Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31286)

EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from one tenant to read, update, or delete feature-flag and assist-stats data belonging to another tenant. The vulnerability exists because ProjectAuthorizer skips its tenant-scoped authorization check when the route parameter does not exactly match the camelCase string 'projectId', and EE feature-flag queries filter only on project_id without enforcing tenant_id isolation. Affecting all EE multi-tenant deployments prior to 1.26.0, no public exploit code has been identified at time of analysis, though the sequential integer ID scheme makes enumeration trivially feasible for any authenticated attacker.

Authentication Bypass Openreplay
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.

TP-Link Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity Provider to forge or replay SAML responses to /api/acs and obtain a valid session without an originating AuthnRequest. Because the SAML callback handler also processes responses using the IdP snapshot loaded at request start, a session can be issued even after an administrator has disabled or deleted the malicious IdP. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.01%, but the vulnerability was reported through CERT/CC and tagged as an Authentication Bypass.

Authentication Bypass Casdoor
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.

Authentication Bypass Espocrm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

{id}/pin endpoint, where the server returns a 403 Forbidden response but the targeted record is already persistently modified. A publicly available exploit exists; this vulnerability is not confirmed actively exploited per CISA KEV, and impact is constrained to unauthorized data integrity modification without confidentiality or availability consequences.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

MFA enforcement in Casdoor 2.362.0 and earlier is completely bypassable via the social-login binding flow, where controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, granting fully authenticated sessions to users who should face a second factor. Remote unauthenticated attackers with access to a linked social identity provider account can exploit this to authenticate as any MFA-protected Casdoor user, nullifying MFA as a compensating control. No public exploit has been identified at time of analysis and EPSS probability is 0.02%, though SSVC classifies the attack as automatable, indicating scripted mass exploitation is technically feasible once targeting criteria are met.

Authentication Bypass Casdoor
NVD
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated remote root access on SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 is achievable by submitting a hardcoded credential to recovery endpoints (mgmt.php, npcmd.php) in the web management interface. Attackers can then enable filtered SSH/Telnet services to obtain persistent root-level shell access. CVSS is 9.8 with publicly available exploit code, though no public exploit identified at time of analysis in CISA KEV.

PHP Authentication Bypass
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Hono's jwt and jwk middleware components fail to enforce the Bearer scheme in the Authorization header, allowing any two-part header value - such as 'Basic <token>' or 'Token <token>' - to pass JWT verification identically to a correctly formed Bearer request. All Hono releases prior to 4.12.21 on any supported JavaScript runtime are affected when these middlewares protect routes. No public exploit identified at time of analysis, and this is not listed in CISA KEV; real-world exploitation requires the attacker to already possess a valid, properly signed JWT.

Authentication Bypass Hono
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Jwt Attack Python +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Python Authentication Bypass Pyjwt
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated password reset in Mennekes Amtron EV charging stations running firmware 5.22.3 and earlier allows remote attackers to seize the operator account by sending a crafted POST to /operator/operator. CVSS 4.0 of 9.3 with PR:N/UI:N and CWE-287 reflects a complete authentication bypass, and the CVSS exploit maturity flag (E:P) plus the cyberdanube research disclosure indicate publicly available exploit code exists, though the vulnerability is not currently listed in CISA KEV.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authentication bypass in phpMyFAQ before 4.1.3 lets any unauthenticated remote attacker reset arbitrary user passwords - including SuperAdmin - by sending a PUT request to /api/user/password/update with only a valid username/email pair, with no token, rate limit, or out-of-band confirmation. The vendor-issued GHSA-w9xh-5f39-vq89 advisory and VulnCheck disclosure document the flaw, and publicly available exploit code exists in the form of a PoC curl invocation; no CISA KEV listing or EPSS score is provided in the input.

Authentication Bypass Phpmyfaq
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.

Authentication Bypass Phpmyfaq
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

SNS signature verification bypass in the Elixir ex_aws_sns library (versions 2.0.1 through 2.3.4) allows remote unauthenticated attackers to forge messages that pass ExAws.SNS.verify_message/1 checks. The verify_message/1 routine fetched the signing certificate from the attacker-supplied SigningCertURL field without restricting the scheme to HTTPS or the host to an AWS SNS certificate domain, so an attacker can host their own certificate, sign a forged payload, and have verification return :ok. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the upstream fix is published on GitHub (commit 1853d28) and shipped in 2.3.5.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory use in the Linux kernel HFS+ filesystem driver (hfsplus) can crash the kernel when a local user mounts a crafted, corrupted HFS+ image. The flaw in hfs_brec_read() allows a partial catalog record read - as few as 26 bytes into a 520-byte structure - leaving the nodeName field uninitialized; this data then propagates through hfsplus_cat_build_key_uni() into hfsplus_strcasecmp(), where it is used as array indices in case_fold(), triggering a kernel denial of service. No public exploit is identified at time of analysis and EPSS is very low at 0.02% (5th percentile); this is not listed in CISA KEV.

Linux Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Permission check bypass in the Linux kernel's fanotify subsystem allows local low-privileged users to circumvent access control decisions enforced by fanotify-based security tools. The flaw stems from fsnotify_get_mark_safe() incorrectly returning false for marks on unrelated groups, causing the permission event evaluation to be skipped entirely. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the impact on systems relying on fanotify for access control (antivirus, EDR, HSM) is significant.

Linux Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private project resources despite administrative revocation. Affected are all GitLab CE/EE instances running versions 18.9 through 18.10.6, 18.11 through 18.11.3, and 19.0.0 - patched versions 18.10.7, 18.11.4, and 19.0.1 were released 2026-05-27. A publicly available exploit exists via HackerOne report #3554993, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Gitlab Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.

Google WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in WPEverest's User Registration & Membership WordPress plugin (all versions through 5.1.5) allows deletion of arbitrary media attachments by exploiting missing ownership validation on user-controlled attachment IDs. Authenticated users at subscriber level or above can permanently destroy any media file uploaded by any other user, including administrators, by submitting a crafted attachment ID to the plugin's frontend handler. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the low barrier to exploitation - any registered site user qualifies - elevates practical risk on membership-driven WordPress sites.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Authentication Bypass Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; publicly available exploit code exists per WPScan, though there is no public exploit identified at time of analysis confirming active exploitation in CISA KEV.

WordPress Authentication Bypass
NVD WPScan
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-room message disclosure in Rocket.Chat allows any authenticated DDP user to read arbitrary messages - including those in private channels, direct messages, and E2EE rooms - by invoking the autoTranslate.translateMessage Meteor method with a target message ID. The flaw stems from missing access control and identity checks in the server-side method handler, with an upstream fix merged in PR #40528. No public exploit identified at time of analysis, though the trivial DDP call pattern makes weaponization straightforward.

Authentication Bypass Rocket Chat
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.

Jwt Attack Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset, and no public exploit identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Timetable and Event Schedule by MotoPress WordPress plugin (all versions through 2.4.16) allows authenticated contributors to bypass object-level authorization and read non-public content belonging to other users. The vulnerability exists in the action_get_event_data AJAX action, which accepts a user-controlled timeslot key with no ownership or visibility validation, exposing full WP_Post data - including post_content, post_excerpt, post_status, and post_author - for draft, pending, and private mp-event posts. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.

PHP WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization enforcement in Red Hat Build of Keycloak allows an authenticated user with existing organization membership to retrieve organization metadata through the account API or via OIDC token requests using the 'organization' scope, even when an administrator has explicitly disabled the Organizations feature. The flaw (CWE-863) means the feature-disabled state is not enforced at the data-access layer, so tokens and API responses continue to carry organization claims. This can cause downstream resource servers that consume those tokens to make incorrect authorization decisions - for example, granting access based on organizational membership that should no longer be recognized. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in OpenStack Keystone before 29.0.2 lets a user holding only the member role on a project chain unrestricted application credentials with Keystone trusts to obtain admin. Because Keystone validates delegated roles against the victim's actual database role assignments rather than the roles on the requesting token, an attacker who can impersonate a victim's token can mint a trust delegating the victim's admin role to themselves, with all activity logged under the victim's identity. Exploitation is only practical when paired with a separate application-credential impersonation flaw; EPSS is very low (0.03%) and there is no public exploit identified at time of analysis.

Authentication Bypass Keystone
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

User impersonation in OpenStack Keystone before 29.0.2 allows an authenticated attacker to obtain a valid Keystone token attributed to an arbitrary victim user by exploiting a missing ownership check in the application credential authentication plugin. The attacker supplies their own application credential ID and secret while embedding a different user's name and domain in the request body, and Keystone issues a project-scoped token carrying the intersection of the attacker's application credential roles and the victim's project roles. This enables audit log evasion, exposure of the victim's credentials, and unauthorized action within shared OpenStack projects. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Red Hat
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authorization bypass in OpenStack Keystone before 29.0.2 lets any authenticated user override trusted RBAC policy targets by injecting attributes like user_id or project_id into the JSON request body. The enforce_call routine unconditionally merges the raw request body over database-derived target data, so low-privileged users can perform operations on resources owned by other users or projects. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.03%), but the flaw is trivially exploitable by any account and a vendor patch is available.

Python Authentication Bypass Keystone
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenStack Keystone's federated token rescoping mechanism allows authenticated federated users to indefinitely extend their session beyond operator-configured token lifetime policies by repeatedly calling POST /v3/auth/tokens before each token expires. The root cause is that handle_scoped_token() in the mapped authentication plugin omits the expires_at field from its response, causing the token provider to silently issue a fresh default-TTL token instead of inheriting the original token's expiry. This effectively renders token lifetime enforcement inoperative for all SAML2 and OpenID Connect-backed federated deployments running Keystone versions prior to 29.0.2. No public exploit code exists and this is not listed in CISA KEV, but the technique is trivially repeatable by any valid federated user.

Authentication Bypass Red Hat
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken access control in Pimcore's CustomReports bundle lets an authenticated low-privileged backend user holding only the generic 'reports' permission read report configurations they were never granted access to. The listing endpoint filters reports by sharing rules while the detail endpoint (getAction) checks only generic permissions and then loads the report directly by name, so a report hidden from a user's visible list is still retrievable by name. A working PoC in the vendor advisory confirms the bypass; it is not in CISA KEV, EPSS is very low (0.03%), and vendor patches are available.

Docker PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

WordExportBundle in Pimcore CMS enforces only feature-level permission (`word_export`) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the `word_export` permission can supply arbitrary `type/id` parameters to `wordExportAction()` to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied `view` access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Docker PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Cross-connection response leakage in Microsoft UFO's WebSocket layer allows an authenticated low-privileged user to receive protocol responses intended for a different authenticated session. The flaw stems from a singleton UFOWebSocketHandler design where per-connection state is stored in shared mutable instance fields, causing each new connection to overwrite the previous connection's protocol object reference. No public exploit or CISA KEV listing exists at time of analysis, but the attack complexity is low and exploitation requires only standard authenticated access to the same UFO instance.

Microsoft Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated role spoofing in Microsoft UFO's WebSocket control plane (version 3.0.1-4-ge2626659) lets any client holding the shared server token impersonate the higher-privilege "constellation" role and hijack tasks belonging to other connected devices. The server trusts the client_type and target_id values carried in each TASK message instead of binding them to the role established when the WebSocket connection registered, and it also permits duplicate client_id registration that overwrites a live peer's stored socket and role. Rated CVSS 8.8 (high) with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis.

Microsoft Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated cross-client stale result replay in Microsoft UFO's WebSocket task handling allows a low-privileged attacker to retrieve another user's completed automation session output. The framework accepts client-supplied session_id values without verifying ownership, so a requester who knows or can predict a prior session's identifier can hijack its stored result via the normal send_task_end() callback path. No public exploit has been identified at time of analysis, and KEV listing is absent, but the High confidentiality impact (C:H) is significant given UFO orchestrates device automation tasks that may capture sensitive screen content, documents, or credentials.

Microsoft Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH while the module's deny_remote protection wrongly classifies the connection as a local terminal session. The root cause is an incomplete check of the utmpx ut_addr_v6 field that misreads IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) as having no remote address, which is the normal way Debian and Ubuntu record incoming IPv4 SSH connections when sshd listens on the IPv6 wildcard. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the operation needed to trigger it is trivial once the operator possesses a registered token.

Debian Authentication Bypass Ubuntu
NVD GitHub
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Symlink-based authentication bypass and file corruption in pam_usb before 0.8.7 lets a local, low-privileged user defeat USB hardware authentication and overwrite root-owned files. By planting symlinks in the pad directory or on individual pad files, an attacker abuses CWE-59 link-following during the one-time-pad rotation that pam_usb performs on login, redirecting privileged file operations. No public exploit code has been identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score is available; exploitation requires local access plus a triggering authentication event.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authorization bypass in Symfony 7.4.x (before 7.4.12) and 8.0.x (before 8.0.12) lets remote attackers reach controllers protected by #[IsGranted], #[IsSignatureValid], or #[IsCsrfTokenValid] attributes configured with methods: ['GET'] by sending an HTTP HEAD request, which the router dispatches to the GET handler while the security check is silently skipped. Affected controllers still execute - leaking response headers (Content-Length, Location, custom headers) and performing side effects such as database writes - despite the missing authorization, signature, or CSRF validation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%), but the flaw is a genuine access-control gap fixed in 7.4.12 and 8.0.12.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authentication bypass in Symfony's Security-Http CAS2 integration (Cas2Handler) lets an attacker impersonate a victim by spoofing the HTTP Host header. Affected versions 7.1.0-7.4.11 and 8.0.0-8.0.11 derive the CAS 'service' parameter from the client-controlled Host header when framework.trusted_hosts is unset (the default), so an attacker who controls another application registered with the same CAS server can replay a victim's service ticket against the Symfony app and log in as that victim. There is no public exploit identified at time of analysis, and EPSS is very low (0.06%), but the fix (7.4.12 / 8.0.12) is vendor-released.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.

CSRF Authentication Bypass Apache
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Apache Command Injection Jenkins +4
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Three distinct URL allowlist bypasses in Symfony's symfony/html-sanitizer component allow content authors to smuggle off-allowlist URLs past host and scheme restriction controls configured via allowLinkHosts(), allowLinkSchemes(), allowMediaHosts(), and allowMediaSchemes(). The root cause is a combination of parser-differential attacks exploiting divergence between RFC-3986 (used server-side) and the WHATWG URL Standard (used by browsers), plus misclassification of <area> elements as media rather than navigable links. Affected applications processing untrusted HTML with host/scheme allowlists in symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11 are at risk; no public exploit identified at time of analysis and this CVE does not appear in CISA KEV.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.

Authentication Bypass Pam Usb
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in pam_usb before 0.9.1 allows remote unauthenticated attackers to reach the USB hardware-authentication step over XDMCP when an administrator has set deny_remote=false - a common tweak for display managers like gdm-password or lightdm. Because the PAM_RHOST remote-client check is gated inside the same deny_remote conditional, disabling deny_remote inadvertently disables the safeguard that rejects remote connections, so a genuine remote XDMCP session is treated like a local one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (8.1) reflects full compromise of confidentiality, integrity, and availability if the attacker satisfies the configuration prerequisites.

Authentication Bypass Pam Usb
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Web application firewall body-inspection bypass in CrowdSec (the AppSec component, versions 1.5.0 through 1.7.7) lets unauthenticated remote attackers slip malicious payloads past every body-scanning WAF rule. When a request uses HTTP/1.1 'Transfer-Encoding: chunked' or HTTP/2 without a content-length, the parser treats the body as empty, so rules matching REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fail and the request is forwarded as 'allow' with no WAF log entry. There is no public exploit identified at time of analysis and no KEV listing, but the trigger is trivial - flipping a single framing header - making this a high-confidence protection-mechanism failure rather than a memory-safety bug.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Cleartext transmission of TLS-protected data in Deno's Node.js compatibility layer (node:tls / node:https) affects versions >= 2.0.0 and < 2.7.8: when autoSelectFamily (the Node-compat default) triggers an address-family fallback after the first connection attempt fails, the retry reuses a stale TLS upgrade hook bound to the dead handle, so the replacement TCP socket is never upgraded to TLS. Any data the application writes before the secureConnect event — request bodies, Authorization headers, tokens — leaves the host in plaintext. Publicly available exploit code exists (a working PoC in the GHSA advisory), but EPSS is only 0.02% and the issue is not in CISA KEV, so no public active exploitation is identified at time of analysis.

Node.js Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Missing authentication in Gladinet Triofox's Cloud Server Agent Access Service (GladServerAgentService.exe) lets remote, unauthenticated attackers reach privileged HTTP endpoints exposed on TCP port 7878. The service processes requests to paths such as /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache without an authentication check (CWE-306), and the CVSS vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H) rates the impact as full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and no EPSS score was provided, but the 9.8 base score and unauthenticated network reachability make this a critical-priority issue for any internet-exposed Triofox deployment.

Authentication Bypass Triofox
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated network attackers due to incorrect authorization checks (CWE-863). All GitLab installations running versions from 18.2 through the patched releases are affected - both Community and Enterprise editions. While the direct impact is limited to information disclosure (project enumeration rather than content access), exposed project names and IDs can facilitate targeted follow-on attacks against otherwise hidden repositories. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Gitlab Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to circumvent flow restrictions when foundational flows are enabled at the group level. Affecting all EE versions from 18.7 through 19.0 (prior to the respective patch releases), this flaw stems from missing authorization checks (CWE-862) and results in a low-integrity-impact, network-accessible exploitation path. No active exploitation has been identified (SSVC: Exploitation none), and GitLab has released patches across all affected branches as of 2026-05-27.

Gitlab Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo AI workflows to execute under another user's identity, crossing the trust boundary between accounts (CVSS scope: changed). The flaw stems from improper user identity resolution and affects GitLab Enterprise Edition 18.8 through 18.10.6, 18.11 through 18.11.3, and 19.0, with High confidentiality and integrity impact but no availability impact. No public exploit has been identified, CISA's SSVC marks exploitation as 'none,' and the High attack complexity (AC:H) combined with the 'under certain conditions' caveat indicates exploitation is non-trivial rather than push-button.

Gitlab Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

GitLab Enterprise Edition exposes sensitive deployment data to authenticated users holding only developer-role permissions due to missing authorization checks on deployment-related project resources (CWE-862). Affected versions span a wide range - all EE releases from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0 - making this broadly applicable across unpatched GitLab EE deployments. No public exploit identified at time of analysis per CISA KEV, though SSVC intelligence indicates proof-of-concept code exists, and a HackerOne report (3556381) corroborates researcher discovery.

Gitlab Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Authorization bypass in Himmelblau (the open-source Entra ID/Intune interoperability suite) versions 2.0.0 through 3.1.4 and the 2.3.x branch before 2.3.11 lets any authenticated user in the same Entra ID domain obtain a local Unix login session as a different user by presenting only their own valid credentials. The flaw lives in the token_validate function of the Device Authorization Grant flow, which matched only the domain portion of the User Principal Name and ignored the username (local part), so a low-privileged domain member can impersonate higher-value accounts on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue is a confirmed identity-spoofing defect fixed by the vendor.

Microsoft Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Disclosure of builder-configured REST Authorization secrets in Budibase before 3.39.0 allows a low-privileged 'Basic' app user to exfiltrate stored credentials to an attacker-controlled server. Because the single-datasource GET/PUT routes enforce only a generic TABLE READ permission (which the Basic role inherits via the WRITE set) instead of a Builder/Admin or ownership check, an authenticated user can repoint a REST datasource's base URL and trigger a saved query that leaks the resolved auth headers. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is rated CVSS 8.1 (high).

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Missing authorization in Budibase's webhook schema-building endpoint allows unauthenticated remote attackers to alter the body schema of a known webhook and, in turn, mutate the output schema of its associated automation trigger in any instance prior to 3.39.0. The CVSS 7.5 score is driven entirely by an integrity impact (I:H) with no confidentiality or availability effect, reflecting that an attacker can tamper with automation logic but not directly read data or crash the service. There is no public exploit identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score was provided in the source data.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation via missing authorization in Budibase before 3.38.2 lets any authenticated user — including low-privilege BASIC accounts and workspace-scoped builders — reach the worker's SCIM API and perform full CRUD on every user and group in the tenant. The SCIM router only enforced an Enterprise feature flag and SCIM context, never a role/admin check, so identity-management operations meant for administrators were exposed to all sessions. Fixed in 3.38.2; no public exploit identified at time of analysis, but the trivial nature of the flaw (a single missing middleware) makes it easy to weaponize once known.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper authorization in Frappe HR (HRMS) prior to version 16.5.0 allows any authenticated employee to read the leave records of other employees without permission. The root cause is CWE-863 (Incorrect Authorization) - the application authenticates the user but fails to enforce that the requesting employee is authorized to view the target employee's data. With a CVSS score of 6.5 (Medium) and a High confidentiality impact, this is a horizontal privilege escalation issue; no public exploit has been identified at time of analysis and it does not appear in the CISA KEV catalog.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in kvf-admin v1.0.0 allows authenticated remote attackers to elevate their privileges by abusing insecure permission checks within the UserController.java component. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.

Java Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Cryptographic signature verification bypass in Northern.tech Mender Client 5 (before 5.0.4) allows unauthenticated remote attackers to circumvent JWT-based authentication controls. Tagged as both an Authentication Bypass and a JWT Attack, this CWE-347 flaw means the client fails to properly validate cryptographic signatures on tokens, potentially enabling unauthorized access to protected functionality or data. No public exploit code has been identified at time of analysis, and the low EPSS score of 0.02% (5th percentile) suggests exploitation is not currently widespread.

Jwt Attack Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Kirby CMS's content-locking feature leaks authenticated users' email addresses and internal identifiers to low-privilege Panel users who are explicitly prohibited from seeing those users under role-based `users.access` or `users.list` permission restrictions. Any low-privilege authenticated Panel user on an affected site can harvest admin email addresses and user IDs during active content lock windows (default 10 minutes) simply by triggering an edit conflict or inspecting Panel view payloads. No public exploit has been identified at time of analysis, and exploitation is bounded to sites with non-default user-visibility restrictions, but the harvested data directly enables downstream phishing, credential stuffing, and admin account enumeration.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{path}` endpoint. The WebDAV controller never attaches an authentication plugin, and `Tree::move()` deletes the source asset before resolving the current user or checking any per-asset permission, so even an unauthenticated request that errors out later still destroys the source file. A working proof-of-concept request is published in the GitHub Security Advisory (GHSA-wc7j-g8wx-m2qx); there is no CISA KEV listing and no EPSS score in the provided data, so this is not confirmed as actively exploited.

PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in The Post Grid WordPress plugin (versions through 7.9.2) allows authenticated low-privileged users to bypass access control checks and read data restricted to higher-privileged roles. The flaw stems from inadequate capability enforcement within the plugin's request handling, enabling privilege escalation of access scope without elevated credentials. No public exploit identified at time of analysis, and CISA has not listed this in the KEV catalog; SSVC signals confirm no known active exploitation.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

TLS server impersonation in Erlang/OTP's public_key library lets a name-constrained subordinate CA forge a trusted identity for hostnames outside its permitted DNS subtree. By chaining a nameConstraints enforcement gap with a legacy CommonName fallback in pkix_verify_hostname/3, an attacker holding a DNS-restricted intermediate (e.g. permitted;DNS:allowed.example.com) can issue a SAN-less leaf whose CN is an out-of-scope host (e.g. victim.example.com) and have a stock ssl:connect client with verify_peer accept it. It affects OTP 19.3 through the fixed releases (public_key 1.4 onward) and is rated CVSS 4.0 7.6; there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Canonical Erlang Otp
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass via SQL injection in OpenRapid RapidCMS v1.3.1 allows unauthenticated remote attackers to manipulate the application's authentication logic by injecting crafted SQL payloads into the `name` cookie parameter processed by the `/template/default/menu.php` component. The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N) score reflects trivial remote exploitability with no prior authentication required, though the confidentiality and integrity impacts are rated Low and availability is unaffected. A public researcher writeup is linked in references, suggesting exploit techniques are documented, but no confirmed active exploitation (CISA KEV) has been recorded and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation activity at time of analysis.

PHP SQLi Authentication Bypass
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.

Google Information Disclosure Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Identity spoofing in Symfony's Security-Http component (the X509Authenticator) lets a certificate-based (mTLS) client authenticate as an arbitrary victim user. The extractUsername() routine used an unanchored regex that matched emailAddress= anywhere in the client certificate's Subject DN, so an attacker holding any certificate from a trusted CA with an attacker-controlled free-text CN can smuggle emailAddress=victim@target inside the CN and be logged in as that victim. Rated CVSS 4.0 9.1 (CWE-290) with a low EPSS of 0.05% (17th percentile); no public exploit identified at time of analysis and it is not in CISA KEV, but a vendor patch and regression tests are published.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Unauthorized file download in pretix's export API allows an authenticated attacker to retrieve export files belonging to other users by supplying a UUID not associated with their own account. Affected versions span a wide range from pretix 2024.10.0 through the 2026.4.x series prior to the 2026.4.2 patch. Exploitation is significantly constrained by the CVSS 4.0 AT:P (Attack Target: Prerequisite) condition - the attacker must independently obtain a valid UUID for a target file, making opportunistic exploitation unlikely absent a secondary information-disclosure weakness. No public exploit code exists and no active exploitation has been identified at time of analysis.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in ElementsKit Elementor addons Lite (WordPress plugin by Wpmet) through version 3.9.6 allows unauthenticated remote attackers to exploit incorrectly configured access control, resulting in limited unauthorized read access to protected data or functionality. The CVSS vector confirms network-based, zero-interaction exploitation with no authentication required, and SSVC classifies it as automatable - meaning attackers can scan and exploit at scale without manual intervention. No public exploit or CISA KEV listing exists at time of analysis, but the unauthenticated, low-complexity nature of the flaw makes it a realistic target for automated WordPress scanning campaigns.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Wpmet's ElementsKit Elementor addons Lite plugin for WordPress (versions through 3.9.6) permits authenticated low-privilege users to invoke privileged plugin functionality without proper access control verification. The CVSS vector (PR:L, I:L) confirms the attack requires a valid low-privilege WordPress account - such as a Subscriber - but grants unintended write-level access to restricted plugin operations. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk moderate; however, the network-accessible, low-complexity nature of the flaw means any authenticated user on an affected installation is a potential threat actor.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the WP Meta and Date Remover WordPress plugin (versions through 2.3.6) allows low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in unauthorized read access to restricted information. The CVSS vector (PR:L, C:L) confirms that exploitation requires a valid WordPress account and yields only partial confidentiality exposure with no integrity or availability impact. No public exploit code has been identified and CISA SSVC rates exploitation as none, making this a lower-urgency but real access control gap in WordPress environments running the affected plugin.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the DearFlip WordPress flipbook plugin (versions through 2.4.27) allows authenticated low-privileged users to bypass access control checks and read restricted data. The flaw, classified under CWE-862, permits exploitation of incorrectly configured access control security levels within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates technical impact as partial.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the Adminimize WordPress plugin (versions through 1.11.11) allows authenticated low-privileged users to exploit incorrectly configured access control security levels, resulting in unauthorized read access to restricted information. The flaw, classified under CWE-862, was discovered by Patchstack's audit team and affects the plugin's role-based admin interface customization logic. No public exploit or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with only partial technical impact.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in the SVG Support WordPress plugin (versions through 2.5.14) allows low-privileged authenticated users to perform unauthorized actions due to missing authorization checks on one or more plugin functions. The vulnerability (CWE-862) enables an attacker with a basic WordPress account to circumvent access control restrictions and make unauthorized modifications, impacting integrity without exposing sensitive data or causing service disruption. No public exploit code or active exploitation has been identified at time of analysis, and SSVC assessment rates exploitation as none with partial technical impact.

Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{client_id}-sensors$', the unsanitized client_id value is embedded directly into the server-side regex, letting a crafted client_id (e.g., '.*' or 'legit|(admin)') alter the pattern's matching logic and grant access to topics the user should not reach. No public exploit has been identified at time of analysis, and the attack requires both valid MQTT credentials and a specifically configured authorization policy, but the high subsequent system impact (SC:H/SI:H per CVSS 4.0) elevates this beyond a simple medium-severity finding for affected deployments.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in Nocturne Memory before 2.4.1 lets any network-adjacent client gain unauthenticated read/write/delete access to the full Knowledge-Graph API when operators deploy the default Docker configuration without setting API_TOKEN. Because the server binds to 0.0.0.0 with CORS allow_origins=["*"] and the BearerTokenAuthMiddleware silently disables auth on an empty token, an attacker on the same LAN can tamper with memory entries such as system://boot and core://* that auto-load into downstream MCP agent sessions, enabling persistent prompt-injection. There is no public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the source data.

Docker Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

Unauthorized invocation of the database migration endpoint (/actions/app/migrate) in Craft CMS 5.9.5 and earlier lets remote, unauthenticated attackers reach functionality that should be gated behind administrative authorization. The flaw stems from a missing authorization check (CWE-862) rather than a credential bypass on the login flow, and publicly available exploit code exists, though it is not listed in CISA KEV. CVSS is 7.3 with Low impact across confidentiality, integrity, and availability, reflecting partial rather than total compromise.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Transfer Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) through a heap-based buffer overflow in the asperahttpd component. An unauthenticated network attacker can corrupt memory to crash the service (denial of service) and, in the worst case, hijack execution flow to run arbitrary code or bypass authentication. There is no public exploit identified at time of analysis and SSVC lists exploitation as none, but the CVSS 9.8 rating and 'Automatable: yes' assessment mark this as a high-priority patching target.

RCE Denial Of Service Buffer Overflow +3
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19 allows remote attackers to access and modify protected resources without valid credentials, scoring CVSS 9.1 critical. The flaw exposes confidential file transfer data and permits unauthorized modification of integrity-protected assets across all affected releases. No public exploit identified at time of analysis, and EPSS predicts only a 0.02% near-term exploitation probability despite the high severity rating.

IBM Authentication Bypass
NVD VulDB
Prev Page 32 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31286

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy