Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31268)

EPSS 0% CVSS 7.1
HIGH This Week

Broken access control in the QuantumCloud ChatBot plugin for WordPress (versions <= 7.9.7) allows authenticated low-privileged users (Subscriber role) to invoke restricted plugin functionality without proper authorization checks, leading to integrity tampering and availability disruption. Reported by Patchstack and tracked as EUVD-2026-36991, with no public exploit identified at time of analysis.

Authentication Bypass Chatbot
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.

Authentication Bypass Wpadverts
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in the Arraytics WP Event Solution (Eventin) WordPress plugin through version 4.1.8 allows remote attackers to bypass access control checks and read data they should not be permitted to access. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36985; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Wp Event Solution
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Broken access control in the Royal MCP WordPress plugin (versions 1.4.2 and earlier) allows remote attackers to invoke protected functionality without proper authorization checks. The flaw, classified as CWE-862 (Missing Authorization), was reported by Patchstack and tracked as EUVD-2026-36984. No public exploit identified at time of analysis, and the CVSS 7.3 score reflects low-complexity network exploitation with partial impact across confidentiality, integrity, and availability.

Authentication Bypass Royal Mcp
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the SaaSProject Booking Package WordPress plugin versions 1.7.06 and earlier allows remote attackers to invoke privileged plugin functionality without authentication, resulting in unauthorized modification of booking data (CVSS 7.5, integrity-only impact). The flaw is a CWE-862 Missing Authorization issue disclosed via Patchstack and tracked in ENISA EUVD as EUVD-2026-36983, with no public exploit identified at time of analysis.

Authentication Bypass Booking Package
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Rtmedia For Wordpress Buddypress And Bbpress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in Tutor LMS WordPress plugin versions up to and including 3.9.7 permits unauthenticated remote attackers to bypass authorization checks and access or modify restricted LMS resources. The flaw, classified as CWE-862 (Missing Authorization), stems from the plugin failing to enforce appropriate permission checks before executing sensitive operations. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the unauthenticated attack vector and low complexity make this straightforward to exploit opportunistically.

Authentication Bypass Tutor Lms
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Redsys for WooCommerce Light WordPress plugin (versions up to and including 7.0.0) allows remote unauthenticated attackers to invoke privileged functionality without proper authorization checks, leading to integrity impact on payment gateway operations. The flaw stems from missing authorization (CWE-862) on plugin endpoints, and at time of analysis no public exploit was identified, though the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) makes it trivially reachable. The vulnerability was reported by Patchstack and tracked as EUVD-2026-36973.

Authentication Bypass WordPress Redsys For Woocommerce Light
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Broken access control in Ultra Addons for WPForms (WordPress plugin by Themefic) through version 1.0.11 allows authenticated subscriber-level users to perform privileged actions beyond their intended role. The vulnerability stems from missing authorization checks (CWE-862), enabling a low-privilege attacker with only a subscriber account to manipulate plugin functionality in ways restricted to higher-privilege roles such as administrators or editors. With a CVSS 3.1 score of 6.4 Medium and a scope-changed vector, the impact extends beyond the plugin itself to affect WordPress site integrity and availability. No public exploit code and no confirmed active exploitation have been identified at time of analysis.

Authentication Bypass Ultra Addons For Wpforms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the RepairBuddy WordPress plugin (versions ≤ 4.1132) allows subscriber-level authenticated users to access restricted functionality or sensitive data without adequate authorization checks. The CVSS vector (PR:L, C:H, I:N, A:N) confirms that low-privileged users - specifically WordPress subscribers, the lowest authenticated role - can achieve high confidentiality impact, likely by reading repair orders, customer PII, or administrative data reserved for shop managers and admins. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Repairbuddy
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Wp Directory Kit
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Availability-impacting broken access control in the AWP Classifieds (Another WordPress Classifieds Plugin) WordPress plugin through version 4.4.4 allows unauthenticated remote attackers to invoke privileged functionality due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) indicates the flaw exposes a sensitive action - most plausibly a destructive or resource-consuming operation - over the network with no credentials or user interaction. No public exploit identified at time of analysis.

Authentication Bypass Awp Classifieds
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Booking Activities WordPress plugin (versions up to and including 1.16.48.1) enables unauthenticated remote attackers to perform restricted booking-related operations without authorization. Rooted in CWE-862 (Missing Authorization), the flaw bypasses access controls at the network level with no privileges or user interaction required, resulting in low-severity integrity and availability impacts - likely allowing unauthorized creation, modification, or cancellation of bookings. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Activities
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Masteriyo - LMS WordPress plugin (versions up to and including 2.1.5) allows remote unauthenticated attackers to bypass payment workflows and tamper with protected resources without authorization. The Patchstack advisory characterizes this as a payment bypass issue rooted in a missing authorization check (CWE-862), and no public exploit identified at time of analysis. EPSS data was not provided and the CVE is not currently listed in CISA KEV.

Authentication Bypass Masteriyo Lms
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Insecure direct object reference in the EventPrime WordPress plugin (versions up to and including 4.3.0.0) allows authenticated users holding only the low-privilege Subscriber role to access or manipulate event records belonging to other users by tampering with object identifiers. The flaw was disclosed by Patchstack and carries CVSS 7.1 reflecting high confidentiality impact with limited integrity impact, but no public exploit identified at time of analysis and no CISA KEV listing. Because WordPress sites frequently allow open subscriber registration, the low PR:L barrier is practically trivial to clear on affected installations.

Authentication Bypass Eventprime
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Authentication Bypass Motors
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated information disclosure in the Easy Appointments WordPress plugin (versions ≤ 3.12.21) allows remote attackers to access protected appointment data without authentication due to missing authorization checks. Patchstack reports the issue as a broken access control flaw with high confidentiality impact (CVSS 7.5); no public exploit identified at time of analysis, and the plugin is not currently listed in CISA KEV.

Authentication Bypass Easy Appointments
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the Easy Digital Downloads WordPress plugin (versions <= 3.6.5) allows remote attackers to invoke privileged plugin functions without authentication, leading to unauthorized modification of plugin data. The flaw stems from a missing authorization check (CWE-862) and primarily impacts integrity of the affected WordPress sites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Easy Digital Downloads
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Event Tickets Manager for WooCommerce WordPress plugin (versions up to and including 1.5.3) allows remote unauthenticated attackers to perform restricted actions or modify data without proper authorization checks. The flaw stems from a missing authorization layer (CWE-862) on one or more plugin endpoints, making it reachable directly over HTTP by anyone who can talk to the WordPress site. No public exploit has been identified at time of analysis, but the vulnerability was reported by Patchstack and is tracked under EUVD-2026-36920.

Authentication Bypass WordPress Event Tickets Manager For Woocommerce
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Rank Math SEO WordPress plugin (versions ≤ 1.0.271) allows authenticated subscribers to invoke privileged functionality beyond their authorization level. The missing authorization check (CWE-862) permits low-privileged WordPress Subscriber-role users to manipulate SEO settings or execute actions normally gated to editors or administrators, with a confirmed High integrity impact per CVSS. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

Authentication Bypass Rank Math Seo
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attackers to modify protected resources due to missing authorization checks. The flaw, reported by Patchstack and tracked as EUVD-2026-36917, carries a CVSS 3.1 score of 7.5 reflecting high integrity impact with no confidentiality or availability effect. No public exploit identified at time of analysis, but the network-reachable, no-auth profile makes WordPress sites running this plugin a realistic target.

Authentication Bypass Simple Membership
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Authentication bypass in the MagePeople WpTravelly WordPress plugin through version 2.1.7 allows remote unauthenticated attackers to circumvent identity verification and tamper with integrity-protected data. The flaw, reported by Patchstack and tracked as EUVD-2026-36914, is a CWE-290 Authentication Bypass by Spoofing impacting tour booking workflows on any WordPress site running the affected plugin. No public exploit identified at time of analysis, but the network-reachable, no-interaction attack vector elevates urgency for site operators.

Authentication Bypass Wptravelly
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated Broken Access Control in the Essential Addons for Elementor WordPress plugin (all versions prior to 6.6.0) allows remote unauthenticated attackers to perform restricted actions without proper authorization. The root cause is a missing authorization check (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated network-accessible nature (PR:N, AV:N) lowers the barrier to abuse significantly.

Authentication Bypass Essential Addons For Elementor Elementor
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated availability-impacting broken access control affects the ThemeGrill User Registration WordPress plugin versions 5.1.2 and earlier, allowing remote attackers to invoke privileged actions without credentials. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N) reflects pure availability impact (A:H) with no confidentiality or integrity loss, and no public exploit identified at time of analysis. The flaw is classified as CWE-862 Missing Authorization and tracked by Patchstack and ENISA EUVD-2026-36911.

Authentication Bypass User Registration
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Bookify WordPress plugin (versions ≤ 1.1.1) allows authenticated subscriber-level users to access resources or functionality reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to retrieve sensitive data they should be denied. No public exploit or CISA KEV listing has been identified at time of analysis, though Patchstack has documented the vulnerability with a CVSS 6.5 score reflecting high confidentiality impact.

Authentication Bypass Bookify
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Broken Access Control in the bunny.net WordPress plugin (versions ≤ 2.3.6) enables subscriber-level authenticated users to invoke functionality restricted to higher-privileged roles, such as administrators. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated requestor holds sufficient privileges before executing sensitive operations. Reported by Patchstack, this is a medium-severity finding (CVSS 6.3); no public exploit code and no CISA KEV listing have been identified at time of analysis, though the low barrier of a standard subscriber account on any affected WordPress site makes it noteworthy for multi-tenant or membership-based deployments.

Authentication Bypass Bunny Net
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Information disclosure in the Projectopia WordPress plugin (versions <= 5.1.25.2) allows remote unauthenticated attackers to access custom role data belonging to other users via Insecure Direct Object Reference flaws. The CVSS 7.5 score reflects high confidentiality impact with no integrity or availability consequences, and no public exploit identified at time of analysis.

Authentication Bypass Projectopia
NVD VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

OliveTin's ValidateArgumentType RPC endpoint exposes action binding IDs and argument configurations to unauthenticated network requesters in all versions prior to 3000.13.0, functioning as an enumeration oracle. The bypass is particularly counterintuitive because it manifests specifically when AuthRequireGuestsToLogin is enabled - the hardened security posture - meaning operators who consciously locked down their instance are the ones exposed. The confidentiality impact is limited to internal action metadata (no credentials, no command execution), and no public exploit has been identified at time of analysis.

Authentication Bypass Oracle Olivetin
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

TLS SNI hostname validation in aiohttp is silently bypassed when a keep-alive connection is reused from the connection pool, allowing per-request `server_hostname` overrides to be ignored on subsequent requests to the same host. Applications relying on dynamic per-request SNI to enforce tenant isolation, proxy routing, or custom certificate validation are at risk of connecting under the wrong TLS identity without any error raised. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in aiohttp 3.14.1.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

CAPTCHA challenge controls in Discuz! X5.0 (releases 20260320-20260501) can be reliably defeated by unauthenticated remote attackers who harvest samples from exposed forum endpoints and train a custom optical character recognition model to predict challenge text. The underlying weakness - CWE-804 - stems from a limited, predictable character set and insufficient visual distortion in generated images, enabling automation of login, registration, and other abuse-protected flows. Critically, a publicly available exploit exists and KarmaInsecurity has documented chaining this bypass with a race condition to achieve full remote code execution, substantially elevating practical risk beyond the standalone CVSS 4.0 score of 6.9.

Authentication Bypass Discuz X5 0
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.

PHP Authentication Bypass Oracle +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in Symfony's Security component (symfony/security-http) lets unauthenticated attackers reach access_control-protected GET routes by abusing the DefaultAuthenticationFailureHandler. When a firewall uses form-login (or any authenticator on that handler) with failure_forward: true, an attacker-supplied _failure_path parameter is dispatched as a trusted internal SUB_REQUEST that skips the Firewall/AccessListener perimeter, exposing protected read endpoints such as data exports and internal APIs. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; CVSS 4.0 base is 8.7 (High) reflecting high confidentiality impact with no auth required, though it depends on the non-default failure_forward configuration.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in Mastodon's experimental Collections feature allows remote attackers to forge FeatureAuthorization objects and falsely list non-consenting accounts in remote Collections. The flaw stems from a missing cross-reference between the featured object's actor URI and the authorization's interactionTarget, letting an attacker assert consent on behalf of another account on the same domain. Patched in 4.6.0-beta.1; no public exploit identified at time of analysis and the issue only manifests when the EXPERIMENTAL_FEATURES env var explicitly enables 'collections'.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing Authorization in StylemixThemes MasterStudy LMS Pro (WordPress plugin) exposes restricted LMS functionality to unauthenticated remote attackers, enabling unauthorized modification of course content or platform data and limited disruption of availability. All versions before 4.7.16 are affected, with the flaw rooted in the plugin's failure to enforce access control checks on certain endpoints - effectively allowing callers to bypass intended privilege gates entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low-complexity, unauthenticated attack surface warrants prompt patching on any publicly reachable WordPress installation.

Authentication Bypass Masterstudy Lms Pro
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated subscriber - the lowest default WordPress user role - to perform privileged actions that should be restricted to administrators. The CVSS vector (PR:L/I:H) confirms that low-privilege authenticated users can achieve high-integrity impact, likely by manipulating SSL redirect rules or plugin security settings without authorization. No public exploit has been identified at time of analysis, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any user who can obtain a subscriber account on an affected installation.

Authentication Bypass Really Simple Ssl
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in WP Engine's Faust.js (faustwp) plugin through version 1.8.7 enables password recovery exploitation, allowing an attacker with low privileges to abuse an alternate authentication path and take over accounts. The flaw maps to CWE-288 and carries a CVSS 3.1 score of 8.8 (high) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the low attack complexity and network vector make this a high-priority concern for WordPress headless deployments.

Authentication Bypass Faust Js
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper access control in MIA Technology Inc. Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to bypass authorization checks and access resources or actions outside their permission level. The flaw was reported by TR-CERT and carries a CVSS 3.1 base score of 7.1, with high confidentiality impact but only low integrity impact and no availability impact; no public exploit identified at time of analysis.

Authentication Bypass Pizzy Library
NVD
EPSS 0% CVSS 8.7
HIGH POC Monitor

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Information Disclosure WordPress +2
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass +3
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Account takeover in team-alembic AshAuthentication (0.1.0 to <4.14.0 and 5.0.0-rc.0 to <5.0.0-rc.10) lets an unauthenticated attacker hijack any local user account by completing an OAuth2 or OIDC sign-in with the victim's email address. The library matched federated logins to local users by email rather than by the OpenID Connect iss/sub pair, so any accepted provider that allows an attacker to register or reuse the victim's email - including providers that return email_verified: false - resolves to the victim's existing account. No public exploit identified at time of analysis, but the underlying technique (OIDC email-claim takeover) is well-documented and trivially reproducible.

Authentication Bypass Ash Authentication Alembic
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

IP restriction bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker holding valid branch user credentials to authenticate from any unauthorized network location by spoofing the expected branch IP address via a manipulated X-Forwarded-For HTTP header. The system - designed to control physical vault room and safe deposit locker access - enforces branch-location login restrictions based entirely on this attacker-controllable header when it is present, nullifying a key network-based access control boundary. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is constrained to actors with valid branch credentials.

Authentication Bypass Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authenticated users to reach hidden web endpoints and perform restricted operations including branch switching, arbitrary file upload/download, and viewing details of arbitrary branches. The flaw stems from missing access control on endpoints that exist server-side but are not surfaced in the UI, breaking the product's tenancy/segregation between branches. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.6 (high).

Authentication Bypass Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-branch authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an authenticated low-privileged branch user to tamper with WebSocket messages handled by the SafeController WebMessageBroker and act on safe-deposit boxes belonging to other branches. The flaw stems from missing tenant/branch enforcement on supplied controller identifiers, enabling activation of vault boxes outside the user's authorized scope. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 allows any network attacker to invoke order-state mutation functions - including OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral - without any credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: attackers can fraudulently mark unpaid orders as successful, prematurely close active orders, or artificially award loyalty points. A public proof-of-concept exploit is available on GitHub, no vendor patch has been released, and the vendor did not respond to responsible disclosure - making this an immediately actionable risk for any internet-exposed ShopXO deployment.

Authentication Bypass PHP Shopxo
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

Microsoft Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

RCE N A Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

{key} endpoint in bl-plugins/api/plugin.php. Publicly available exploit code exists as a gist, though EPSS rates exploitation probability at only 0.21% (11th percentile).

Authentication Bypass PHP RCE +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.

N A Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.

N A Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized information disclosure in Sismics Docs (Teedy) v1.11 allows remote attackers to bypass access controls on share-based read endpoints and retrieve sensitive document data via crafted requests. The flaw stems from broken access control logic (CWE-284) on endpoints intended for shared documents, enabling unauthenticated retrieval of resources that should be restricted. There is no public exploit identified at time of analysis, EPSS is low (0.15%), and the vulnerability is not listed in CISA KEV.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Server-Side Request Forgery in Project Firefly III v6.5.9 allows remote attackers to scan internal network resources by abusing improper access controls in the webhook management component via crafted POST requests. SSVC indicates a proof-of-concept exists and exploitation is automatable with total technical impact, though EPSS remains low (0.15%) and no public exploit identified at time of analysis beyond a referenced gist. The flaw is unauthenticated per the CVSS vector (PR:N) and provides a pivot point into otherwise unreachable internal services.

Authentication Bypass N A
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

N A Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

Nginx N A Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote unauthenticated authentication bypass in Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux allows any HTTP client to obtain administrator-level access by POSTing arbitrary credentials to /php/ajax-login.php, which unconditionally returns userid=1. Downstream privileged endpoints under /php/ajax-main.php and /modules/* fail to validate a server-side session, exposing full control over fuel dispensers, tank gauges, pricing, POS, bank terminals, and relays. No public exploit identified at time of analysis, but a public reference to a proof-of-concept repository (ciprobe/bukts_auth_bypass) suggests trivially reproducible exploitation against ICS/OT infrastructure.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled `id` parameter. The endpoint `/wp-json/meow-gallery/v1/save_shortcode` performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.

Authentication Bypass WordPress Meow Gallery
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Incorrect authorization in the Pagelayer WordPress plugin (versions up to and including 2.0.9) allows authenticated attackers with Contributor-level access to inject arbitrary contact-form mail templates into post metadata via the pagelayer_save_content AJAX handler, which are subsequently consumed without privilege enforcement by the unauthenticated pagelayer_contact_submit endpoint through user-controlled post and form identifiers. The practical impact is attacker-defined control over outbound email templates dispatched from the affected site, exploitable by any registered Contributor without admin interaction. No public exploit has been identified at time of analysis, but the Wordfence advisory notes this vulnerability may be chained with CVE-2026-2442 to further amplify attacker control over outbound email behavior.

Authentication Bypass WordPress Page Builder
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Authentication Bypass XSS Allegra
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Capgo before 12.128.2 allows remote unauthenticated attackers to lock legitimate users out of the platform for 30 days by registering accounts with arbitrary unverified email addresses and immediately initiating account deletion, placing the targeted email in a pending-deletion lock state. The CVSS 4.0 score of 8.7 (High) reflects high availability impact achievable over the network without privileges or interaction; no public exploit identified at time of analysis, though the attack is trivially reproducible from the description.

Authentication Bypass Denial Of Service Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Orphaned profile image retention in Capgo before 12.128.2 exposes previously uploaded user images indefinitely after replacement or deletion, because the backend storage object is never purged when the application record is updated. Attackers who possess a prior image URL - obtained via browser history, referrer logs, network interception, or prior caching - can retrieve user-uploaded content even after the user intended to remove it, violating data erasure expectations. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector (PR:L) indicates prior authenticated access or URL knowledge is a prerequisite, limiting opportunistic mass exploitation.

Authentication Bypass Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

State mutation in OpenClaw's node pairing reconnection logic allows a low-privilege paired node to escalate its effective authority by confusing the approval scope engine, potentially bypassing access restrictions within the system. Affected versions are all OpenClaw releases before 2026.5.27, as identified by CPE cpe:2.3:a:openclaw:openclaw. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity impact is rated High given an attacker can restore or inflate node authority beyond what was originally sanctioned.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Configuration enforcement bypass in OpenClaw's Feishu dynamic-agent binding subsystem permits authenticated senders to create or update sender-agent bindings while circumventing configured config-write access controls. All OpenClaw versions prior to 2026.5.6 are affected; an attacker holding valid sender credentials can modify binding state beyond intended policy, potentially redirecting or hijacking agent associations belonging to other users. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrow impact scope and prerequisite deployment conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in OpenClaw's QQBot component before version 2026.4.27 allows authenticated senders to invoke slash commands before allowFrom policy checks execute, effectively skipping operator-configured access controls. The flaw stems from pre-dispatch command handling that runs prior to policy enforcement, enabling blocked senders to trigger command handlers depending on deployment configuration. No public exploit identified at time of analysis, and CVSS 4.0 scoring of 8.2 reflects high integrity impact with an attack requirement (AT:P) suggesting non-trivial conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authorization bypass in OpenClaw versions prior to 2026.4.29 allows authenticated QQBot senders to modify streaming configuration without satisfying the intended allowFrom allowlist policy, when those entries lack non-wildcard restrictions. The flaw stems from missing identity verification on the QQBot streaming command path (CWE-290) and was reported by VulnCheck; no public exploit identified at time of analysis.

Authentication Bypass Qqbot
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Identity header forgery in OpenClaw before 2026.5.18 allows local same-host callers with access to the proxy-facing Gateway port to spoof trusted-proxy identity headers and assume operator identity. The flaw stems from missing validation of headers normally set by an upstream trusted proxy, enabling privilege escalation when the Gateway port is reachable locally. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Webhook secret revocation bypass in OpenClaw before 2026.4.22 allows callers possessing previously-issued Slack and Zalo webhook secrets to continue submitting accepted events after an operator invokes the secrets.reload function. The stale-secret acceptance window undermines the integrity guarantees of secret rotation, enabling unauthorized webhook payload injection into what operators believe is a secured endpoint. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the integrity impact is rated high per the CVSS 4.0 vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Command approval bypass in OpenClaw versions prior to 2026.5.18 allows authenticated users to smuggle malicious instructions past human approvers by exploiting how the approval UI truncates oversized exec commands. The flaw (CWE-451, UI misrepresentation) lets an attacker craft a request with a benign-looking prefix while a malicious suffix is hidden from the reviewer's display, resulting in unauthorized execution once the request is approved. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.6 allows authenticated senders to invoke owner-only native commands without satisfying the configured owner-command policy. Any user with valid credentials can therefore execute privileged operations reserved for the resource owner, undermining the access control model. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-p73f-w79w-jqr5) and a VulnCheck advisory document the flaw.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.

Microsoft Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.3 allows attackers with access to a Slack account to spoof identity by changing their mutable Slack display name to match an allowFrom policy entry, gaining agent access intended for another user. The root cause is authentication binding to a mutable identifier (CWE-290) rather than a stable Slack user ID. No public exploit identified at time of analysis, though an upstream advisory (GHSA-c29c-2q9c-pc86) and VulnCheck writeup describe the flaw in detail.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.18 allows WebSocket-connected Control UI clients to claim operator.admin scope without server-side validation against pairing or trusted-proxy authorization state. Attackers with low-privileged WebSocket access can invoke admin-gated Gateway RPCs, and no public exploit identified at time of analysis despite CVSS 4.0 score of 8.7.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw's bundled MCP loopback session-spawn path fails to enforce its exec denylist, allowing authenticated low-privilege callers to execute commands that should be restricted. Affected versions are all OpenClaw releases prior to 2026.5.12. An attacker with local, authenticated access can spawn MCP sessions through the loopback path to gain command reach exceeding their authorized scope, resulting in high integrity impact on the vulnerable system. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows public share recipients to bypass owner-defined deny rules and read or list files explicitly blocked beneath a shared directory. The flaw stems from the public share handler rebasing the filesystem root but evaluating access rules against the rebased relative path rather than the owner's original scope. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA advisory and EPSS sits at 0.04% (13th percentile).

Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sharing group authorization bypass in MISP's object add/edit workflow allows an authenticated user with object-editing permissions to assign objects and their contained attributes to sharing groups they are not authorized to access or view. The flaw stems from a structural data merging step in ObjectsController.php that silently relocates field keys, causing the sharing group validation check to evaluate a stale, already-removed data path and thus never fire. An attacker exploiting this can probe the existence and names of non-visible sharing groups and improperly alter the distribution metadata of objects and embedded attributes. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass Misp
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre-populate their server record with nonexistent DDNS profile IDs, then hijack any future victim-owned DDNS profile whose auto-assigned ID collides with a pre-stored value. Affected versions span 2.0.14 through pre-2.1.0 of the self-hosted nezhahq/nezha platform. When the collision occurs, the DDNS worker dispatches DNS updates on behalf of the attacker's server using the victim's DDNS provider credentials and configuration, achieving cross-tenant DNS manipulation and disrupting the victim's legitimate DDNS service. No public exploit identified at time of analysis; vendor-released patch available in version 2.1.0.

Authentication Bypass Nezha
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allows any authenticated user to exploit the NAT-based Host claiming mechanism to preempt all dashboard routing, resulting in complete availability loss for the monitoring platform. The vulnerability stems from CWE-284 (Improper Access Control) - the application fails to properly restrict which authenticated principals may register or override a dashboard Host identity via NAT traversal. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Nezha
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-user share-link deletion in File Browser (filebrowser/filebrowser v2 ≤ 2.63.5) lets a low-privileged authenticated user with create+delete permissions in their own isolated scope irrevocably wipe share-link records owned by any other account, including the administrator. Deleting a file whose logical path is a byte-prefix of another user's stored share.Link.Path triggers an unbounded prefix match that bypasses the per-user ownership check enforced everywhere else. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 5th percentile), but a vendor patch (v2.63.6) is available.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object.prototype via the $pullAll patch operator, ultimately bypassing authorization on all piece-type REST API endpoints for unauthenticated requests until the Node.js process restarts. The flaw stems from apos.util.set() failing to sanitize __proto__ in dot-notation paths, and no public exploit identified at time of analysis but the advisory describes a confirmed exploitation gadget in publicApiCheck(). No vendor-released patch identified at time of analysis, making this an open-window risk for any internet-exposed editor account.

Prototype Pollution Authentication Bypass Node.js +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Unauthorized sharing group assignment in MISP's non-REST event edit path allows any authenticated event editor to assign an event to a restricted sharing group they are not a member of by tampering with submitted form data. The REST API path enforced sharing group authorization via Event::_edit(), but the web form save path wrote sharing_group_id directly from POST data without equivalent validation - a classic split-path authorization gap (CWE-863). Successful exploitation leaks the restricted sharing group's name in event listings and corrupts the event's distribution metadata. No public exploit has been identified at time of analysis, and the fix is available as commit 609ff6c from the MISP maintainers (CIRCL).

Authentication Bypass Misp
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both information disclosure and unauthorized write actions: calendar event API payloads expose the associated chat channel's last message - potentially a private DM - to unauthenticated users, while separate flaws allow read-only users to create chat threads, authors to restore their own deleted messages after losing channel access, and moderators reviewing flagged messages to inadvertently view unrelated DM content. Vendor-released patches exist for all supported branches; no public exploit identified at time of analysis and EPSS is 0.04% (11th percentile), but the unauthenticated DM disclosure warrants prompt patching on public-facing instances.

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of content into staff-only whisper threads visible to moderators and staff. Affected release trains span 2026.1.0-latest through pre-2026.1.4, 2026.3.0-latest through pre-2026.3.1, and 2026.4.0-latest through pre-2026.4.1, with all fixes confirmed by the vendor in the GitHub Security Advisory. An attacker holding only a standard forum account can exploit the reply mechanism to post messages that surface inside privileged staff whisper channels, potentially poisoning internal moderation communications or probing staff responses for sensitive operational detail. No public exploit is identified at time of analysis, and EPSS places exploitation probability at the 9th percentile.

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Mass assignment flaws in MISP (Malware Information Sharing Platform) let authenticated users overwrite server-controlled fields such as id, org_id, orgc_id, and user_id when submitting requests to several edit endpoints, enabling ownership transfer, hijacking of arbitrary collection/delegation/proposal records, and unauthorized access to threat-intelligence objects belonging to other organizations. No public exploit identified at time of analysis, and the issue is not in CISA KEV; the underlying CWE-639 weakness is addressed by upstream commit 9341690.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Mass assignment in MISP's sharing group creation endpoint allows authenticated users with add-sharing-group permission to hijack arbitrary existing sharing groups by submitting the target group's primary key in the add() request. The CakePHP create()+save() pattern treats a supplied id as an update, bypassing the normal edit ACL on app/Controller/SharingGroupsController.php and exposing confidentiality and integrity of shared threat intelligence. No public exploit identified at time of analysis, though a fix commit is publicly visible on GitHub.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in MISP (Malware Information Sharing Platform) allows an authenticated organization administrator to target site administrator accounts within their own organization via the administrative email functionality, enabling privileged actions such as triggering a password-reset workflow against a higher-privileged user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Successful exploitation results in full takeover of the targeted site admin account and complete compromise of the MISP instance.

Privilege Escalation Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incorrect authorization in MISP's event template builder exposes organisation-private galaxy definitions to any authenticated user due to a PHP operator-precedence bug that silently voids the intended access-control filter. In multi-tenant MISP deployments, authenticated non-site-admin users can enumerate all enabled galaxies - including organisation-only custom galaxies belonging to other organisations - through the template builder galaxy list. No active exploitation is confirmed (not listed in CISA KEV), but the low exploitation barrier (any valid account, no special privileges) makes this a meaningful metadata-disclosure risk wherever multiple organisations share a MISP instance.

Authentication Bypass PHP Misp
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Improper authorization in MISP permits an authenticated organization administrator to read or overwrite user settings and login profile data belonging to site administrator accounts that share the same organization. The ACL checks in UserLoginProfilesController, UserSettingsController, and the UserSetting model correctly scoped operations by org_id membership but failed to exclude users holding site-admin roles, allowing a lower-privileged admin to cross the intended privilege boundary. No public exploit has been identified at time of analysis; a patch is available via a CIRCL-reported upstream commit.

Authentication Bypass Misp
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Missing authentication in @agenticmail/mcp prior to 0.9.27 allows unauthenticated remote clients to invoke master-key-only MCP tools when the server is started with --http or MCP_HTTP=1. The /mcp Streamable HTTP endpoint accepts session initialization and tool calls without any Authorization check, and the server forwards calls using its configured AGENTICMAIL_MASTER_KEY, enabling administrative actions such as setup_email_relay, delete_agent, and send_test_email. Publicly available exploit code exists in the GHSA advisory (one-command PoC), though EPSS remains low at 0.06% (19th percentile) and the issue is not on CISA KEV.

Authentication Bypass Agenticmail
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to the `POST /openid/config` endpoint in Actual Budget sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration-including the OAuth2 `client_secret`-to any caller who can supply the bootstrap password. Because the endpoint enforces no rate limiting, the bootstrap password itself is brute-forceable, compounding the exposure. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation probability; however, internet-exposed instances with OIDC configured are at meaningful risk of credential harvesting.

Authentication Bypass Actual
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated relation membership disclosure in Parse Server allows any client holding only standard public API credentials to read objects linked through a Relation field that is explicitly hidden by protectedFields, or linked to a parent object that is inaccessible under its ACL or class-level permissions. By supplying only a known or guessed owning object's objectId, a remote unauthenticated caller can enumerate all objects in a protected relation or use the $relatedTo operator as a membership oracle - confirming whether a specific child object is privately linked to a given parent. This directly undermines applications that use Parse Server's access control primitives to protect sensitive relationships such as private group memberships, block lists, or account-to-resource associations. No public exploit identified at time of analysis; vendor-released patches exist at versions 8.6.80 and 9.9.1-alpha.6.

Authentication Bypass Node.js Oracle +1
NVD GitHub VulDB
Prev Page 23 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31268

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy