Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
Recent CVEs (31281)
Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Authorization bypass in Shopperlabs Shopper headless e-commerce admin panel prior to 2.8.0 allows authenticated low-privilege users with read-only order permissions to mutate every order in the panel and trigger real Payment Service Provider captures via Filament admin actions. The flaw spans multiple Livewire components beyond orders - including product sub-forms, team settings, and RBAC management - enabling privilege escalation up to role creation and user deletion. No public exploit identified at time of analysis, but a detailed GitHub Security Advisory and patch diff are public.
Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.
Missing authorization enforcement in the Shopper headless e-commerce admin panel (all versions prior to 2.8.0) allows any authenticated low-privilege panel user to disable payment methods, alter the default currency, or disable carriers - actions that should be restricted by per-action permissions. The business impact is severe: a malicious or compromised low-privilege account can cause a complete denial of checkout and undermine pricing integrity across the store. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers with adjacent-network access to log in using undocumented default accounts and gain high-impact access to confidentiality and integrity of recorded voyage data. The flaw was disclosed via CISA ICS-CERT advisory ICSA-26-148-01 and carries a CVSS v4.0 score of 8.7, with no public exploit identified at time of analysis and no CISA KEV listing.
Sandbox escape in vm2 versions 3.11.2 and earlier (through 3.11.3) allows sandboxed JavaScript to obtain real Node.js cross-realm symbols and write them onto host objects, hijacking host-side control flow such as util.promisify, stream duck-typing, and WebStream internals. The flaw stems from an incomplete Symbol.for override that blocks only 2 of 9 dangerous nodejs.* symbols and from bridge write traps that lack the dangerous-symbol guard present on read traps. A working proof-of-concept hijacking util.promisify is published in the GHSA advisory, and a vendor patch (3.11.4) is available; no entry in CISA KEV at time of analysis.
{ middleware })` auth checks. Affected are Nuxt 3.11.0-3.21.5 and Nuxt 4.0.0-alpha.1-4.4.5 when `experimental.componentIslands` is enabled and pages rely solely on route middleware for authorization - a pattern common in Nuxt 4 where componentIslands is on by default. A working proof-of-concept using a single curl command is published in the vendor advisory; no public exploit identified at time of analysis beyond the POC, and no CISA KEV listing exists. Vendor-released patches are available as nuxt@3.21.6 and nuxt@4.4.6.
Hardcoded administrative credentials in Jinan USR IOT (PUSR) USR-W610 RS232/485-to-Wi-Fi/Ethernet serial converter firmware allow remote unauthenticated attackers to gain full administrative control of affected industrial gateway devices. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against an OT/ICS device class typically deployed in serial-to-IP bridging roles, and no public exploit identified at time of analysis, though credential recovery via firmware extraction is straightforward for any researcher.
Unauthenticated BLE access to the Fourth Frontier X2 wearable cardiac monitor allows attackers within radio range to read and write critical GATT characteristics without pairing, enabling control of device functions and injection of fabricated health telemetry. The companion Frontier X Android and iOS applications additionally fail to authenticate paired devices, letting an attacker impersonate a legitimate X2 and feed falsified heart rate, breathing rate, and strain data into a victim's mobile app. No public exploit identified at time of analysis, and the issue is tracked under CISA ICS-MA-26-148-01.
Missing organization-level authorization in Dokploy 0.19.0 and earlier allows authenticated users from one organization to access, modify, and delete resources belonging to other organizations on the same instance. The shared `protectedProcedure` middleware confirms session authentication but never validates that the requested resource belongs to the caller's active organization, exposing 22 endpoints spanning deployments, backups, volume operations, cluster management, and mounts to cross-organization abuse. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.
Scope bypass in OpenClaw versions prior to 2026.5.18 allows authenticated clients holding only the operator.write scope to invoke privileged Gateway commands via the chat.send route, escalating from limited operator access to full administrative control. Exploitation lets remote attackers mutate plugins, configuration, MCP settings, allowlists, and ACP rules that should require operator.approvals or operator.admin scopes. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.7 (high) and low attack complexity make this a serious privilege-escalation issue for any multi-tenant or delegated OpenClaw deployment.
SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.
Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.
Policy bypass in OpenClaw's QQBot admin command handling allows authenticated low-privilege network users to circumvent DM-only and allowFrom authorization checks, routing restricted admin commands from unauthorized senders or contexts. Affected versions are all OpenClaw releases prior to 2026.4.29. The CVSS 4.0 score of 2.3 reflects limited confidentiality and integrity impact with no availability impact, and no public exploit has been identified at time of analysis.
Privilege escalation in OpenClaw's Slack plugin approval workflow allows authenticated users holding limited exec permissions to bypass operator-configured approval splits by resolving plugin approvals through the exec approver gate - approving actions outside their intended authorization boundary. All OpenClaw versions before 2026.5.12 are affected when the Slack plugin is deployed with approval split configurations. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.3 accurately reflects its narrow real-world impact, constrained by prerequisites and a low impact ceiling.
Authorization bypass in OpenClaw versions before 2026.5.4 allows authenticated chat command users who are not device owners to issue device-pairing bootstrap codes through the bundled device-pair plugin. Exploitation enables an attacker with low-privilege chat access to enroll arbitrary devices with operator or node capabilities, establishing persistent credentials that survive until manual revocation. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Pull-secret credential exposure in Red Hat Advanced Cluster Management (ACM) and Multicluster Engine (MCE) assisted-service leaks the full contents of a referenced pull-secret - including username, password, email, and base64-encoded auth token - into the publicly-readable `InfraEnv.status.conditions[].message` field when pull-secret validation fails. A low-privileged namespace principal holding the stock Kubernetes `view` ClusterRole, which is explicitly denied direct `get`/`list` on Secret objects, can recover the entire `.dockerconfigjson` credential payload by reading InfraEnv status. This constitutes a confirmed RBAC bypass (CWE-201) demonstrated via a reproduced proof-of-concept; no active exploitation via CISA KEV has been recorded at time of analysis.
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, high-privileged authenticated attacker to perform unauthorized operations via the /admin/update/ Super Admin Password Handler endpoint. The intelligence tags this as an authentication bypass, suggesting a higher-privileged admin role boundary can be crossed - potentially allowing one admin to manipulate super admin credentials beyond their authorized scope. No public exploit identified at time of analysis; however, vendor behavior (deleting the GitHub disclosure issue without explanation and ignoring email contact) creates significant uncertainty around patch availability and actual vulnerability scope.
Remote code execution in Dokploy 0.27.0 through 0.29.2 allows unauthenticated attackers to forge email-verification JWTs using a hardcoded BETTER_AUTH_SECRET fallback ('better-auth-secret-123456789'), auto-sign-in as admin, and run arbitrary commands on the host through the built-in SSH terminal. The flaw carries a CVSS 10.0 score with network attack vector and no required privileges, and while no public exploit is identified at time of analysis, the trivially guessable secret makes weaponization straightforward.
{} instances that inherit from Object.prototype - and setProxy() in lib/adapters/http.js reads proxy.username and proxy.auth without hasOwnProperty guards, allowing prototype-polluted values to forge a Proxy-Authorization header injected into every proxied request. A working proof of concept has been publicly disclosed by the reporter; no active exploitation has been confirmed (not in CISA KEV).
DNS zone file injection in Froxlor (versions before 2.3.7) allows authenticated users with DNS management permissions to inject arbitrary records into bind9 zone files through incomplete validation of LOC, RP, SSHFP, and TLSA record types. This is the second attempt at fixing the issue (originally tracked as CVE-2026-30932) - the LOC regex still matches newlines via \s+, TLSA matchingType=0 accepts unbounded hex payloads, and validators return raw input without zone-file escaping. Publicly available exploit code exists demonstrating both pre-fix injection and post-fix bypasses, though no public exploit identified in active campaigns at time of analysis.
Authorization bypass in Froxlor 2.3.6 allows an authenticated low-privileged customer with shell delegation enabled to assign an arbitrary login shell (e.g., /bin/bash) to an FTP account, escaping the administrator-defined system.available_shells whitelist. On default Debian-based deployments using nssextrausers, a root-owned cron job propagates the attacker-chosen shell into /var/lib/extrausers/passwd, converting the FTP-only account into an interactive host shell account. Publicly available exploit code exists (POC published in the GHSA advisory); no public exploit identified at time of analysis as being actively used in the wild.
Token leakage in GitHub CLI versions through 2.92.0 causes authentication tokens to be transmitted to unintended hosts when users run gh attestation, gh release verify, or gh release verify-asset commands. The flawed host normalization collapses *.github.com subdomains to github.com, leaking github.com tokens to tuf-repo.github.com (a GitHub Pages domain), while GH_ENTERPRISE_TOKEN values leak to external hosts tuf-repo-cdn.sigstore.dev and tmaproduction.blob.core.windows.net. No public exploit identified at time of analysis, and the vendor (GitHub) reports no evidence that tokens were captured or misused.
Unauthenticated arbitrary user deletion in the WP Travel Pro WordPress plugin (versions through 10.6.0) allows remote attackers to delete any WordPress account, including administrators, via an exposed REST API endpoint. The flaw stems from a broken permission callback combined with missing role validation, producing a CVSS 9.1 integrity/availability impact. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward for any actor reading the advisory.
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display allows a physically proximate attacker to reach the fully unlocked user interface without entering a PIN. The system's boot-sequence logic (CWE-696) uses the mere presence of Wireless Control Module (WCM) CAN bus traffic as a proxy for immobilizer-fitment, and silently drops the PIN gate when no WCM messages appear - a condition an attacker can manufacture by suppressing the WCM via a CAN bus-off technique during the boot window. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical proximity to the vehicle to access the fully unlocked infotainment interface without entering the correct PIN. The root cause (CWE-696, Incorrect Behavior Order) is that the system treats the presence of Wireless Control Module (WCM) CAN bus traffic during its startup boot window as a proxy for immobilizer detection, and skips PIN enforcement entirely when no WCM messages are observed - a condition an attacker can manufacture by silencing the WCM. Reported by ASRG with no public exploit code and no CISA KEV listing; specific timing and protocol details have been withheld pending vendor remediation.
Authentication bypass in FreePBX User Control Panel (UCP) versions 15.0.42 through 16.0.44 and 17.0.0 through 17.0.6 allows remote unauthenticated attackers to access UCP accounts using hard-coded initial template credentials when administrators fail to rotate them after enabling the feature. With a CVSS 4.0 score of 9.3 and CWE-798 (Use of Hard-coded Credentials), the flaw exposes high-confidentiality and high-integrity impact to the affected component, though no public exploit identified at time of analysis.
CAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM)-enforced immobilizer, enabling vehicle operation without legitimate anti-theft deactivation. An attacker within physical or adjacent proximity drives the WCM's CAN controller into bus-off state by incrementing its transmit error counter past the threshold, permanently silencing the WCM's periodic shutdown command. Because peer ECUs treat WCM silence as benign rather than a security event - a fail-open design - the motorcycle becomes fully operable as though the immobilizer were properly unlocked. No public exploit code has been identified at time of analysis; ASRG is withholding full protocol details pending vendor remediation, reported under CVE-2026-49316.
Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wireless Control Module wiring harness to leave the motorcycle fully operable without ever supplying a valid rider PIN. The root flaw is a fail-open ECU design: the peer ECU cannot distinguish an authenticated WCM shutdown pulse from a simple open-circuit condition caused by disconnecting the relevant wire pair, so wire interruption silently suppresses the immobilizer. Reported by ASRG under coordinated disclosure with connector details withheld; no public exploit has been identified and the vulnerability is not confirmed actively exploited (CISA KEV).
Unauthenticated backup file disclosure in Suprema BioStar 2 server (versions 2.9.3 through 2.9.11) allows remote attackers to download sensitive backup ZIP archives directly via predictable '/download/' URLs when the administrator places the backup path inside the NGINX webroot. The exposed archives can contain database credentials and cryptographic material enabling server impersonation, database compromise, and lateral movement. No public exploit identified at time of analysis, but SSVC rates the flaw as automatable with total technical impact and CVSS 4.0 scores it 10.0.
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to perform privileged actions through the Console WebUI via an alternate path or channel. Discovered by Nozomi Networks Labs, the flaw scores CVSS 9.3 (Critical) under v4.0 with network attack vector and no privileges required, though EPSS is low at 0.14% (34th percentile) and no public exploit identified at time of analysis. Given Waterfall's role in OT/ICS unidirectional gateway deployments, successful exploitation of the management console could enable adversaries to manipulate security-critical configurations.
Authorization bypass in Mautic 7 API v2 endpoints allows authenticated low-privilege users to read or modify records owned by other users, undermining role-based ownership scopes such as viewown and editown. The flaw was reported by Mautic and disclosed via GHSA-2jrw-c95w-h43g; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication bypass in Red Hat OpenShift Container Platform 4 Router allows remote unauthenticated attackers to impersonate TLS client certificate identities by injecting X-SSL-Client-* headers over plain HTTP. The flaw affects Routes configured with insecureEdgeTerminationPolicy set to Allow, where the HTTP frontend fails to strip these trusted headers from inbound requests. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation status as none with total technical impact.
Unauthenticated modification of SEO metadata settings is possible in the Rank Math SEO WordPress plugin through version 1.0.271, stemming from a missing authorization check on the REST API function `update_site_editor_homepage`. Remote, unauthenticated attackers can overwrite homepage title, meta descriptions, breadcrumb labels, and social media metadata, enabling SEO poisoning campaigns and injection of malicious content into breadcrumb components rendered sitewide. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity and requires no authentication.
Hardcoded AES encryption key in the upload.cgi binary of the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) allows remote unauthenticated attackers to decrypt, tamper with, and re-encrypt device backup files, enabling persistent backdoor injection on affected devices. The CVSS 4.0 score of 10.0 reflects full compromise of confidentiality, integrity, and availability across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and CISA SSVC reports exploitation status as 'none', though the issue is flagged as automatable with total technical impact.
Credential disclosure in the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) exposes the acer_cgi.log file over the web interface without authentication, leaking cleartext web and Telnet login credentials to any network-reachable attacker. With CVSS 4.0 of 10.0 and a vector indicating no privileges or user interaction, exploitation enables full device takeover; no public exploit identified at time of analysis, but the trivial nature of fetching a log file makes weaponization straightforward.
Information disclosure in the Acer Predator Connect W6x router's MQTT broker allows authenticated low-privileged actors to subscribe to wildcard topics and observe all MQTT traffic traversing the device. The flaw stems from improper access control (CWE-284) on broker subscriptions, enabling cross-tenant data exposure with high confidentiality impact and scope change to other subscribed services. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Payment bypass in the Contact Form 7 - PayPal & Stripe Add-on for WordPress (all versions up to and including 2.4.9) permits unauthenticated attackers to complete arbitrary pending orders without tendering the required payment amount. The IPN handler correctly authenticates PayPal callbacks via the `cmd=_notify-validate` round-trip, but then blindly trusts the attacker-controlled `invoice` field and passes it to `cf7pp_complete_payment()` without verifying that `mc_gross`, `mc_currency`, or `receiver_email` in the IPN match the stored order values - resulting in full order completion triggered by a minimal real payment. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the direct financial incentive and low attack complexity elevate real-world priority beyond what the medium CVSS score alone implies.
Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unauthenticated attackers to reach app-facing web endpoints by sending an HTTP Authorization header whose Base64 payload is intentionally malformed, because the endpoint treats a decoding failure as a pass rather than a rejection. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high confidentiality, integrity, availability impact on both vulnerable and subsequent systems) reflects full takeover potential against an internet-reachable consumer/SOHO router, though no public exploit identified at time of analysis.
Unauthenticated command execution on Acer Predator Connect W6x routers exposes the /sbin/mtk_dut debug binary on TCP port 9000, allowing any device on the LAN to issue arbitrary UCC (Unified Configuration Command) instructions without credentials. The flaw affects Predator Connect W6x firmware W6x_GBL_2.00.000005 and earlier, and at the time of analysis there is no public exploit identified, though the trivial protocol (raw TCP, no auth) makes weaponization straightforward once discovered.
Authentication bypass in the OTP Login With Phone Number, OTP Verification WordPress plugin versions 1.8.50 through 1.8.60 allows unauthenticated remote attackers to log in as any user - including administrators - whose phone number is stored in user meta. The flaw stems from the Firebase OTP verification flow failing to bind the verified Firebase session to the phone number supplied in the request, so attackers can verify their own phone via Firebase and then submit a victim's number to be authenticated as that victim. No public exploit identified at time of analysis, but the trivial logic flaw and CVSS 9.8 score make this a critical priority.
Authorization bypass in BankPro E-Service Technology's Service Center application allows authenticated remote attackers to read other users' electronic commerce order details by tampering with an object identifier parameter in a query function. The CVSS 4.0 vector (AV:N/PR:L/VC:H) reflects a high-confidentiality impact over the network with low privileges and no user interaction, and there is no public exploit identified at time of analysis. The flaw is an Insecure Direct Object Reference (IDOR) reported by TWCERT, affecting financial/EC order data that is typically subject to privacy and PCI-DSS scrutiny.
Remote unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (all versions through 6.1.0) allows attackers to create a new administrator account and authenticate as that user, resulting in complete site takeover. The flaw stems from an AJAX handler exposed to unauthenticated users and protected only by a publicly-embedded nonce, making the access check ineffective. No public exploit identified at time of analysis, but the trivial nature of the bug (default-enabled handler, no authentication, magic login URL returned to the caller) makes weaponization straightforward once details circulate.
HTTP request smuggling in libsoup allows remote unauthenticated attackers to exploit an unsigned-to-signed integer conversion error in the `soup_body_input_stream_read_chunked()` function via a crafted HTTP request. The vulnerability is confined to specific proxy topologies where libsoup operates either behind or in front of a non-libsoup HTTP intermediary, and successful exploitation can result in authentication bypass, web cache poisoning, or unauthorized access. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the integrity and confidentiality impacts warrant urgent attention in any affected mixed-proxy deployment.
Local privilege escalation in ASUS Armoury Crate allows an authenticated low-privileged user to bypass driver validation and gain unauthorized read/write access to physical memory. The flaw stems from incorrect permission assignment (CWE-732) on a critical resource exposed by the application's kernel driver, enabling memory tampering that can be leveraged for full system compromise. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.
Site isolation bypass in Google Chrome for Android (prior to 148.0.7778.216) enables a remote attacker who has already achieved renderer process compromise to cross Chrome's site isolation boundary via a specially crafted HTML page. The flaw resides in the Input handling component (CWE-346: Origin Validation Error), where improper implementation fails to enforce origin boundaries adequately within the renderer context on Android. No public exploit code exists and no active exploitation has been identified at time of analysis; EPSS is 0.02% (4th percentile) and SSVC rates exploitation as none - consistent with the high-complexity, chained-attack prerequisites.
Same-origin policy bypass in Google Chrome's Media component allows remote attackers to read or manipulate cross-origin data via a crafted video file. Affected are all Chrome versions prior to 148.0.7778.216 on desktop platforms, confirmed via ENISA EUVD-2026-33131 and the Chrome stable channel advisory. The CVSS vector (PR:N/UI:R) indicates no authentication is required but victim interaction is necessary; EPSS sits at 0.02% (4th percentile), and no active exploitation is confirmed in the CISA KEV catalog, making this a medium-priority issue despite the network-accessible attack vector.
Site isolation bypass in Google Chrome's Printing component (versions prior to 148.0.7778.216) enables an attacker who has already compromised the renderer process to escape cross-origin data boundaries via a crafted HTML page. The root cause is insufficient input validation (CWE-20) in the printing subsystem, which fails to properly sanitize renderer-supplied data before acting on it in a security-sensitive context. With an EPSS of 0.02% (6th percentile), no CISA KEV listing, and no public exploit identified at time of analysis, this functions primarily as a post-exploitation escalation primitive rather than an initial access vector.
Site isolation bypass in Google Chrome prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to escape cross-origin boundaries via a crafted HTML page. The attack is constrained by a two-stage prerequisite: an existing renderer compromise plus user interaction with the malicious page, reflected in a CVSS score of 5.0 (AC:H/UI:R). No public exploit identified at time of analysis and an EPSS of 0.02% (6th percentile) indicate very low probability of widespread exploitation, though the technique is meaningful as a post-exploitation escalation primitive.
Same-origin policy bypass in Google Chrome for iOS (all versions prior to 148.0.7778.216) allows an attacker who has already achieved renderer process compromise to cross browser origin boundaries via a crafted HTML page, potentially exposing restricted cross-origin content. The root cause is insufficient validation of untrusted input (CWE-20) in iOS-specific Chrome code, a platform-divergent codepath not present in desktop Chrome. No public exploit has been identified and no CISA KEV listing exists; however, Chromium's internal 'High' severity rating contrasts with the NVD CVSS score of 3.1, reflecting that the renderer pre-compromise prerequisite substantially constrains standalone exploitability while the SOP bypass itself carries serious chaining potential.
Uninitialized memory use in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome versions prior to 148.0.7778.216 enables a remote attacker - who has already achieved renderer process compromise - to bypass site isolation via a specially crafted HTML page. This is a chained exploitation scenario: the vulnerability is not standalone, but serves as a second-stage primitive to break Chrome's cross-origin security boundary once an initial renderer foothold exists. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (3rd percentile) reflects minimal observed exploitation activity.
Site Isolation bypass in Google Chrome prior to 148.0.7778.216 enables a remote attacker - who has already compromised the renderer process - to escape cross-origin protections by delivering a crafted MHTML page. Rooted in CWE-20 (Improper Input Validation) within Chrome's Site Isolation subsystem, successful exploitation yields limited confidentiality, integrity, and availability impact across cross-origin content boundaries. No public exploit code has been identified and no CISA KEV listing exists; EPSS sits at 0.02% (6th percentile), consistent with a constrained, multi-prerequisite attack chain rather than widespread opportunistic exploitation.
Incorrect authorization in OpenStack Neutron 26.0.0 through pre-28.0.1 allows authenticated project readers to write (create and update) tags on same-project resources, exceeding their intended read-only scope. The root cause is a naming mismatch in the tagging controller: single-tag write operations are enforced using plural policy action names (e.g., 'add_tags'), while the configured policy rules use singular names (e.g., 'add_tag'). Because the plural names do not match any defined rule, OpenStack's default policy behavior evaluates the action as permitted. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Timing-based user account enumeration in TREK collaborative travel planner (prior to 3.0.18) leaks the existence of registered email addresses through measurable login response latency. When an email exists in the database, the backend performs a bcrypt password comparison before returning HTTP 401, adding approximately 370 ms of latency; when the email does not exist, the backend returns immediately in approximately 10 ms - a ~14× discrepancy that is reliably detectable despite identical HTTP status codes and response bodies. CVSS AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation with no special configuration required; no public exploit identified at time of analysis and this CVE is not listed in CISA KEV.
Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing a pre-migration token holder to bypass per-user data filtering and access other users' workspace content. Affected are all AnythingLLM installations (cpe:2.3:a:mintplex-labs:anything-llm) prior to version 1.13.0 that have undergone a single-user to multi-user migration while mobile device tokens existed. An attacker retaining a previously approved mobile token can enumerate workspaces and retrieve thread metadata and chat history belonging to other users. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.
Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes belonging to other users whenever those resources have non-private visibility. The flaw exists in both the web UI and the REST API because the update() policy checks validate visibility instead of ownership, while delete() correctly enforces ownership. No public exploit identified at time of analysis, but the bug is trivially exploitable by any registered account on a vulnerable instance.
Authentication bypass in FUXA 1.3.0-2773 renders the `secureEnabled=true` configuration ineffective, exposing project topology, alarm configurations, and scheduler data to unauthenticated or invalid-token HTTP requests. The flaw originates in `server/api/jwt-helper.js`, where `verifyToken()` silently converts missing or malformed JWT tokens into a guest context rather than rejecting the request - and downstream route handlers accept that guest context without further authorization checks. Publicly available exploit code exists (documented reproduction steps in GitHub advisory GHSA-r9g5-7q8j-958c), and a vendor-confirmed fix was released in v1.3.1.
Unauthenticated network-based data integrity compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows remote attackers to perform unauthorized insert, update, or delete operations against accessible ORDS data via HTTPS. The vulnerability resides in the Core component and is classified as an Authentication Bypass, meaning the access control enforcement in ORDS's request pipeline can be circumvented without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the exploit path is straightforward for any network-adjacent attacker.
Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data.
Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit identified at time of analysis. The scope-change designation is the key differentiator - successful exploitation extends beyond ORDS itself into systems it fronts, most notably the backing Oracle Database.
Unauthorized data access and modification in Oracle Payroll (a module of Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker with HTTP network access to read, create, delete, or modify any data accessible to the Oracle Payroll application. The flaw carries a CVSS 8.1 due to high confidentiality and integrity impact with low attack complexity, but no public exploit identified at time of analysis and it is not listed in CISA KEV. The advisory was published as part of Oracle's Critical Patch Update cycle (CPU May 2026).
Account takeover in Oracle Payroll (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker with HTTPS network access to fully compromise the Payroll application. The CVSS 8.8 vector indicates low complexity and no user interaction, meaning any authenticated EBS user can pivot to full confidentiality, integrity, and availability impact on Payroll. No public exploit identified at time of analysis, but the issue was disclosed in Oracle's Critical Patch Update advisory and warrants prompt patching given the sensitivity of payroll data.
Unauthorized data access in Oracle Public Sector Financials (International), a module of Oracle E-Business Suite versions 12.2.6 through 12.2.15, allows low-privileged remote attackers to read sensitive data across module boundaries due to a flaw in the Authorization component. The scope-changed CVSS 7.7 vector indicates exploitation can affect resources beyond the vulnerable component itself, expanding the blast radius to other EBS data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit identified at time of analysis, but Oracle's inclusion in the May 2026 Critical Patch Update warrants immediate attention.
Unauthorized data access in Oracle E-Business Suite's Financials Common Modules (versions 12.2.3 through 12.2.15) allows low-privileged remote attackers to read sensitive data via HTTP, with a scope change that extends impact beyond the vulnerable component to other Oracle products. The flaw carries a CVSS 3.1 base score of 7.7 reflecting high confidentiality impact, but no public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.
Cross-product data exposure in Oracle Financials Common Modules (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker to access or modify sensitive financial data over HTTP. The scope-changed nature of the flaw means exploitation impacts additional Oracle products beyond Financials Common Modules itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit identified at time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.
Unauthorized data modification and disclosure in Oracle E-Business Suite (Oracle Payments component, File Transmission) versions 12.2.3 through 12.2.15 allows unauthenticated remote attackers over HTTPS to read, alter, create, or delete all Oracle Payments-accessible data. The flaw carries a CVSS 3.1 base score of 7.4 with high confidentiality and integrity impact but no availability impact, and is rated high attack complexity. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit identified at time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.
Unauthorized data access and modification in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows low-privileged remote attackers to read, create, modify, or delete any data accessible via the service. The flaw is network-reachable over HTTPS with low attack complexity (CVSS 8.1) and was disclosed by Oracle in the May 2026 Critical Patch Update. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.
Sandbox escape in nono-cli allows a sandboxed process to fully break out of Landlock/seccomp confinement by communicating over the unmediated per-user systemd D-Bus Unix domain socket. Versions prior to 0.55.0 of the Rust CLI crate are affected, specifically when using bundled profiles such as 'claude-code' that permit bash execution. An attacker - or a prompt-injected AI coding agent - can invoke systemd-run --user from within the sandbox to spawn an unsandboxed sibling process capable of writing anywhere the launching user can write, executing arbitrary commands, and establishing network connections. A working proof-of-concept reproducer is publicly available in the GitHub Security Advisory GHSA-27vp-2mmc-vmh3; no CISA KEV listing exists at time of analysis.
Unauthorized firmware installation in the XCharge C6 charging controller stems from missing cryptographic signature verification in its management-channel update mechanism, enabling remote attackers who can interpose on or impersonate the management interface to push malicious firmware. Successful exploitation yields high-privilege code execution on the EV charging device, and the issue is tracked in CISA ICS advisory ICSA-26-148-08 with no public exploit identified at time of analysis.
CORS origin reflection in RustFS's S3 listener exposes stored object data to cross-origin theft via browser-credentialed requests against all versions prior to 1.0.0-beta.2. When the RUSTFS_CORS_ALLOWED_ORIGINS environment variable is unset - the default state - the ConditionalCorsLayer middleware reflects any incoming Origin header verbatim as Access-Control-Allow-Origin while simultaneously asserting Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: *, including on preflight and error responses, nullifying the browser's same-origin policy protections. An unauthenticated attacker (PR:N) who lures a victim with ambient RustFS credentials to a malicious web page can exfiltrate object storage contents; no confirmed active exploitation (CISA KEV) and no public exploit identified at time of analysis. The fix is vendor-released in 1.0.0-beta.2.
Authentication bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) allows unauthenticated remote attackers to forge valid internode RPC requests by exploiting a hardcoded fallback secret 'rustfsadmin' used when neither RUSTFS_RPC_SECRET nor the global S3 secret key is configured. With a CVSS of 9.8 and full CIA impact, this represents a critical pre-auth compromise vector against the storage cluster's internal trust boundary. No public exploit identified at time of analysis, though the fallback secret is publicly visible in the source tree, making weaponization trivial.
Improper authorization in RustFS prior to 1.0.0-beta.2 allows authenticated users to perform unauthorized cross-bucket object copies via the S3-compatible UploadPartCopy operation, bypassing destination-bucket policy constraints on permitted copy sources. The Rust-based distributed object storage system validates GetObject on the source and PutObject on the destination independently but never checks whether the destination bucket actually permits the specified source, enabling lateral data movement between buckets. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unauthenticated webhook event injection in Symfony's Mailtrap Mailer bridge (symfony/mailtrap-mailer) allows any remote attacker who knows the webhook endpoint URL to POST arbitrary forged event payloads - delivery, bounce, open, click, or spam - regardless of whether a signing secret is configured. The root cause is that `MailtrapRequestParser::doParse()` accepts the configured secret as a parameter but never reads it, leaving the `X-Mt-Signature` HMAC header completely unchecked. Successful exploitation enables suppression-list poisoning, delivery-metrics fraud, and manipulation of application logic that reacts to email events. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vendor patch is available in versions 7.4.12 and 8.0.12.
Unauthenticated webhook event injection in Symfony's Mailjet Mailer and LOX24 SMS Notifier bridges allows remote attackers to POST arbitrary forged payloads to an application's webhook endpoint, even when a webhook secret is configured. The root cause is that both `MailjetRequestParser::doParse()` and `Lox24RequestParser::doParse()` accept a secret parameter but silently discard it, returning the payload unconditionally. Attackers who can discover the webhook URL can fabricate bounce, spam, open, click, or delivery events, leading to suppression-list corruption and delivery-metrics fraud. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
CPU and log amplification in opentelemetry-go's baggage parser allows remote unauthenticated attackers to trigger denial-of-service by submitting oversized or malformed W3C baggage headers to any instrumented Go service. PR #7880 inadvertently removed the upfront raw-length check and per-member size guard from `baggage.Parse`, meaning the parser now fully tokenizes and percent-decodes every member of an arbitrarily large input rather than rejecting it early. A publicly available proof-of-concept exists (GHSA-5wrp-cwcj-q835); the vulnerability is not yet listed in CISA KEV, and impact is bounded to availability with no confirmed confidentiality or integrity consequence.
Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. No public exploit identified at time of analysis, though the trivial nature of the abuse (substituting a browser-visible projectKey) makes weaponization straightforward.
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from one tenant to read, update, or delete feature-flag and assist-stats data belonging to another tenant. The vulnerability exists because ProjectAuthorizer skips its tenant-scoped authorization check when the route parameter does not exactly match the camelCase string 'projectId', and EE feature-flag queries filter only on project_id without enforcing tenant_id isolation. Affecting all EE multi-tenant deployments prior to 1.26.0, no public exploit code has been identified at time of analysis, though the sequential integer ID scheme makes enumeration trivially feasible for any authenticated attacker.
Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.
EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.
{id}/pin endpoint, where the server returns a 403 Forbidden response but the targeted record is already persistently modified. A publicly available exploit exists; this vulnerability is not confirmed actively exploited per CISA KEV, and impact is constrained to unauthorized data integrity modification without confidentiality or availability consequences.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- auth
- Total CVEs
- 31281