Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31268)

EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Parse Server's operator-configured route firewall (`routeAllowList`) is bypassed in versions 9.8.0 through 9.9.1-alpha.3 when external clients POST to the `/batch` endpoint with sub-requests targeting routes the operator intended to block. The Express middleware enforcing the allow-list runs only against the outer HTTP request URL; the `/batch` handler dispatches each embedded sub-request to the internal router without re-running that check. Inner authorization controls - Parse authentication, ACL, and CLP - remain in effect, bounding actual data exposure to whatever those controls permit, but the route-level security boundary is defeated entirely. No public exploit has been identified and EPSS is 0.08%, though operators relying on `routeAllowList` as a primary access-control layer are directly and materially affected.

Authentication Bypass Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Improper authorization in Camaleon CMS 2.9.2 allows any low-privileged authenticated user to overwrite draft content belonging to other users by supplying an arbitrary post_id to the administrator draft autosave endpoint. The application authenticates the requesting user but performs no ownership check, meaning a contributor or editor can silently corrupt unpublished drafts they do not own. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass Camaleon Cms
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Fleet enumeration in the Naxclow smart home platform (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows unauthenticated remote callers to precisely map active device populations by exploiting a registration endpoint that allocates sequential device identifiers without validating caller ownership of the supplied account identifier. Each API call returns a high-water batch counter that directly reveals fleet size, making reconnaissance deterministic and low-noise rather than a side-channel inference. No public exploit code has been identified at time of analysis, but the zero-privilege, network-accessible attack surface and ICS-CERT reporting context (ICSA-26-162-02) indicate meaningful real-world exposure for residential and small-business physical security deployments.

Authentication Bypass Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH Act Now

Device takeover in Naxclow's IoT platform (Smart Doorbell X3, X Smart Home, V720, and iX Cam) allows any authenticated attacker to silently reassign victim devices to their own account by replaying the onboarding confirm-then-bind sequence. The affected endpoints validate request signatures but never verify legitimate ownership, enabling remote hijacking without user interaction or device-side awareness. No public exploit identified at time of analysis, but the issue is reported via CISA ICS-CERT advisory ICSA-26-162-02.

Authentication Bypass Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authenticated team member to bypass explicit permission controls via the Jetstream web team page. The team page controller gates access only with a coarse `belongsToTeam()` check and then serializes all invitation and member records into Inertia props embedded in the HTML response body, circumventing the `invitations:view` and `members:view` permissions that protect the same data on the API. This is no public exploit identified at time of analysis, with an EPSS of 0.02% reflecting low exploitation probability, though the bypass requires no skill beyond loading the team page as a valid member.

Authentication Bypass Solidtime
NVD GitHub
EPSS 0% CVSS 8.7
HIGH Act Now

Unauthorized credential disclosure in the Naxclow IoT platform API (affecting Smart Doorbell X3, X Smart Home, V720, and Ix Cam) allows any actor who can produce a platform-valid request signature to retrieve the persistent relay-registration credentials of arbitrary devices. Reported via CISA ICS-CERT (ICSA-26-162-02), the flaw enables an attacker to impersonate a victim device on the relay and intercept or disrupt its traffic; no public exploit identified at time of analysis.

Authentication Bypass Smart Doorbell X3 X Smart Home +2
NVD GitHub VulDB
EPSS 0% 4.9 CVSS 9.5
CRITICAL POC KEV PATCH THREAT Act Now

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attackers to forge OIDC identity tokens and obtain fully authenticated technician sessions, because the server accepts ID tokens without verifying their cryptographic signature. Publicly available exploit code exists and the flaw can also bypass MFA in some configurations, making vulnerable remote-support deployments a high-priority target despite no current CISA KEV listing.

Jwt Attack Authentication Bypass Simplehelp
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Capgo Console versions prior to 12.28.2 allows an authenticated attacker to lock legitimate users out of authentication and onboarding flows by triggering account deletion while a device identifier is bound to the active session. The platform incorrectly persists the deletion state against the device identifier rather than the account, causing the affected browser or device to be redirected to an account-disabled page for roughly 30 days. No public exploit identified at time of analysis, but a vendor patch and GHSA advisory (GHSA-qmrm-qgwr-55jf) have been published following disclosure by VulnCheck.

Authentication Bypass Console Capgo App
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Mattermost server (11.6.x, 11.5.x, and 10.11.x branches) allows a low-privileged user holding group-link permissions to promote themselves or other group members to team or channel administrator by setting the scheme_admin flag through group syncable link and patch API endpoints. The flaw stems from missing role-management authorization checks, and with a CVSS of 8.8 (network, low complexity, low privileges) it enables tenant-wide takeover of collaboration workspaces; no public exploit identified at time of analysis.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Mattermost's team creation API endpoint (POST /api/v4/teams) fails to enforce the PermissionInviteUser authorization check, allowing authenticated users holding only PermissionCreateTeam to configure invite-controlled team settings - including making a team publicly joinable via open invite and restricting membership by allowed domains - that they are explicitly prohibited from setting on existing teams. Affected versions span the 10.11.x, 11.5.x, and 11.6.x release trains up to their respective latest builds. No public exploit identified at time of analysis, and the flaw has not been listed in CISA KEV.

Authentication Bypass Mattermost
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in Mattermost collaboration platform allows authenticated users holding delegated user-management permissions to modify built-in system role permissions via the role patch API, bypassing a required system-level permission check. Affects Mattermost 10.11.x through 10.11.16, 11.5.x through 11.5.4, and 11.6.x through 11.6.1. No public exploit identified at time of analysis; EPSS is very low (0.03%) and the SSVC framework reports no observed exploitation.

Authentication Bypass Mattermost
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Account takeover in Cap-go (Capgo) versions prior to 12.128.2 allows an attacker holding a temporary authenticated session to change the account's registered email address without re-authentication (no password or MFA prompt), then trigger a password reset to attacker-controlled inbox and seize the account. The flaw, reported by VulnCheck and tracked as a missing-authentication weakness (CWE-306), has a vendor patch but no public exploit identified at time of analysis.

Authentication Bypass Cap Go
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authorization bypass in ChromaDB's Python implementation lets authenticated tenants reach data outside their authorization boundary by invoking the V1 collection-level REST endpoints, which forward None as both the tenant and database identifiers to the authorization layer. The flaw, disclosed by HiddenLayer, exposes high-impact reads and writes to cross-tenant collections in this Python vector database. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Python Authentication Bypass Chromadb
NVD VulDB
EPSS 0%
MEDIUM This Month

CRLF injection in SwiftNIO's outbound HTTP/1.1 start line handling enables HTTP request smuggling and HTTP response splitting in applications built on swift-nio 2.0.0 through 2.99.0. The validators NIOHTTPRequestHeadersValidator and NIOHTTPResponseHeadersValidator enforce header field name and value correctness but leave the request URI, HTTP method, and response reason phrase unvalidated, allowing CR/LF sequences to be injected by any attacker who controls those fields. Successful exploitation can smuggle arbitrary HTTP requests past intermediaries, bypass WAF rules, or poison shared web caches. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, exploitation in vulnerable proxy deployments is described as low-effort by the advisory authors.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Authorization bypass in jpillora/chisel through version 1.11.4 allows any authenticated client to tunnel TCP traffic to arbitrary host:port destinations reachable from the chisel server, completely defeating the --authfile ACL. The server enforces remote-address restrictions only during the initial config handshake but never re-validates the destination encoded in SSH channel ExtraData, so a client that authenticates with a permitted remote can immediately open channels to any address. Publicly available exploit code exists (full PoC published in the GHSA advisory), though EPSS is low at 0.02% and the issue is not in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Cross-tenant authorization bypass in ChromaDB's SimpleRBACAuthorizationProvider (versions 0.5.0 and later) allows authenticated users to perform actions against tenants, databases, and collections they do not own. The provider verifies that a user holds a given permission but never validates the scope of that permission against the target resource, enabling lateral movement across multi-tenant deployments. No public exploit identified at time of analysis, but the flaw was disclosed by HiddenLayer and affects any Chroma deployment relying on the built-in RBAC provider for tenant isolation.

Python Authentication Bypass Chromadb +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.

Authentication Bypass Cloud Oauth Authorization Endpoint
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated cryptographic oracle exposure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) lets remote attackers submit data for bidirectional AES encrypt/decrypt operations performed with the platform's signing key, with no authentication required. Because the same key that signs SSO tokens can be exercised as an oracle, an attacker can recover protected material and potentially forge or manipulate signed authentication tokens (tagged Authentication Bypass). Publicly available exploit code exists (SSVC exploitation=poc) and CISA's SSVC rates it automatable with total technical impact, though EPSS remains very low at 0.06%.

Authentication Bypass Aqara Iam Sso Gateway
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Missing authentication in the Aqara Board service (op-test.aqara.com) lets remote, unauthenticated attackers submit arbitrary MQTT command payloads that the exposed debug/test API relays to the platform's HiveMQ broker without any credential check. Publicly available proof-of-concept exploit code exists (SSVC: poc), and while EPSS is low (0.06%), runZero documents this as one link in a chain (CVE-2026-50082 through -50085) that together enables a fully unauthenticated remote takeover of affected devices. It is not listed in CISA KEV, so active exploitation in the wild is not confirmed.

Authentication Bypass Board Service
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken authorization in the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) allows any valid developer token to operate against arbitrary user accounts, breaking tenant isolation across the platform. Discovered and disclosed by runZero, the issue stems from missing authorization checks (CWE-862) and, when chained with CVE-2026-50082/50083/50085, enables fully unauthenticated remote takeover of affected smart-home devices. No public exploit identified at time of analysis, though a related researcher repository is referenced in the advisory.

Authentication Bypass Cloud Production Api
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) stems from a hardcoded OAuth client credential shipped in the identity backend, letting remote attackers impersonate a trusted OAuth client and subvert the single sign-on trust boundary. Discovered by runZero and tracked as EUVD-2026-36473, it carries a critical CVSS of 9.8 and a proof-of-concept is publicly available, though EPSS (0.03%) shows no evidence of widespread automated exploitation. On its own it compromises the SSO/authorization layer, but chained with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085 it enables a fully unauthenticated remote takeover of affected devices.

Authentication Bypass Aquara Iam Sso Gateway
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated developer token issuance in the Aqara Cloud Developer Portal (developer.aqara.com) allows any remote attacker to obtain a valid API token by supplying an arbitrary email address, with no ownership verification performed. This is the entry point of a documented four-CVE attack chain (CVE-2026-50082 through CVE-2026-50085) that, when exploited in sequence, enables full takeover of Aqara smart home devices belonging to the victim account. A public proof-of-concept exists on GitHub; no public exploit identified at time of analysis for active exploitation, but the zero-prerequisite nature of this flaw makes it trivially automatable.

Authentication Bypass Cloud Developer Portal
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-tenant data access in the ChromaDB Rust implementation (version 1.0.0 and later) lets any authenticated tenant user read, write, update, or delete data inside collections owned by other tenants because the server does not validate that the caller's tenant matches the target resource. The flaw, reported by HiddenLayer and tracked as CWE-639, breaks the tenant isolation boundary that multi-tenant ChromaDB deployments rely on, and no public exploit identified at time of analysis.

Authentication Bypass Chromadb
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-tenant data access in ChromaDB Python project version 0.4.17 and later allows any authenticated user to read, write, update, or delete data in collections belonging to other tenants, breaking the tenant isolation boundary that multi-tenant deployments rely on. The flaw, reported by HiddenLayer and tracked under CWE-639, carries a CVSS 4.0 score of 8.8 reflecting high confidentiality and integrity impact on both the vulnerable system and downstream tenants. No public exploit identified at time of analysis and not listed in CISA KEV.

Python Authentication Bypass Chromadb
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Missing authorization checks on multiple Frappe framework endpoints allow remote unauthenticated attackers to access and modify resources without permission. All Frappe installations on the 15.x branch prior to 15.107.0 and the 16.x branch prior to 16.17.0 are affected. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% reflects minimal current exploitation activity, though the attack requires no credentials or special preconditions.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper access control in Frappe Framework (all versions prior to 16.17.4) allows any authenticated user to retrieve private files by guessing their server-side file path, bypassing intended authorization restrictions. The flaw is classified under CWE-284 (Improper Access Control) and affects the file-serving layer of the framework, which underlies widely deployed applications such as ERPNext. No public exploit code has been identified at time of analysis, and exploitation probability is very low per EPSS (0.02%, 7th percentile), though the low attack complexity makes it straightforward for any credentialed user to attempt.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper access control in Frappe prior to 16.17.4 permits any authenticated user to modify any field in any Onboarding Step record, bypassing expected privilege restrictions. Affected deployments running versions below 16.17.4 expose their onboarding configuration data to unauthorized tampering by low-privileged users. EPSS is extremely low (0.02%, 5th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA KEV, suggesting no observed active exploitation at time of analysis.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Missing authorization in Frappe allows any authenticated low-privileged user to invoke the onboarding reset function and wipe onboarding state for all users system-wide, affecting all releases before 15.107.2 and 16.17.4. The CWE-862 root cause indicates the reset endpoint performs no role or privilege check before executing a privileged, system-wide operation. No public exploit code exists and EPSS sits at 0.02% (5th percentile), placing real-world exploitation risk at the lower end despite the disruptive potential of forcing every user through onboarding flows on next login.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in the Frappe full-stack web application framework exposes email configuration details of arbitrary users to any authenticated account. The flaw exists in versions prior to 15.107.0 (v15 branch) and 16.17.0 (v16 branch), allowing a low-privilege authenticated attacker to enumerate and read email settings belonging to other users by manipulating object references in requests. No public exploit has been identified and the issue is not listed in CISA KEV, though the low EPSS score (0.02%) and network-accessible vector warrant patching, particularly for multi-tenant Frappe deployments.

Authentication Bypass Frappe
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in Related Marketing Cloud (RMC) by Hedef Media Promotion Interactive Media Marketing Inc. exposes unauthenticated remote attackers to credential brute-forcing via a spoofing weakness (CWE-290), allowing them to circumvent authentication controls without prior access. All RMC versions through 12052026 are affected, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no privileges, no user interaction, and no special network positioning. No public exploit code or CISA KEV listing has been identified at time of analysis; the advisory originates from TR-CERT via the Turkish national cybersecurity authority.

Authentication Bypass Related Marketing Cloud Rmc
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthorized resource access in the Frappe web application framework exposes the submit_discussion() endpoint to unauthenticated network callers who can bypass access controls and write discussion data to resources they do not own. All Frappe deployments running versions prior to 15.107.0 (v15 branch) or 16.17.0 (v16 branch) are affected, with impact limited to low-severity integrity writes and no confidentiality or availability consequence. No public exploit code exists and EPSS probability is 0.03% (9th percentile), indicating low opportunistic exploitation pressure despite the unauthenticated network attack vector.

Authentication Bypass Frappe
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell Universal 2026.1.7 and earlier due to improper access control (CWE-306). Any network-reachable attacker without credentials can retrieve the full OpenAPI specification of internally defined REST APIs, exposing endpoint paths, parameters, and operational structure that administrators intended to be non-public. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, zero-authentication network vector makes enumeration trivially automatable.

Authentication Bypass Powershell Universal
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.

Google Authentication Bypass Apple +2
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH Act Now

Authorization bypass in Yarbo's cloud MQTT infrastructure allows any authenticated client to subscribe to wildcard topics covering the entire global robot fleet and to publish commands to any robot using only its serial number, which is itself disclosed in the telemetry stream. The flaw affects both the Yarbo Android/iOS mobile application and the backing cloud MQTT broker, and no public exploit identified at time of analysis, but the design defect means a single compromised credential yields fleet-wide control.

Authentication Bypass Yarbo Android Ios Mobile Application Yarbo Cloud Mqtt Infrastructure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Başbelen Group's Pause+ Mobile App versions 1.0.6 through 1.4.x allows remote attackers to defeat login protections by exhausting authentication attempts without lockout, per CWE-307. The CVSS 9.8 score and PR:N/UI:N vector indicate unauthenticated network-based exploitation against any user account, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Pause Mobile App
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined protections (authentication, redirects, headers, prerender/SSR controls) by simply varying URL case, because vue-router matches paths case-insensitively while the routeRules matcher matched case-sensitively. The fix in 3.21.7 and 4.4.7 lowercases the path before matching. EPSS is 0.02% and no public exploit is identified at time of analysis, but the underlying class is trivially abused once an asymmetric rule is known.

Authentication Bypass Nuxt
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators to perform privileged actions against users ranked above them in the server role hierarchy. Any moderator holding the relevant Discord permission bit can ban, kick, timeout, untimeout, warn, or rename higher-ranked members so long as the bot itself outranks the target. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Questbot
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge and slowmode commands in channels where their channel-level permissions explicitly deny moderation. The bot only validates guild-wide permissions on the invoking member and ignores Discord's per-channel permission overrides, so a user excluded from moderating a specific channel can still delete messages and alter slowmode there. No public exploit identified at time of analysis, and the issue is patched in v1.1.6.

Authentication Bypass Questbot
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Hardcoded database credentials in IEI Integration Corp's iRM-IEI Remote Management (iRM-TSI410X platform) allow remote unauthenticated attackers to authenticate to the backend database with administrative privileges. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 reflects trivial network-accessible exploitation with full confidentiality, integrity, and availability impact. The flaw is reported by TWCERT and tagged as an Authentication Bypass.

Authentication Bypass Irm Tsi410X
NVD VulDB
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Information disclosure in IEI Integration Corp's iRM-IEI Remote Management (iRM-TSI410X) allows unauthenticated remote attackers to retrieve partial system configuration data by invoking a specific function that lacks authentication enforcement. The flaw is reported by TWCERT and carries a CVSS 4.0 base of 7.9, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Irm Tsi410X
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Vivo PcSuite's connection confirmation pop-up - a security gate that prompts users to authorize PC-to-device connections - can be bypassed by an adjacent unauthenticated attacker, rooted in CWE-807 (Reliance on Untrusted Inputs in a Security Decision). All versions of PcSuite are listed as affected per the wildcard CPE (cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:*), and the attack requires only adjacent network positioning with no privileges or user interaction. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, keeping real-world urgency moderate.

Authentication Bypass Pcsuite
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Information disclosure in Vivo PcSuite versions below 6.2.5 allows adjacent attackers within Bluetooth range to bypass an authentication mechanism in a specific function and obtain sensitive data without user interaction. The flaw is tracked as a missing-authentication weakness (CWE-306) reported directly by Vivo and carries a CVSS 4.0 score of 9.4, with no public exploit identified at time of analysis.

Authentication Bypass Pcsuite
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthorized camera and microphone access in Heptabase by Hepta Platforms is achievable by unauthenticated remote attackers who social-engineer a victim into opening a malicious webpage inside the application, exploiting an exposed dangerous method (CWE-749) that bypasses normal permission gating. The attack yields high confidentiality impact - real-time audio and video capture - with no privileges required on the attacker's side, constrained only by the need for active victim interaction. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, though the surveillance-class outcome makes it attractive for targeted campaigns.

Authentication Bypass Heptabase
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command restriction bypass in the SSH service of Cellopoint CelloOS allows authenticated remote attackers to escape the restricted shell and execute arbitrary operating system commands beyond their authorized scope. The flaw is tracked as an Improper Access Control issue (CWE-1284) and was disclosed by Taiwan's TWCERT with a CVSS 4.0 score of 8.7. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Celloos
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper access control in Ubiquiti UniFi OS allows network-adjacent attackers to make unauthorized configuration changes to UniFi Dream Machine, Cloud Gateway, and Express gateway devices under certain network configurations. The flaw, scored CVSS 8.1 with full CIA impact, requires no authentication (PR:N) but has high attack complexity (AC:H), and no public exploit identified at time of analysis. Disclosed via HackerOne and addressed in Ubiquiti Security Advisory Bulletin 065.

Authentication Bypass Ubiquiti Udm +14
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in phpBB allows an authenticated administrator with limited rights to grant themselves permissions beyond their authorized scope through the Administration Control Panel (ACP), enabling elevation to full administrative control over the forum. The flaw stems from improper verification of access permissions when permissions are modified via the ACP, and no public exploit identified at time of analysis. With CVSS 7.2 (PR:H) and no KEV listing, this is a meaningful but not panic-level risk that primarily threatens multi-admin phpBB deployments where administrative duties are intentionally segmented.

Authentication Bypass Privilege Escalation Phpbb
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant privilege escalation in WebPros WordPress Toolkit prior to 6.11.0 (as bundled with cPanel & WHM) allows an authenticated low-privilege account holder to inject arguments into the wp-toolkit CLI and execute commands in the context of another tenant on the same shared server. With a CVSS of 9.9 and scope change, a single compromised hosting account can pivot to siblings on the same host. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

WordPress Authentication Bypass Wordpress Toolkit
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Account hijacking in phpBB is possible due to improper authentication checks in the OAuth implementation, affecting default installations even when OAuth is not configured or enabled. Remote unauthenticated attackers can gain unauthorized access to arbitrary accounts on the forum platform, with no public exploit identified at time of analysis despite the critical 9.8 CVSS score.

Authentication Bypass Phpbb
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

ClipBucket v5's subtitle management feature lacks ownership verification, enabling any authenticated user to upload, rename, or delete subtitle tracks on videos belonging to other users. All releases prior to version 5.5.3 - #133 (CPE: cpe:2.3:a:macwarrior:clipbucket-v5) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and network accessibility present credible risk in any multi-user ClipBucket deployment.

Authentication Bypass Clipbucket V5
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.

Mozilla Authentication Bypass Google +1
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Site isolation bypass in Google Chrome for Android (versions prior to 149.0.7827.115) enables an attacker who has already achieved renderer process compromise to cross origin boundaries via a crafted HTML page, potentially exposing password data managed by the browser's Passwords component. The vulnerability is rooted in CWE-346 (Origin Validation Error) - Chrome's Passwords implementation on Android fails to properly enforce origin checks in the context of a compromised renderer. No public exploit identified at time of analysis; the low CVSS base score of 3.1 reflects that exploitation is dependent on a prior renderer compromise, making this a chained-exploitation concern rather than a standalone critical risk.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DevTools component exposes all Chrome versions prior to 149.0.7827.115 to cross-origin integrity violations when a victim visits a crafted HTML page. The root cause (CWE-346) is insufficient origin validation within DevTools policy enforcement, allowing a remote unauthenticated attacker to circumvent the browser's fundamental isolation boundary and tamper with cross-origin content. No public exploit identified at time of analysis; EPSS of 0.02% (4th percentile) and absence of a CISA KEV listing indicate currently low real-world exploitation pressure despite the High Chromium severity rating.

Authentication Bypass Google Red Hat
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Site isolation bypass in Google Chrome's Extensions implementation (prior to 149.0.7827.115) enables an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. This is a chained exploit primitive - it cannot be weaponized standalone and requires a preceding renderer compromise, limiting its practical severity despite the network delivery vector. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis. The low CVSS score of 3.1 reflects the high attack complexity and constrained confidentiality impact.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Authentication Bypass Tapo C110 V2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in WsgiDAV 4.3.3 allows WebDAV clients to read, write, or delete files outside the configured filesystem share root when a sibling directory's name shares a prefix with the share root. The flaw lives in FilesystemProvider._loc_to_file_path(), which performs a string-prefix containment check instead of a path-boundary-aware one, and is reachable via URL-encoded dot segments such as /%2e%2e/. No public exploit is identified at time of analysis, but a proof-of-concept is described in the vendor advisory and a vendor-released patch exists (4.3.4).

Path Traversal Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper authorization in DevGuard versions prior to v1.4.2 allows any authenticated user on the instance - including users with no membership in the target organization, project, or asset - to perform write operations on vulnerability-triage endpoints of any public asset. The flaw lets attackers create, modify, or delete VEX rules, dependency-vulnerability events, license risks, external references, and artifacts, corrupting the integrity of published vex.json/sbom.json output consumed by downstream supply-chain users. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%, 11th percentile), reflecting the niche audience but not the integrity blast radius.

Gitlab Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inconsistent server-side scope enforcement in Filament's AttachAction and AssociateAction Select fields allows an authenticated low-privilege user to associate out-of-scope records by tampering with Livewire component state. Developers can scope which records appear in these Select dropdowns via `recordSelectOptionsQuery()`, but the built-in validation rule did not enforce the same scope - meaning the UI restriction was purely cosmetic and bypassable. Patches are available across all three affected major version lines; no public exploit or CISA KEV listing identified at time of analysis.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authorization bypass in OpenClaw before 2026.4.24 allows local, low-privileged callers to circumvent owner-only tool policies and before-tool-call hooks via the MCP loopback feature. By routing requests through the affected loopback path, a non-owner principal can invoke tools that should be restricted to the owner role, effectively escalating effective privileges within the application. No public exploit code has been identified at time of analysis, but a vendor patch has been released and the vulnerability was reported by VulnCheck.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information during Control UI device pairing and escalate temporary shared access into durable, admin-capable device tokens that persist across token rotation. The flaw stems from insufficient locality-derived trust validation (CWE-290), enabling lateral conversion of low-privilege sessions into persistent administrative credentials. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.18 allows a paired node to forge exec lifecycle events and obtain capabilities reserved for nodes holding system.run authorization. By sending crafted node.event messages, an attacker controlling any peered node can steer gateway sessions into exec-event paths and execute privileged operations, with no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.19 allows authenticated lower-trust users to read messages from channels outside their allowlist by abusing missing validation in message read actions. The flaw maps to CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 7.1 with high confidentiality impact; no public exploit identified at time of analysis, but a vendor patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw's embedded runner policy incorrectly resolves provider aliases against other aliases rather than their canonical provider identities, enabling an authenticated local user to bypass intended provider policy restrictions. When the affected provider alias feature is active, a low-privileged attacker can select bundled tool access that falls outside the scope their policy should permit, effectively sidestepping the authorization boundary. No public exploit has been identified and no active exploitation is confirmed via CISA KEV; the local attack vector and required feature enablement materially limit real-world exposure.

Canonical Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Approval policy bypass in OpenClaw's Skill Workshop apply flow allows remote attackers to apply workshop configuration changes without completing the required authorization step. Versions prior to 2026.5.6 fail to enforce the `approvalPolicy: pending` gate when agent tool calls include `apply: true`, effectively granting unauthorized write access to skill configurations. No public exploit code has been identified at time of analysis; a vendor-released patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authorization bypass in OpenClaw prior to 2026.5.6 allows authenticated Telegram users to circumvent the commands.allowFrom sender allowlist by invoking interactive callbacks that mark the caller as authorized before validation runs. Reported by VulnCheck with a vendor patch available, this CWE-863 flaw lets attackers execute restricted command behaviors outside configured Telegram sender restrictions, though no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Command execution bypass in OpenClaw before 2026.5.12 lets low-privileged remote users smuggle inline shell content past exec allowlist revalidation by combining POSIX shell flags into a single argument. The flaw exists because parsing logic treats grouped option characters differently from discrete flags, enabling unintended command paths when the affected exec feature is enabled. No public exploit identified at time of analysis, but the issue was reported by VulnCheck and a vendor advisory plus patch are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH Act Now

Unauthenticated snapshot disclosure in Brickcom Cube, Dome, Bullet, and Box IP cameras lets anyone reachable on the camera's /ONVIF endpoint retrieve still images from the live video feed without credentials. The flaw, reported through CISA ICS-CERT (ICSA-26-162-03) and tagged as an authentication bypass, is a classic CWE-306 missing-authentication issue affecting devices typically deployed in physical-security and OT environments. No public exploit identified at time of analysis, but exploitation is trivial once the endpoint is reachable.

Authentication Bypass Cube Dome +2
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Unauthenticated initial-setup hijack in Hermes WebUI before 0.51.358 allows any remote attacker who can reach the settings API endpoint during the first-run window to POST the _set_password parameter, persist an arbitrary password hash, and obtain a valid administrative session cookie. The flaw, reported by VulnCheck and tracked as an improper access control (CWE-306) issue, locks the legitimate operator out of their own instance and grants full administrative control. No public exploit identified at time of analysis, but an upstream fix landed in release v0.51.358.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation and self-defense bypass in CyberArk (Palo Alto Networks) Idira Endpoint Privilege Manager Agent versions prior to 26.5 allows an authenticated local attacker to circumvent internal cryptographic validation and agent tamper-protection controls. Successful exploitation lets the attacker disable EPM enforcement and execute unauthorized operations on the endpoint, undermining the very privilege-management protections the product is meant to provide. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Idira Endpoint Privilege Manager
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sandbox restriction bypass in macOS prior to Tahoe 26.1 allows a locally-installed malicious app to access sensitive user data outside its permitted sandbox scope. The flaw stems from improper access control (CWE-284) in the macOS application sandbox, a core security boundary meant to isolate app access to system resources. SSVC assessment confirms no known active exploitation and the attack is not automatable, while CVSS signals high confidentiality impact limited to local execution with low privileges.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthorized access to protected user data is possible in Apple macOS prior to Tahoe 26.1, where a locally installed application can bypass system permission boundaries (CWE-284) to read data normally gated by TCC/entitlement controls. Apple has shipped a fix that adds additional restrictions, and no public exploit has been identified at time of analysis. The NVD CVSS vector advertises network exploitability, but the description clearly describes a local application abuse path, which materially changes the realistic risk picture.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandbox escape in Apple macOS prior to Sequoia 15.4 allows a locally installed application to break out of the App Sandbox and perform unauthorized actions outside its confinement boundary. Apple addressed the issue with improved checks; no public exploit identified at time of analysis, though SSVC rates technical impact as total.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Improper access control in Apple macOS allows a locally-executed app to cause unexpected system termination, effectively producing a denial-of-service condition against the host. All three actively-supported macOS release lines - Sequoia, Sonoma, and Ventura - are confirmed affected, with fixes delivered simultaneously across all three branches. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.01% at the 3rd percentile indicates negligible observed exploitation probability at time of analysis.

Authentication Bypass Apple
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper access control via flawed authorization state management in Apple iOS/iPadOS (before 18.4) and macOS Sequoia (before 15.4) permits a locally installed app to leak sensitive user information without proper authorization. Fixed in iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4, as confirmed by Apple security advisories. No public exploit code has been identified and no active exploitation is recorded in CISA KEV at time of analysis, though SSVC flags the vulnerability as automatable with partial technical impact.

Authentication Bypass Apple Ios And Ipados
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-signed requests to inject unvalidated metadata - such as Content-Type or protected HTTP headers - by placing it in the first signature entry of a multi-signature JWS JSON token, even when that entry's signature was never verified. Affected deployments using the cxf-rt-rs-security-jose-jaxrs module may incorrectly trust attacker-controlled content type or header values, steering JAX-RS entity parsing or signed-header consistency checks in unintended ways. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-released patches 4.2.2 and 4.1.7 were published June 10, 2026.

Apache Authentication Bypass Jwt Attack +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Idira Secrets Manager SaaS Edge prior to version 1.8 allows remote unauthenticated attackers to obtain valid access tokens by submitting specially crafted requests that subvert internal validation logic. Reported by Palo Alto Networks researchers and tracked under CyberArk Security Bulletin CA26-20, the flaw carries a CVSS 4.0 score of 9.1 (Critical) due to high confidentiality and integrity impact on a product whose entire purpose is custody of enterprise secrets. There is no public exploit identified at time of analysis, but the secrets-management use case makes any token theft a high-leverage compromise.

Authentication Bypass Conjur Cloud Edge Finding Only
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission in any guild delete AutoMod rules belonging to other guilds. The flaw stems from looking up rules by global database ID without verifying guild ownership, and rule IDs are discoverable via the bot's autocomplete feature. No public exploit identified at time of analysis, but the GitHub Security Advisory and patched release v1.0.5 are public.

Authentication Bypass Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.

Authentication Bypass Quest Bot
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Improper access control in CyberArk Conjur Enterprise (Idira Secrets Manager Self-Hosted) versions 13.8.0 and earlier allows authenticated attackers with standard node-level credentials to abuse internal cluster endpoints to retrieve unauthorized secrets or trigger denial of service. The flaw is rated CVSS 4.0 base 8.4 with high confidentiality impact extending to subsequent systems, but no public exploit identified at time of analysis. CyberArk has published Security Bulletin CA26-20 alongside fixed releases.

Authentication Bypass Denial Of Service Conjur Enterprise
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.

Python Microsoft Docker +3
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Authentication bypass in Apache CXF's OAuth2 TokenIntrospectionService allows unauthenticated network access to the token introspection endpoint due to a missing 'throw' keyword in the internal security context check, causing the guard to silently pass rather than reject unauthorized callers. Affected are deployments using cxf-rt-rs-security-oauth2 versions 4.2.0-4.2.1 and all 4.1.x releases before 4.1.7 that relied solely on CXF's built-in check without independent authentication at the container or gateway layer. No public exploit code or active exploitation has been identified; vendor-confirmed patches (4.2.2 and 4.1.7) were released June 10, 2026.

Apache Authentication Bypass Cxf
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Path traversal in node-tmp 0.2.6 allows remote attackers to create files or directories outside the temp directory by supplying non-string `prefix`, `postfix`, or `template` values (arrays, Buffers, or objects) whose `includes('..')` check returns falsy but whose string coercion contains `../`. The 0.2.6 `_assertPath` guard checks only strings, so JSON body fields or `qs`-parsed bracket arrays such as `?prefix[]=..` bypass it and write at attacker-controlled paths with host-process privileges. No public exploit identified at time of analysis, but the bypass pattern is trivial and the library is widely used in Node.js applications.

Authentication Bypass Node.js Node Tmp +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insecure direct object reference (IDOR) in IBM Langflow OSS 1.0.0 through 1.9.1 allows an authenticated user to read or modify sensitive resources belonging to other users by manipulating object identifiers. The flaw carries a CVSS 8.1 (High) rating due to high confidentiality and integrity impact over the network, though EPSS exploitation probability remains low at 0.04% and there is no public exploit identified at time of analysis. SSVC classifies exploitation as 'none' but flags the issue as automatable with partial technical impact, indicating defenders should still prioritize patching given the trivial attack complexity.

Authentication Bypass IBM Langflow Oss
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated information disclosure in openSIS Classic 9.3 lets any logged-in user with messaging-module access read other users' sent messages by tampering with the mail_id parameter sent to modules/messaging/SentMail.php. The flaw is a textbook insecure direct object reference (CWE-639) with no public exploit identified at time of analysis, though the upstream commit fixing it is published on GitHub, effectively documenting the vulnerable code path.

Authentication Bypass PHP
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Route-level authentication bypass in Traefik's StripPrefix middleware allows unauthenticated remote attackers to reach protected backend endpoints (e.g., /admin, /internal/config) by crafting request paths such as /api../admin or /api%2e%2e/admin. The public router matches before path normalization, but StripPrefix subsequently normalizes the path via JoinPath() so the backend receives the protected path without the authentication middleware ever running. Publicly available exploit code exists (full PoC in the advisory), patches are released, and EPSS sits at 0.22% (45th percentile) with no CISA KEV listing.

Python Authentication Bypass Docker
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

XML injection in guzzlehttp/guzzle-services allows unauthenticated remote attackers to smuggle arbitrary XML elements into outgoing API requests by embedding the CDATA terminator `]]>` in attacker-controlled input. The PHP XMLWriter::writeCData() call used by the request serializer for values containing `<`, `>`, or `&` terminates the CDATA section prematurely when the payload contains `]]>`, causing the remainder to be interpreted as raw XML markup by the downstream service. Depending on downstream service behavior, this can enable privilege escalation, parameter boundary bypass, or operation semantic manipulation — the advisory's canonical example shows injection of a `<Role>admin</Role>` element that a receiving service may honor. No public exploit has been identified at time of analysis, and this vulnerability is not in the CISA KEV catalog.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels.3.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Metrostore
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels.8.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Contact Form Lead Form Elementor Builder Elementor
NVD VulDB
Prev Page 24 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31268

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy