Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Rather than cracking passwords by brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically happens through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, tampering with parameters in authentication requests so that verification steps are skipped, or abusing broken session management that fails to properly validate the user's identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
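The following is an added example, not code from the original page or from any product it names. It shows the two server-side checks that the parameter-tampering and partial-verification pathways above call for: an authorization decision that reads the role only from the server-side session record (never from a "role" field the client sent), and a login state machine that refuses to treat a session as authenticated until every step has completed in order. The session store, the Request type, the step names and the handler names are hypothetical.

```python
# Added example (not from the original page): authorization that ignores
# client-supplied role fields and refuses sessions that skipped a login step.
# The session store, Request type, step names and handler names are hypothetical.
import secrets
from dataclasses import dataclass, field

# Every login must complete these steps, in this order, before it is trusted.
REQUIRED_STEPS = ("password", "otp")


@dataclass
class Session:
    user: str
    role: str                      # set by the server from the user record
    completed: list = field(default_factory=list)

    def complete_step(self, step):
        """Record a step only if it is the next one expected; no skipping ahead."""
        idx = len(self.completed)
        if idx < len(REQUIRED_STEPS) and REQUIRED_STEPS[idx] == step:
            self.completed.append(step)
            return True
        return False

    def fully_authenticated(self):
        return tuple(self.completed) == REQUIRED_STEPS


# Server-side session store: opaque session id -> Session.
SESSIONS = {}


def start_login(user, role):
    """Create a session for a user whose login steps have not run yet."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user, role=role)
    return sid


@dataclass
class Request:
    session_id: str
    params: dict = field(default_factory=dict)   # anything the client sent


def admin_action_vulnerable(req):
    """Vulnerable pattern, for contrast: trusts a 'role' field from the request
    and never checks whether the login actually finished."""
    if req.session_id not in SESSIONS:
        return 401
    return 200 if req.params.get("role") == "admin" else 403


def admin_action_hardened(req):
    """Hardened handler: identity and role come only from the server-side
    session, and a session that skipped a step is treated as unauthenticated."""
    session = SESSIONS.get(req.session_id)
    if session is None or not session.fully_authenticated():
        return 401
    if session.role != "admin":
        return 403
    return 200
```

With a session for a plain user that has only started logging in, a request carrying role=admin gets 401 from the hardened handler, 403 once both steps complete, and 200 only when the server-side record itself says admin; the vulnerable handler returns 200 for the same tampered request.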

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate them server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
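As an added example that is not the page's own code nor that of any project it names, the block below implements the second and fourth mitigations above: a startup check that refuses to run with a missing or placeholder secret instead of silently falling back to a built-in default, and a server-side session store that issues random tokens from the OS CSPRNG, keeps only their hashes, and expires them on both idle time and absolute lifetime. The environment variable name, the placeholder list, the timeouts and the class and function names are assumptions.

```python
# Added example (not the page's or any project's code): a startup check that
# refuses placeholder secrets, and a server-side session store with idle and
# absolute expiry. Names, limits and the placeholder list are assumptions.
import hashlib
import secrets
import time

# Sample values that ship in example configs and must never be accepted.
PLACEHOLDER_SECRETS = {"", "changeme", "change-me", "secret", "password", "default"}
MIN_SECRET_BYTES = 32


def load_signing_key(env):
    """Return the signing key from env, or raise rather than fall back to a default."""
    key = env.get("JWT_SECRET_KEY")
    if key is None:
        raise RuntimeError("JWT_SECRET_KEY is not set; refusing to start")
    if key.strip().lower() in PLACEHOLDER_SECRETS:
        raise RuntimeError("JWT_SECRET_KEY is a placeholder value; refusing to start")
    if len(key.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT_SECRET_KEY is shorter than %d bytes" % MIN_SECRET_BYTES)
    return key


class SessionStore:
    """Opaque random tokens, stored hashed, validated entirely on the server."""
    IDLE_TIMEOUT = 15 * 60          # seconds without activity
    ABSOLUTE_LIFETIME = 8 * 3600    # seconds since login, regardless of activity

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Hash before storing so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live token, or None (and revoke it) otherwise."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > self.ABSOLUTE_LIFETIME
        too_idle = now - rec["last_seen"] > self.IDLE_TIMEOUT
        if too_old or too_idle:
            self.revoke(token)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)

    def live_count(self):
        return len(self._sessions)
```

Failing closed at startup is the point of load_signing_key: a deployment that forgot to set the key gets an error in the log rather than a token-signing key that every attacker can look up in the sample config.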

Recent CVEs (7654)

EPSS 0% CVSS 8.1
HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. [CVSS 8.1 HIGH]

Authentication Bypass
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allow to bypass the protection. [CVSS 4.0 MEDIUM]

Authentication Bypass
NVD
EPSS 65% 6.9 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

SmarterTools SmarterMail prior to build 9511 contains a critical authentication bypass in the password reset API (CVE-2026-23760) that allows unauthenticated attackers to reset system administrator passwords without verification. With EPSS 65% and KEV listing, this trivially exploitable vulnerability enables complete email server takeover, compromising all hosted mailboxes and organizational communications.

Authentication Bypass Smartermail
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

NervesHub OTA firmware management has a weak random number generation vulnerability that allows attackers to predict firmware update tokens and push malicious updates.

Authentication Bypass Nerveshub
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Solvera Software Services Trade Inc. Teknoera is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

EXERT Computer Technologies Software Ltd. Co. Education Management System is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Meetinghub Paperless Meetings is affected by missing authentication for critical function (CVSS 5.3).

Authentication Bypass Meetinghub Paperless Meetings
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Horilla HRMS 1.4.0 contains insufficient server-side authorization checks that permit low-privileged employees to self-approve documents they have submitted, bypassing intended administrative-only controls. Public exploit code exists for this vulnerability, enabling standard users to alter HR application state and potentially submit unvetted credentials or certifications. The integrity of HR document workflows is compromised as employees can modify approval statuses reserved for administrators.

Authentication Bypass Horilla
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

Horilla HRMS versions prior to 1.5.0 allow authenticated attackers to bypass two-factor authentication due to improper OTP validation that treats missing OTP fields as valid when the OTP has expired. Public exploit code exists for this vulnerability, enabling attackers with user credentials to gain unauthorized access to accounts, particularly administrative accounts with access to sensitive HR data and employee records. An attacker exploiting this flaw could manipulate employee information and compromise system-wide operations.

Authentication Bypass Horilla
NVD GitHub
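The Horilla entry above describes a one-time-code check that treated a missing OTP field as valid once the code had expired. As an added example that is not Horilla's code, the block below shows a fail-closed version of that check: expiry is evaluated first and denies, a missing or blank field denies, comparison is constant-time, the code is single-use, and repeated failures burn it. The lifetime, attempt limit and names are assumptions.

```python
# Added example (not Horilla's code): a fail-closed one-time-code check. A
# missing, expired, already-used or mismatched code is rejected, and expiry
# is evaluated before anything else. Names and limits are assumptions.
import hmac
import secrets
import time

OTP_LIFETIME = 5 * 60      # seconds a code stays valid
MAX_ATTEMPTS = 5           # failed attempts before the code is burned


class PendingOtp:
    def __init__(self, user, clock=time.time):
        self.user = user
        self._clock = clock                              # injectable for tests
        self.code = "%06d" % secrets.randbelow(10 ** 6)  # delivered out of band
        self.issued = clock()
        self.attempts = 0
        self.consumed = False

    def expired(self):
        return self._clock() - self.issued > OTP_LIFETIME


def verify_otp(pending, submitted):
    """Return True only for a live, unused, exactly matching code.

    Every other state, including 'the code expired and the client sent
    nothing', is a failure. There is no branch that skips the comparison.
    """
    if pending is None or pending.consumed or pending.expired():
        return False                     # expired or spent: deny, never skip
    if not submitted or not submitted.strip():
        return False                     # missing field is a failure, not a pass
    if pending.attempts >= MAX_ATTEMPTS:
        return False                     # burned by too many wrong guesses
    pending.attempts += 1
    if not hmac.compare_digest(pending.code.encode(), submitted.strip().encode()):
        return False
    pending.consumed = True              # single use
    return True
```

The ordering matters: the expiry and "was anything submitted" checks each return False on their own, so no combination of an expired record and an absent field can reach the success path.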
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Horilla HRMS versions 1.4.0 and above allow unauthenticated access to unpublished job postings through the /recruitment/recruitment-details/ endpoint, exposing draft job titles, descriptions, and application workflows. An attacker can leverage public exploit code to view sensitive internal hiring information and access recruitment processes for unpublished positions. The vulnerability affects all users with network access to affected Horilla instances and has been patched in version 1.5.0.

Authentication Bypass Horilla
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Horilla is a free and open source Human Resource Management System (HRMS). [CVSS 4.3 MEDIUM]

File Upload Authentication Bypass Horilla
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

The sm-crypto JavaScript library has a private key recovery vulnerability in its SM2 implementation, allowing attackers to extract secret keys from signatures.

Authentication Bypass Sm Crypto
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 6.5 MEDIUM]

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Suspended remote users in Mastodon can bypass suspension restrictions and have their posts appear in timelines through boosting and post processing logic errors. This affects all Mastodon versions for older posts, with additional bypass capabilities in versions 4.5.0-4.5.4, 4.4.5-4.4.11, 4.3.13-4.3.17, and 4.2.26-4.2.29, allowing suspended users to inject new content into the system. No patch is currently available for this integrity issue.

Authentication Bypass Mastodon
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack credentials and gain unauthorized access.

Authentication Bypass Dataease
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. [CVSS 5.3 MEDIUM]

Authentication Bypass Designer
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

Authentication Bypass AI / ML Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. [CVSS 4.3 MEDIUM]

Authentication Bypass Everest
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC This Week

Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]

SQLi Authentication Bypass
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. [CVSS 8.2 HIGH]

SQLi Authentication Bypass
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH POC This Week

D151 Firmware versions up to - are affected by missing authentication for critical function (CVSS 7.5).

Authentication Bypass D151 Firmware D301 Firmware
NVD Exploit-DB
EPSS 0%
Monitor

Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact. This issue affects Jamf Pro: from 11.20 through 11.24.

Authentication Bypass
NVD
EPSS 0% CVSS 2.7
LOW Monitor

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. [CVSS 2.7 LOW]

Privilege Escalation Authentication Bypass
NVD
EPSS 75% 7.2 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain root access by setting the USER environment variable to '-f root' during TELNET negotiation. With EPSS 75% and KEV listing, this trivially exploitable vulnerability (CVE-2026-24061) has been widely weaponized. Public PoC is available and patches exist.

Authentication Bypass Debian Linux Inetutils +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in the keycloak-services component of Keycloak. [CVSS 6.5 MEDIUM]

Authentication Bypass Redhat
NVD
EPSS 0% CVSS 3.1
LOW Monitor

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. [CVSS 3.1 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Imagedirector Capture versions up to 7.6.3.25808 are affected by insufficiently protected credentials (CVSS 7.5).

Authentication Bypass Imagedirector Capture
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Open5gs WebUI authentication can be bypassed by attackers who exploit the default hardcoded JWT signing key ("change-me") that is used when the JWT_SECRET_KEY environment variable is not configured. An attacker can forge valid JWT tokens to gain unauthorized access to the WebUI with limited confidentiality and integrity impacts. A patch is available to remediate this vulnerability by enforcing proper key configuration or using secure defaults.

Authentication Bypass Open5gs
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

BROWAN COMMUNICATIONS PrismX MX100 AP controller stores SMTP credentials in plaintext accessible via the web interface, enabling authenticated administrators to retrieve sensitive password data. The vulnerability requires high-level privileges to exploit but poses a significant risk to email service credentials used by the device. No patch is currently available to remediate this exposure.

Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PrismX MX100 AP controller by BROWAN has hard-coded credentials that allow remote attackers to gain full administrative access to the wireless network controller.

Authentication Bypass
NVD
EPSS 0% CVSS 5.0
MEDIUM POC This Month

MineAdmin 1.x and 2.x contains insufficient JWT token verification in the /system/refresh endpoint, allowing authenticated remote attackers to tamper with token data and potentially escalate privileges or bypass security controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires authenticated access and specific conditions, resulting in a medium severity rating with limited immediate impact.

Authentication Bypass Mineadmin
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.

Authentication Bypass AI / ML Crawlchat
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Aion versions up to 2.0 contain a vulnerability that allows the use of easily guessable passwords, potentially resulting in unauthorized acc (CVSS 3.1).

Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.

Authentication Bypass Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

OpenStack keystonemiddleware 10.5 through 10.9 has an authentication spoofing vulnerability (CVSS 9.9) allowing attackers to bypass Keystone token validation and access any OpenStack service as any user.

Authentication Bypass Redhat Suse
NVD
EPSS 0% CVSS 2.4
LOW Monitor

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. [CVSS 2.4 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 3.7
LOW Monitor

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID...

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.

Authentication Bypass
NVD GitHub VulDB
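The @fastify/middie entry above is an instance of a general failure: an access-control layer matches the raw request path while the router matches a decoded one, so the two disagree about which handler a request reaches. The added example below (not @fastify/middie's or Fastify's code) shows the defensive rule: canonicalize once, then make both the protection decision and the routing decision from that same canonical path. The protected prefixes and the function names are assumptions.

```python
# Added example (not @fastify/middie's code): canonicalize a request path
# before deciding whether it is protected, so the auth layer and the router
# see the same path. Protected prefixes and function names are assumptions.
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin", "/api/internal")


def canonical_path(raw_path):
    """Drop query/fragment, percent-decode exactly once (as a router would),
    reject NUL bytes, resolve '.' and '..', and collapse repeated slashes."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)                 # single decode; "%2561" stays "%61"
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)      # resolves ./ and ../, collapses //
    path = "/" + path.lstrip("/")        # normpath keeps a leading '//'; collapse it
    return path


def is_protected(raw_path):
    """Prefix match on the canonical path, respecting segment boundaries so
    '/adminx' does not inherit the policy for '/admin'."""
    path = canonical_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def requires_auth(raw_path, authenticated):
    """Gate used by a hypothetical auth middleware: 401 if protected and anonymous."""
    if is_protected(raw_path) and not authenticated:
        return 401
    return 200
```

The same canonical_path function must feed the router; if the router decodes differently (for example twice), the mismatch this entry describes reappears, which is why the check belongs in one shared place rather than in each middleware.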
EPSS 0% CVSS 7.6
HIGH This Week

Devolutions Server versions 2025.3.1 through 2025.3.12 contain an authorization bypass in the virtual gateway component that allows authenticated attackers with high privileges to circumvent IP-based deny rules. This vulnerability could enable attackers to access restricted resources or bypass network-level security controls. No patch is currently available.

Authentication Bypass Devolutions Server
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Altium 365 workspace endpoints had overly permissive CORS policies that allow unauthorized cross-origin access to workspace data, potentially exposing proprietary PCB designs and engineering data.

Authentication Bypass
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.

File Upload Authentication Bypass Mpay
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in 1Panel's App Store allows attackers to inject malicious scripts into application details that execute in users' browsers when viewed, potentially enabling session hijacking or unauthorized system access. Versions up to v1.10.33-lts and v2.0.16 are vulnerable, with no patch currently available. An attacker could publish a compromised application to steal credentials, modify system functions, or compromise system availability.

XSS Authentication Bypass 1panel
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

The WooCommerce mobile phone registration plugin has an authentication bypass vulnerability allowing unauthenticated attackers to log in as any user, including administrators, with EPSS 0.42%.

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level privileges can upload malicious signatures to arbitrary orders in the RepairBuddy WordPress plugin (versions up to 4.1116) due to missing capability checks, allowing them to modify order metadata and trigger unauthorized status changes. The vulnerability stems from insufficient access controls on the signature upload handler and requires only basic user authentication to exploit. Patch availability is not currently provided for this integrity-impacting vulnerability.

WordPress Authentication Bypass
NVD
EPSS 17% CVSS 9.8
CRITICAL PATCH Act Now

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.

RCE Authentication Bypass AI / ML +1
NVD GitHub VulDB
EPSS 0%
This Week

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state.

Authentication Bypass
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. [CVSS 4.2 MEDIUM]

Authentication Bypass Suse
NVD
EPSS 0% CVSS 3.3
LOW Monitor

A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. [CVSS 3.3 LOW]

Apple Authentication Bypass
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. [CVSS 6.7 MEDIUM]

Authentication Bypass Redhat Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The Rede Itaú for WooCommerce plugin versions up to 5.1.2 lack proper authentication controls on the clearOrderLogs() function, allowing unauthenticated attackers to remotely delete order log metadata from WooCommerce installations. This missing capability check enables data tampering on affected WordPress sites without requiring user credentials. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. [CVSS 8.1 HIGH]

Authentication Bypass Process Optimization
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Mitel MiVoice MX-ONE 7.3-7.8 SP1 has authentication bypass in the Provisioning Manager. Unauthenticated attackers can access user or admin accounts in the VoIP management system.

Authentication Bypass Mivoice Mx One
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. [CVSS 5.4 MEDIUM]

Authentication Bypass Web2print Tools
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Pimcore Admin Classic Bundle versions prior to 2.2.3 and 1.7.16 fail to enforce proper authorization on the Predefined Properties API endpoint, allowing authenticated backend users without explicit permissions to enumerate all property configurations. Public exploit code exists for this vulnerability. The flaw impacts any Pimcore deployment where backend user access controls rely on role-based restrictions for sensitive metadata definitions.

Authentication Bypass Admin Classic Bundle
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). [CVSS 7.5 HIGH]

Authentication Bypass Glpi
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Incoming Goods Suite contains a vulnerability that allows attackers to hijack the user's session and gain unauthorized access (CVSS 5.3).

Authentication Bypass Incoming Goods Suite
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

TDC X401GL firmware updates contain hardcoded password hashes for system accounts that are accessible to unauthenticated remote attackers over the network. An attacker could extract these hashes and potentially recover credentials to gain unauthorized access to the device. No patch is currently available for this vulnerability.

Authentication Bypass Tdc X401gl Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

TDC X401GL firmware contains hardcoded default credentials for privileged user accounts, enabling unauthenticated attackers to gain unauthorized administrative access over the network. This vulnerability affects all deployments using default configurations and could allow attackers to compromise system integrity and perform unauthorized operations. No patch is currently available.

Authentication Bypass Tdc X401gl Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

TDC X401gl devices with unpatched firmware lack proper authorization controls for critical system functions, enabling unauthenticated remote attackers to arbitrarily start, stop, or delete applications and cause denial of service. This network-accessible vulnerability requires no user interaction and affects all default configurations. No patch is currently available.

Authentication Bypass Tdc X401gl Firmware
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Container management vulnerability allows authenticated users to escape to the host filesystem with read/write access. CVSS 9.9 with scope change.

Authentication Bypass Tdc X401gl Firmware
NVD
EPSS 0% CVSS 3.2
LOW Monitor

A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. [CVSS 3.2 LOW]

Authentication Bypass
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Thinkplus Fu100 Firmware versions up to - are affected by authentication bypass by spoofing (CVSS 7.8).

Authentication Bypass Thinkplus Tsd303 Firmware Thinkplus Fu100 Firmware +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabling unauthenticated attackers to retrieve sensitive screenshots by predicting their filenames. This improper access control flaw affects all users whose screenshot content should be restricted. A patch is available in version 5.15.2 and later.

Authentication Bypass Weblate Suse
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An Orchestrator service allows unauthenticated attackers to bypass MFA and create admin accounts without multi-factor authentication. This undermines the security of the entire authentication system.

Authentication Bypass Edgeconnect Sd Wan Orchestrator
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

BLUVOYIX admin APIs allow unauthenticated creation of admin users, enabling complete platform takeover.

Privilege Escalation Authentication Bypass Bluvoyix
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

BLUVOYIX platform has unauthenticated API access allowing full customer data extraction and platform compromise.

Authentication Bypass Bluvoyix
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address

Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon ..

Linux Authentication Bypass Linux Kernel +2
NVD VulDB
EPSS 0%
This Week

An Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings. This issue affects TLP: from 1.9 before 1.9.1.

Authentication Bypass
NVD
EPSS 0%
Monitor

Polkit authentication is disabled by default, and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.

Authentication Bypass
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Chainlit versions up to 2.8.5 are affected by authorization bypass through user-controlled key (CVSS 4.2).

Authentication Bypass AI / ML
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

PayHere Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 2.3.9 are affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Netcash WooCommerce Payment Gateway (WordPress plugin) versions up to 4.1.3 are affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

WP-CRM System (WordPress plugin) versions up to 3.4.5 are affected by missing authorization (CVSS 5.4).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

eXtplorer 2.1.14 has an authentication bypass that allows passwordless login. Combined with the file manager's upload capability, this achieves unauthenticated RCE. PoC available.

PHP Authentication Bypass Extplorer
NVD Exploit-DB
EPSS 0% CVSS 8.2
HIGH POC This Week

VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface. [CVSS 8.2 HIGH]

SQLi Authentication Bypass Wallpaper Admin
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in Adobe Dreamweaver 21.6 and earlier stems from an incorrect authorization flaw that allows attackers to bypass security controls when a user opens a malicious file. An attacker can execute code with the privileges of the current user, potentially compromising the system. No patch is currently available for this vulnerability.

Authentication Bypass RCE Dreamweaver
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Windows NTLM authentication is vulnerable to path manipulation attacks that enable network-based spoofing when users interact with malicious content, affecting Windows 10 22H2 and Windows Server editions 2008-2016. An unauthenticated attacker can exploit improper file name or path validation to impersonate legitimate systems or services, potentially redirecting authentication requests to attacker-controlled resources. No patch is currently available for this vulnerability.

Microsoft Authentication Bypass Windows
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Tongyu Ax1800 Firmware versions up to 1.0.0 contain a vulnerability that allows attackers to fully compromise the device (i (CVSS 8.8).

Authentication Bypass Tongyu Ax1800 Firmware
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Unauthenticated administrative access in NETGEAR Orbi routers (CBR750, NBR750, RBE370, RBE371) allows local network attackers to bypass authentication and gain full admin control of the web interface. This high-severity vulnerability (CVSS 7.8) impacts all users on networks connected to affected devices, enabling attackers to modify router settings, potentially compromising network security and connected devices. A patch is available.

Netgear Authentication Bypass Rbs750 Firmware +24
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection. Syzkaller reports a simult-connect race leading to inconsistent fallback status. The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions.

Linux Debian Authentication Bypass +3
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

An issue in Semantic machines v5.4.8 allows attackers to bypass authentication by sending a crafted HTTP request to various API endpoints. [CVSS 8.6 HIGH]

Authentication Bypass Veda
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Eclipse Che che-machine-exec exposes an unauthenticated JSON-RPC/WebSocket API on port 3333 that allows remote command execution and secret exfiltration from other users' developer workspace containers.

Ssh Authentication Bypass Redhat
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

DOM spoofing in Mozilla Firefox and Thunderbird's copy, paste, and drag-and-drop functionality allows unauthenticated attackers to deceive users into performing unintended actions through crafted content. The vulnerability affects Firefox versions below 147 and ESR versions below 140.7, as well as Thunderbird versions below 147 and 140.7, requiring user interaction to exploit. No patch is currently available.

Mozilla Authentication Bypass
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Firefox < 147 and Thunderbird < 147.

Authentication Bypass Mozilla
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

DOM security bypass in Firefox and Thunderbird allows remote attackers to circumvent protective mitigations through user interaction, affecting multiple versions across both products. An attacker can exploit this to achieve high-impact compromise of confidentiality and integrity without requiring authentication. Currently no patch is available for affected users.

Mozilla Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. [CVSS 8.1 HIGH]

Authentication Bypass Manageengine Access Manager Plus Manageengine Password Manager Pro +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

ManageEngine ADSelfService Plus before 6519 has an authentication bypass due to improper filter configurations. Because the product is a self-service password management tool for Active Directory, compromise enables mass password resets across the enterprise. Patch available.

Authentication Bypass Manageengine Adselfservice Plus
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with scope change. Requires knowledge of a legitimate user's identity.

Authentication Bypass IoT Industrial
NVD

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
7654
