi-session deployments. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.0 with VC:H signals meaningful data exposure risk for any environment where multiple users or sessions operate concurrently.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.26 allows an attacker with a previously paired device to re-establish WebSocket node-level authority after the session has been revoked, effectively defeating the revocation control. The flaw stems from a surviving pairing-scoped device session that can mint new node tokens without renewed approval, letting authenticated attackers retain unauthorized node-level access longer than intended. No public exploit identified at time of analysis, but the issue is acknowledged in a GitHub Security Advisory (GHSA-q99w-vh6v-q3v7) and a VulnCheck advisory.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.

Nginx Authentication Bypass Request Smuggling
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.

Python Authentication Bypass Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-tenant data access in Langflow versions prior to 1.9.0 allows any authenticated user to read, modify, rename, or permanently delete other users' messages, sessions, build artifacts, and LLM transaction logs via seven unprotected `/api/v1/monitor` endpoints. The flaw stems from missing ownership checks (IDOR/BOLA) where `flow_id` or resource UUIDs are accepted verbatim without verifying the requester owns them. No public exploit identified at time of analysis beyond the detailed PoC in the vendor advisory, and the issue is not listed in CISA KEV.

Python Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.

Authentication Bypass Perry
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated password change in Rockwell Automation 1794-AENTR Flex I/O EtherNet/IP adapter's embedded web server allows remote attackers to overwrite the web interface password via a crafted HTTP GET request to a specific endpoint, enabling full account takeover of the industrial device. The flaw, reported by Rockwell and tracked as CVE-2026-0647 with a CVSS 4.0 base score of 8.8, has no public exploit identified at time of analysis but is trivially exploitable given no authentication, no user interaction, and low attack complexity over the network.

Authentication Bypass Flex I O Ethernet Ip Adapters
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.

Authentication Bypass Forem
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.

Authentication Bypass Factorytalk Analytics Pavilionx
NVD
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authentication bypass in Rockwell Automation FactoryTalk Historian Site Edition allows remote attackers to obtain a valid authentication token by repeatedly hammering the login endpoint, exploiting a race condition (CWE-362) in the authentication flow. The flaw carries a CVSS 4.0 score of 9.2 with network attack vector and no privileges required, though successful exploitation depends on winning a timing window (AT:P). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Race Condition Authentication Bypass Factorytalk Historian Se
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Serial device servers in the Moxa NPort 6000 and CN2600 product lines expose a command port that accepts break signal commands without verifying the sender holds a valid associated data port session. Remote unauthenticated attackers with network access to the command port can disrupt active serial communication sessions, causing a denial of service for any device or system relying on that serial link. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Nport 6000 Series Cn2600 Series
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity of browser-rendered content without user interaction. The flaw carries a critical CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged as an Authentication Bypass class issue, though no public exploit identified at time of analysis. The vulnerability has been patched by Mozilla in Firefox 152 per MFSA2026-57/MFSA2026-60.

Authentication Bypass Mozilla Suse +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12, with no public exploit identified at time of analysis. Given the CVSS 9.1 rating and network-reachable attack vector, any user browsing a malicious page is potentially exposed.

Authentication Bypass Mozilla Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Authentication Bypass Mozilla Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.

Authentication Bypass Mozilla Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by injecting strings like 'AtlassianMobileApp' or 'JIRA' into the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources, effectively neutralizing the security control the plugin exists to provide. No public exploit identified at time of analysis, but the technique is trivial to reproduce from the public advisory text.

Atlassian Authentication Bypass Secure Login 2Fa For Jira +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the `ajax_pay_for_order()` function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.

Authentication Bypass WordPress Woocommerce Stripe Payment Gateway
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization controls in the Metro Magazine WordPress theme by Rara Themes (versions through 1.4.1) expose unauthenticated network attackers to restricted theme actions, yielding partial integrity and availability impact without any credential requirement. Rooted in CWE-862 (Missing Authorization), the flaw reflects a broken access control pattern common in WordPress themes that register AJAX or REST endpoints without validating the caller's privilege level. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS data was not provided in available intelligence.

Authentication Bypass Metro Magazine
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Envira Photo Gallery WordPress plugin (versions <= 1.12.5) allows unauthenticated remote attackers to bypass authorization checks and perform unauthorized operations affecting site integrity and availability. The flaw stems from missing authorization enforcement (CWE-862) on one or more plugin endpoints, exploitable without any credentials or user interaction across default WordPress deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector keeps real-world risk elevated for any site running the affected plugin.

Authentication Bypass Envira Photo Gallery
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Broken access control in SEO Plugin by Squirrly SEO version 12.4.16 and earlier allows unauthenticated remote attackers to perform unauthorized privileged actions, resulting in high integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests to restricted functionality without any credential validation. No public exploit code or active CISA KEV listing has been identified at time of analysis, though the CVSS high-complexity rating suggests exploitation requires meeting specific conditions beyond a simple direct request.

Authentication Bypass Seo Plugin By Squirrly Seo
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.

Authentication Bypass WordPress Woocommerce Pos
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Jupiterx Core
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Arraytics WP Event Solution WordPress plugin through version 4.1.12 allows remote unauthenticated attackers to access protected functionality or data without authorization. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, exposing sensitive event-management capabilities or data to anyone who can reach the WordPress site. No public exploit identified at time of analysis, and the issue is not currently listed in the CISA KEV catalog.

Authentication Bypass Wp Event Solution
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.

Authentication Bypass WordPress Rtmkit
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.

Authentication Bypass WordPress Static Block
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the `wp_ajax_nopriv_remove_abandoned` hook without capability checks or nonce validation, exposing WordPress's `wp_delete_post()` with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.

Authentication Bypass WordPress Abandoned Contact Form 7
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.

Authentication Bypass WordPress Video Conferencing With Zoom
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers to override path-bound URL parameters via query string or request body values, defeating ownership and multi-tenancy checks. The flaw stems from incorrect Map.merge/2 precedence in GRPC.Server.Transcode.map_request/5, where attacker-controlled query/body values silently overwrite the router-extracted path bindings used by handlers for authorization. No public exploit identified at time of analysis, but upstream patch and detailed regression tests are publicly available.

Authentication Bypass Grpc
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in @nestjs/platform-fastify versions 11.1.23 and earlier allows remote attackers to skip route-scoped middleware (including authentication and authorization checks) by simply appending a trailing slash to the request URL. The flaw affects default Fastify adapter configurations with standard CRUD routes registered via MiddlewareConsumer.forRoutes(), and no public exploit identified at time of analysis despite the trivially low exploitation effort.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated Insecure Direct Object References in the VikRentCar WordPress plugin versions 1.4.5 and earlier allow remote attackers to access sensitive resources belonging to other users by manipulating predictable object identifiers. The flaw was disclosed via Patchstack and affects WordPress sites running the e4jvikwp VikRentCar booking plugin, with no public exploit identified at time of analysis but a high CVSS confidentiality impact reflecting potential exposure of booking, customer, or reservation data.

Authentication Bypass Vikrentcar
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken access control in the Welcart e-Commerce WordPress plugin (versions up to and including 2.11.28) permits remote attackers without any credentials to bypass authorization checks and perform restricted actions. Rooted in CWE-862 (Missing Authorization), the flaw exposes low-severity but tangible integrity and availability impacts against any WordPress installation running the affected plugin. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Welcart E Commerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the Knit Pay WordPress plugin versions 9.4.0.0 and earlier allows remote attackers to modify integrity-sensitive data without any authentication or user interaction. The flaw is rooted in missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit identified at time of analysis, the network-reachable nature and zero prerequisites make it attractive for opportunistic abuse against WordPress sites running this payment plugin.

Authentication Bypass Knit Pay
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.

Authentication Bypass Js Help Desk
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.

Authentication Bypass WordPress Wpc Product Bundles For Woocommerce
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass Truebooker
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass WordPress Montonio For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated sensitive data exposure in the EmbedPress WordPress plugin (versions 4.5.2 and earlier) allows remote attackers to retrieve confidential information from affected sites without any credentials or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any vulnerable installation, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and is classified under CWE-639, suggesting authorization checks are bypassed via predictable or user-controlled object references.

Authentication Bypass Information Disclosure Embedpress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data access in the WordPress Simple Shopping Cart plugin (versions <= 5.2.9) allows remote unauthenticated attackers to retrieve sensitive information belonging to other users through an Insecure Direct Object Reference (IDOR) flaw. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation is network-reachable with low complexity and no authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Simple Shopping Cart
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

Authentication Bypass Contact Form By Wpforms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated bypass in the Stripe Payments WordPress plugin (versions up to and including 2.0.98) allows remote, unauthenticated attackers to circumvent authentication controls, resulting in limited confidentiality and integrity impact against affected WordPress installations. Reported by Patchstack (ENISA EUVD-2026-36838), the flaw is classified under CWE-440 (Expected Behavior Violation), indicating the plugin's actual enforcement diverges from its intended or documented security model. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Stripe Payments
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in the Salon Booking System WordPress plugin (versions up to and including 10.30.25) allows remote attackers to bypass authorization checks and access sensitive data without credentials. The flaw, tracked by Patchstack and tagged as an authentication bypass, is network-reachable with low complexity and no user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Salon Booking System
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.

Authentication Bypass WordPress Ai Product Search For Woocommerce 8211 Motive Commerce Search
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP) allows remote attackers to circumvent access controls without any credentials, affecting the integrity and availability of ticketing functionality. Classified under CWE-290 (Authentication Bypass by Spoofing), the CVSS vector confirms PR:N and AV:N - meaning any network-accessible attacker can attempt exploitation with low complexity and no user interaction required. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed active exploitation.

Authentication Bypass Event Tickets
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in the Advanced Form Integration WordPress plugin (versions ≤ 1.126.12) allows authenticated subscriber-level users to perform privileged actions that should be restricted to administrators, due to missing authorization checks (CWE-862). The flaw carries a CVSS 3.1 score of 6.5 with high integrity impact (I:H), meaning a low-privilege attacker can substantially alter plugin or form integration configurations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and broad applicability to any multi-user or open-registration WordPress site make this a meaningful operational risk.

Authentication Bypass Advanced Form Integration
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Payment bypass in Best Payments Plugin for WP (versions ≤ 4.6.19) allows unauthenticated remote attackers to circumvent payment verification by manipulating HTTP parameters the plugin incorrectly treats as immutable, enabling completion of purchases without actual payment. Rooted in CWE-472 (External Control of Assumed-Immutable Web Parameter), the flaw directly threatens the financial integrity of any WordPress e-commerce site relying on this plugin for order processing. No public exploit is identified and CVSS AC:H indicates exploitation requires deliberate parameter manipulation during an active payment flow, limiting mass-exploitation risk despite the unauthenticated attack vector.

Authentication Bypass Best Payments Plugin For Wp
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privileged roles, yielding partial confidentiality, integrity, and availability impact. Reported by Patchstack and tracked under ENISA EUVD-2026-36819, the flaw stems from missing authorization checks (CWE-862) within plugin functionality accessible to the lowest default WordPress user role. No public exploit identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Classified Listing
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attackers to bypass authorization checks, enabling limited read and write access to plugin-managed listing data without any credentials. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is network-exploitable against any internet-exposed WordPress installation running the affected plugin with no authentication or user interaction required. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Classified Listing
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.

Authentication Bypass Amelia
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only subscriber-level privileges to bypass authorization checks and perform actions reserved for higher-privileged roles, yielding high integrity impact on affected installations. The root cause is missing authorization enforcement (CWE-862) on one or more plugin endpoints, meaning the plugin executes sensitive operations - such as manipulating loyalty points or reward data - without verifying the requesting user's actual capabilities. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the low complexity and no-user-interaction requirement make exploitation straightforward for any attacker holding a valid account.

Authentication Bypass Mycred
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.

Authentication Bypass Groundhogg
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows any authenticated subscriber to bypass object-level authorization and access or modify records belonging to other users. Because WordPress subscriber is the default role for self-registered users, this effectively exposes sensitive healthcare data - including patient records, appointments, and prescriptions - to any registered site user who can enumerate or guess object identifiers. No public exploit has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass Kivicare
NVD
Prev Page 22 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31268

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy