Authentication Bypass

Authenticated Mattermost users can read private channel threads and direct messages they lack access to by exploiting the AI post rewrite endpoint. Versions 11.5.0 and 11.5.1 fail to verify channel membership before processing AI-assisted message rewrites, enabling privilege escalation from low-privileged authenticated users to access confidential communications. CVSS 6.5 reflects network-accessible attack with low complexity requiring only basic authentication. EPSS data not available; no public exploit or KEV listing identified at time of analysis.

{option}` or `/gitlab webhook {option}`, resulting in availability impact (A:H) to the Gitlab plugin infrastructure. CVSS 6.5 reflects moderate risk, with EPSS data and active exploitation status not available at time of analysis.

Authorization bypass in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated users with 'Manage Playbook Configurations' permission to reassign playbooks to arbitrary teams via PUT API, circumventing team membership restrictions. This access control flaw enables lateral privilege escalation across team boundaries without proper authorization checks. EPSS exploitation probability data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Mattermost Plugins through version 11.5 allow authenticated users to bypass group-level access controls and create issues or attach comments to locked groups they should not access. Attackers holding membership in multiple groups can exploit missing API-level authorization checks via direct API requests to write data into restricted groups, violating intended access boundaries. EPSS risk data not available; CVSS 4.3 reflects low-privilege authenticated network attack with low complexity. No active exploitation confirmed by CISA KEV at time of analysis, though vendor advisory (MMSA-2026-00602) confirms the vulnerability.

Authorization bypass in Mattermost Plugins allows authenticated users to subscribe to unauthorized notification groups by exploiting prefix-matching namespace validation. Affected versions (≤11.5, 11.1.5, 10.13.11, 11.3.4.0) fail to enforce group whitelisting, enabling low-privileged plugin users to create groups sharing prefixes with authorized groups and thereby receive notifications or access information from out-of-scope channels. EPSS data unavailable; not listed in CISA KEV; CVSS 4.3 reflects low-privilege network exploitation with limited integrity impact but no confidentiality or availability compromise.

Authenticated attackers can bypass token rotation in Mattermost's remote cluster invite confirmation process by reusing original invite tokens. The flaw affects Mattermost Server versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13, allowing token reuse despite intended security controls. While rated low severity (CVSS 3.7), this represents an authentication bypass vulnerability (CWE-863) that undermines session management security. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Privilege escalation in Mattermost Server allows authenticated users with revoked channel posting permissions to continue modifying their existing posts. Affected versions include 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3. Attackers bypass authorization controls by sending direct API requests to post update and patch endpoints, circumventing permission checks that should prevent post edits after privileges are revoked. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis. CVSS 4.3 (Medium) reflects low integrity impact limited to existing content modification.

Authorization bypass in Mattermost shared channel synchronization allows authenticated remote cluster administrators to remove arbitrary users from any channel, including private channels outside the attacker's authorization scope. Affects versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3. CVSS 4.3 reflects the low-privilege requirement (authenticated remote cluster) and limited impact scope (integrity only, no data exposure), though cross-tenant authorization violations in collaboration platforms warrant attention. EPSS data unavailable; no public exploit identified at time of analysis; not listed in CISA KEV.

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.

Authorization bypass in Tencent WeKnora's Config API endpoint allows authenticated attackers to access unauthorized knowledge bases by manipulating the kbId parameter in getKnowledgeBaseForInitialization function. Affects all versions up to 0.3.6. Publicly available exploit code exists via GitHub Gist, enabling low-complexity attacks with network access. CVSS 6.3 reflects moderate impact across confidentiality, integrity, and availability. EPSS data not available, but public POC increases exploitation likelihood. Vendor unresponsive to disclosure, indicating no official patch timeline.

Improper access controls in H2O-3's Rapids setproperty primitive allow remote unauthenticated attackers to modify system properties via the AstSetProperty.java exec function. The vulnerability permits low-impact integrity violations through manipulation of configuration settings accessible via the Rapids API. Public exploit code is available (VulDB 364379), increasing exploitation risk, though no active exploitation confirmed by CISA KEV at time of analysis. EPSS data not provided. Vendor unresponsive to disclosure attempts.

Improper authorization in Z-BlogPHP 1.7.4.3430 allows authenticated attackers to bypass comment approval controls via the CheckComment function in c_system_event.php. Remote exploitation requires low-complexity attacks with low-privilege credentials and no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). Public exploit code is available (VulDB 364334), enabling attackers to read, modify, or disrupt comment moderation workflows with low confidentiality, integrity, and availability impact. No vendor patch information identified at time of analysis; EPSS and KEV data not provided.

Improper authorization in Open5GS AMF/MME component (versions up to 2.7.6) allows authenticated network attackers to manipulate NGAP user context lookups, potentially accessing or interfering with other users' 5G/LTE sessions. The vulnerability stems from insufficient validation of AMF_UE_NGAP_ID and RAN_UE_NGAP_ID pairs in the ran_ue_find_by_amf_ue_ngap_id function, enabling attackers with low-level network privileges to bypass session-to-base-station association controls. Publicly available exploit code exists (GitHub issue #4498), and a vendor-released patch (commit 5746b857) is available. CVSS 6.3 (Medium) reflects network vector with low attack complexity but requires authentication.

Authentication bypass in Sanluan PublicCMS 5.202506.d allows remote unauthenticated attackers to access arbitrary user trade address data via manipulation of userId/id parameters in the TradeAddressListDirective component. Public exploit code exists (CVSS E:P), enabling unauthorized disclosure of confidential address information including names, phone numbers, and shipping details. EPSS data unavailable; not listed in CISA KEV. Vendor non-responsive to disclosure.

Das U-Boot bootloader versions before 2026.04 contain a cryptographic signature bypass vulnerability in FIT (Flat Image Tree) image verification. Local attackers with high privileges can bypass digital signature checks because the 'hashed-nodes' property is omitted from cryptographic hash calculations, allowing modification of signed boot images. This undermines the secure boot chain on embedded systems using U-Boot.

Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.

Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.

Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The checkout endpoint fails to verify cart ownership when processing a user-supplied cart_id parameter, enabling attackers to access and potentially complete purchases using another user's cart contents. This vulnerability has been patched in version 1.0.8.3.

Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. The vulnerability requires low-privileged authenticated access and has been patched in version 1.0.8.3.

{id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7.

{tagId} endpoint. The vulnerability affects versions before 4.1.2 and stems from missing authorization checks that allow any logged-in user, including regular frontend users, to permanently delete arbitrary tags using only a valid session cookie. While CVSS rates this 5.4 (Medium), the permanent data loss and FAQ organization disruption represent material operational impact. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists per VulnCheck advisory and GitHub security advisory GHSA-7cx3-2qx2-3g6w, lowering exploitation barriers for authenticated attackers.

Authorization bypass in phpMyFAQ versions prior to 4.1.2 allows any authenticated administrative user to access all permission-protected admin pages, regardless of their assigned privileges. The flaw resides in AbstractAdministrationController::userHasPermission() which sends a forbidden response but fails to terminate execution, leaking admin logs, user data, system information, and configuration. Publicly available exploit details exist via the GHSA advisory, though EPSS exploitation probability remains very low at 0.04%.

Authorization bypass in phpMyFAQ versions before 4.1.2 allows authenticated frontend users to access admin-only API endpoints and retrieve sensitive backend configuration data. The vulnerability stems from admin-api routes checking only login status (isLoggedIn) without verifying administrative privileges, enabling any valid user account to query dashboard versions, LDAP configuration details, Elasticsearch statistics, and health-check data. While this is an information disclosure issue rather than direct write access, it exposes internal infrastructure details useful for reconnaissance. The low CVSS score (4.3) reflects limited confidentiality impact, but defenders should prioritize remediation in environments where backend configuration exposure aids broader attack campaigns. Vendor patch available in version 4.1.2.

Insufficient authorization in phpMyFAQ 4.1.1 and earlier allows any authenticated user to enumerate sensitive system configuration metadata through 12 admin API endpoints. The ConfigurationTabController improperly uses userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), enabling low-privilege users to query /admin/api/configuration endpoints and discover the permission model, active template, cache backend, mail provider, translation settings, and other deployment details that should require administrative access. This information disclosure violates least privilege principles and aids reconnaissance for subsequent attacks. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in version 4.1.2.

Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.

Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).

Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.

Authenticated users in Sharp (a Laravel admin framework) can bypass authorization to download arbitrary files from any configured Laravel Storage disk through the generic download endpoint. The vulnerability allows authenticated users with view access to any single Sharp entity to download unrelated files including backups, invoices, internal documents, and tenant-specific data by manipulating the disk and path parameters. Sharp v9.22.0 fixes this by implementing signed URLs that prevent parameter tampering.

Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.

Rate limiter bypass in better-auth versions < 1.4.17 allows attackers to defeat authentication attempt limits by rotating through IPv6 addresses within their allocated /64 prefix or using different textual representations of the same address. The vulnerability affects authentication endpoints including sign-in, sign-up, and password reset when serving IPv6 clients, which includes most cloud providers by default. No public exploit identified at time of analysis.

Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.

Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.

Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.

Authenticated attackers with subscriber-level access can add arbitrary notes to any order in the Classified Listing - AI-Powered Classified ads & Business Directory Plugin (all versions up to 5.3.10) due to missing authorization checks, triggering unsolicited notification and moderation emails to listing owners. The plugin fails to verify user permissions before allowing note creation, enabling privilege escalation within WordPress installations where subscriber accounts exist. No public exploit code or active exploitation has been identified at the time of analysis.

Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.

Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.

Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.

Authenticated attackers with Contributor-level access can delete entire multi-currency configurations in FOX Currency Switcher Professional for WooCommerce by visiting any wp-admin page with a specific parameter, and the lack of nonce verification allows CSRF-based exploitation against administrators. Confirmed actively exploited (CISA KEV). CVSS 8.1 reflects high integrity and availability impact, with EPSS data unavailable. WordPress plugin affects versions ≤1.4.5, with patch released in version 1.4.6 per Wordfence advisory. The dual attack vectors (direct authenticated abuse and CSRF) significantly increase real-world risk for WooCommerce installations using this currency management plugin.

Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability

Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.

Improper access control between JTAG and AXI interfaces in AMD Ryzen 7040, 8000, 8040 mobile, and Embedded 8000 series processors allows attackers with physical access to read or modify cross-chip debug (XCD) registers, potentially compromising data integrity and confidentiality. The vulnerability requires physical proximity and specialized hardware capability but can bypass authentication mechanisms protecting debug interfaces. No public exploit code or active exploitation has been identified at the time of analysis.

Hedera Guardian through version 3.5.1 allows unauthenticated attackers to retrieve sensitive user information via the GET /api/v1/demo/registered-users endpoint, which lacks proper authentication controls. Attackers can access this endpoint without credentials to obtain usernames, Hedera DIDs, parent registry DIDs, system roles, and policy role assignments for all registered users. The vulnerability affects confidentiality with a CVSS score of 5.3 and has been fixed in the upstream repository via GitHub PR #6076.

Unauthorized deletion of preview resources in Tuist API allows authenticated attackers to delete arbitrary project previews regardless of ownership. An attacker with valid credentials can manipulate the DELETE endpoint's URL path to pass authorization checks against a project they control, while supplying any preview UUID to delete resources belonging to other users' projects. No public exploit code identified at time of analysis, but exploitation requires only low-complexity API manipulation with standard HTTP tools.

Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.

{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.

Unauthenticated attackers can invoke the GET `/api/v1/memories/ef` endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes `request.app.state.EMBEDDING_FUNCTION()` without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.

{note_id} endpoint, enabling unauthorized disclosure of potentially sensitive private data. The vulnerability is exploitable both when the notes feature is enabled in the UI and when disabled but re-enabled via /api/config endpoint manipulation, requiring only valid user authentication and UUID enumeration or guessing.

Authenticated attackers can exfiltrate and overwrite any user's private files in Open WebUI ≤0.9.4 by injecting victim file UUIDs into attacker-controlled folders or knowledge bases. Two distinct attack paths bypass authorization checks: folder-knowledge ingestion (Path 1) leaks file content via RAG responses, while knowledge-base attachment (Path 2) grants persistent read/write access through standard file endpoints. File UUIDs leak through normal usage (chat citations, shared chats, URLs, browser history). Vendor-released patch version 0.9.5 available. No public exploit identified at time of analysis, but proof-of-concept code published in GitHub advisory GHSA-r472-mw7m-967f demonstrates both attack vectors with working curl commands.

{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).

Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.

Open WebUI versions 0.9.4 and earlier allow read-only users to pin and unpin messages in standard channels due to insufficient permission checks in the pin_channel_message API endpoint. The endpoint verifies only read access when it should enforce write access, enabling authenticated users with read-only permission to modify message pin status (is_pinned, pinned_by, pinned_at fields) without authorization. This permission bypass undermines channel information hierarchy and access control models. Vendor-released patch: version 0.9.5.

Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.

Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.

Low-privileged authenticated users in Open WebUI <=0.8.5 can invoke admin-restricted external tools (MCP servers, GitHub integrations, etc.) via the chat completion API by supplying arbitrary tool_ids or tool_servers parameters. Exploited tools execute with server-stored credentials, enabling unauthorized data access or actions through third-party integrations. Publicly available exploit code exists (PoC in GitHub advisory GHSA-4pcg-253r-rf9w). EPSS data not provided; CVSS 7.1 indicates network-accessible authenticated exploitation with high confidentiality impact. Vendor-released patches: v0.7.0 (partial, local tools) and v0.8.6 (complete fix for MCP servers). Users on >=0.8.6 are not affected.

Broken access control in Open WebUI's `/api/chat/completions` endpoint allows any authenticated user to read and continue other users' private conversations by supplying a known Chat ID. The API fails to verify chat ownership before granting access, exposing sensitive conversation data across multi-user deployments with shared AI models. Fixed in v0.9.0 via commit cf4218e68, which enforces ownership validation through `Chats.is_chat_owner()` checks. Exploitation requires low-privilege authentication (PR:L) and network access (AV:N), but no user interaction (UI:N) or special configuration-any default multi-user instance with shared pipelines is vulnerable. CVSS 7.1 (High) reflects network-accessible confidentiality breach (C:H) with limited integrity impact (I:L). No public exploit identified at time of analysis, but proof-of-concept published in GitHub advisory GHSA-gfm2-xm6c-37qc demonstrates trivial exploitation via legitimate API key usage.

Open WebUI fails to authorize model update requests, allowing authenticated users to modify private models belonging to other users and alter their access controls. Tested on version 0.5.4, this broken access control vulnerability affects all versions up to 0.5.6 and is exploitable via a direct POST request to the /api/v1/models/model/update endpoint without requiring special privileges beyond basic authentication.

Open WebUI before version 0.9.0 allows authenticated users to bypass API key endpoint restrictions by submitting requests via the `x-api-key` header instead of the `Authorization` header, enabling full access to protected endpoints including message processing and potentially admin functionality. The vulnerability affects deployments where admins have configured API key restrictions to limit which endpoints specific keys can access. A proof-of-concept demonstrates that the same API key correctly rejected via `Authorization` header (403 Forbidden) is fully processed via `x-api-key` header (200 OK with LLM response), completely undermining the intended access control model. No active public exploitation is reported, but the vulnerability is straightforward to exploit and has been verified against Open WebUI v0.8.11.

{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.

Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.

Horizontal privilege escalation in Open WebUI versions through 0.3.15 allows any authenticated user to enumerate, read, and delete all files uploaded by all other users via missing authorization checks in the files API endpoints. The vulnerability requires only low-privilege authenticated access to the web interface and has publicly available exploit code with a detailed proof-of-concept demonstrating how attackers can list all uploaded files regardless of owner, retrieve file contents, and delete arbitrary user files. Organizations running multi-user Open WebUI deployments face immediate risk of data breach and integrity loss, as file upload features in conversational AI platforms commonly handle sensitive documents and internal communications.

Discretionary access control bypass in Chrome Remote Desktop (Chromoting) allows adjacent network attackers to achieve limited confidentiality, integrity, and availability impact through a malicious file requiring user interaction. Google released Chrome 148.0.7778.168 to address this medium-severity flaw. EPSS score of 0.01% (1st percentile) and CISA SSVC assessment indicate low real-world exploitation probability with no observed exploitation activity. The adjacent network attack vector (AV:A) significantly constrains attacker positioning compared to typical remote vulnerabilities.

Site Isolation bypass in Google Chrome prior to 148.0.7778.168 allows remote attackers who have already compromised the renderer process to access cross-site data via crafted HTML pages. The vulnerability affects Chrome's AI policy enforcement, enabling a second-stage attack after initial renderer compromise. Attack complexity is high, requiring both initial renderer compromise and user interaction. EPSS score of 0.02% indicates very low exploitation probability, and no active exploitation or public POC has been identified. Vendor patch is available in Chrome 148.0.7778.168.

Insufficient policy enforcement in Google Chrome's Android payment implementation allows remote attackers to bypass access control restrictions through specially crafted HTML pages, affecting Chrome versions prior to 148.0.7778.168 on Android. The vulnerability requires user interaction (visiting a malicious page) but can be exploited remotely without authentication. EPSS exploitation probability is low (0.02%, 4th percentile), and a vendor-released patch is available. While tagged as an authentication bypass, the CVSS impact indicates only low integrity compromise with no confidentiality or availability impact.

Navigation restrictions can be bypassed in Google Chrome for Windows versions prior to 148.0.7778.168 when attackers craft malicious HTML pages that exploit insufficient sandbox policy enforcement in iframe elements. User interaction (opening/visiting the crafted page) is required for exploitation. Google released a patched version addressing this medium-severity flaw. With EPSS exploitation probability at 0.02% (4th percentile) and no KEV listing, this represents a moderate-priority issue primarily affecting organizations running outdated Chrome versions on Windows systems.

Cross-origin data leakage in Google Chrome on Windows via ANGLE graphics library allows renderer-compromised attackers to steal sensitive data from other origins through specially crafted web pages. Affects Chrome versions prior to 148.0.7778.168 on Windows platforms. EPSS probability of 0.03% (10th percentile) indicates low observed exploitation likelihood, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patch released in Chrome 148.0.7778.168 stable channel update. Attack requires successful renderer process compromise as prerequisite, combined with user interaction, creating a chained exploitation scenario rather than standalone vulnerability.

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.168 occurs when an attacker who has already compromised the renderer process exploits an object corruption flaw in the Compositing component. The vulnerability requires user interaction with a malicious HTML page and high attack complexity to leak sensitive cross-origin data. Google has released a patch in Chrome 148.0.7778.168, and with EPSS at 0.03% (10th percentile) and no evidence of active exploitation (SSVC: none), this represents a medium-priority targeted threat rather than widespread exploitation risk.

Site Isolation bypass in Google Chrome on macOS allows attackers who have already compromised the renderer process to leak limited cross-origin data via malicious HTML in ReadingMode. Affects Chrome versions prior to 148.0.7778.168 on Mac only. EPSS score of 0.02% (6th percentile) indicates very low predicted exploitation probability. No active exploitation detected (not in CISA KEV), no public POC identified. CVSS 3.1 assigns Low severity despite High vendor severity rating due to requiring both renderer compromise and user interaction, with impact limited to confidentiality only.

Site Isolation bypass in Google Chrome versions prior to 148.0.7778.168 enables attackers who have already compromised the renderer process to break out of security sandboxes via specially crafted HTML pages. This represents an escalation path within Chrome's multi-process architecture, allowing cross-origin data access after initial renderer compromise. Vendor patch available as of May 2026 stable channel update. EPSS score of 0.02% (6th percentile) indicates minimal observed exploitation activity, and no CISA KEV listing or public POC exists at time of analysis, suggesting lower immediate priority despite the architectural significance of Site Isolation failures.

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Privilege escalation and cross-site scripting in Live Helper Chat 4.84v allows authenticated REST API users to manipulate chats outside their authorized departments and inject malicious JavaScript into operator sessions. Attackers with low-privilege lhchat/use access can modify arbitrary chat object fields including chat hash, status, and operation_admin properties, enabling unauthorized data access through visitor/widget paths and code execution in operator contexts. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication bypass in Crabbox versions prior to v0.12.0 allows authenticated attackers with shared-token access to impersonate arbitrary owners or organizations. By injecting crafted X-Crabbox-Owner and X-Crabbox-Org headers in API requests, attackers can bypass authorization checks and gain full access to victim lease operations across organizational boundaries. VulnCheck reported this vulnerability, and a vendor-released patch is available in version v0.12.0. CVSS 8.7 (High) reflects network-accessible exploitation with low privileges required, high impact to confidentiality, integrity, and availability within the vulnerable component scope.

Unauthenticated remote attackers can register rogue workers in Gradient CI 1.1.0 when GRADIENT_DISCOVERABLE is enabled (default configuration), gaining access to all organizational jobs and the ability to inject malicious build artifacts into shared storage. The attacker sends a fresh worker UUID to /proto endpoint, obtaining PeerAuth::Open privileges that bypass organization isolation. Vendor-released patch: version 1.1.1. CVSS 9.4 Critical with network vector and no authentication required. No active exploitation confirmed (not in CISA KEV), but EPSS data unavailable for this 2026 CVE ID.

Remote attackers can bypass access controls in Yordam Library Automation System versions 19.5 through 22.0, achieving high confidentiality, integrity, and availability impact through incorrectly configured security levels. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling unauthorized access to library management functions. Reported by Turkey's national CERT (USOM), indicating regional awareness though not yet confirmed for active exploitation or CISA KEV listing.

{id}/file) exposes template file contents to any authenticated user due to a completely absent authorization check in the customTemplateFile handler - a check that every other custom template endpoint correctly implements. Authenticated users at any privilege level can enumerate sequential integer template IDs to read Docker Compose files belonging to templates they have no explicit access to, potentially harvesting embedded secrets such as database connection strings, API tokens, and registry credentials. No public exploit or CISA KEV listing has been identified at time of analysis; however, exploitation requires only a valid session and sequential ID guessing, making it trivially scriptable against any unpatched multi-tenant Portainer instance.

Authorization bypass in Portainer's Docker Swarm proxy allows authenticated non-admin users with endpoint access to circumvent EndpointSecuritySettings restrictions configured by administrators. Affected versions include 2.33.0-2.33.7, 2.39.0-2.39.1, and 2.40.x, with fixes in 2.33.8, 2.39.2, and 2.41.0 respectively. No public exploit identified at time of analysis, but the GHSA-5fxq-qcf3-244w advisory provides detailed payload examples that effectively serve as a proof-of-concept blueprint enabling escape to root-equivalent access on Swarm manager hosts.

Authorization bypass in Portainer 2.33.0 through 2.33.7 allows authenticated users to access Kubernetes cluster resources beyond their assigned permissions due to missing return statement in middleware error handling. Any user with a valid Portainer session can exploit this to read or modify Kubernetes secrets, pods, deployments, and other resources on endpoints they should not access. The flaw affects both Community Edition and Enterprise Edition. Fixed in version 2.33.8 and inherently absent from 2.39.0+. No public exploit code identified at time of analysis, though the single-line code fix and detailed GitHub advisory make reproduction straightforward for authenticated attackers.

Authenticated regular users with container-creation rights in Portainer can mount arbitrary host filesystem paths into their containers by bypassing the 'Disable bind mounts for non-administrators' security control via HostConfig.Mounts instead of HostConfig.Binds, enabling root-level access to sensitive host files, Docker socket takeover, and container escape on shared Docker environments. The vulnerability is confirmed actively exploited based on seven independent security researcher reports, with vendor-released patches available across all supported branches (2.33.8, 2.39.2, 2.41.0). CVSS 8.5 reflects network exploitation with low complexity and changed scope impact, though real-world risk depends heavily on whether multi-tenant environments rely on this control as their primary container isolation mechanism.

{name}/enable`) directly against the Docker daemon, installing malicious plugins that run as root with CAP_SYS_ADMIN and arbitrary host mounts. Vendor-confirmed exploitation requires only low-privilege authenticated access (CVSS:4.0 9.4, AV:N/AC:L/PR:L). Patches released across three supported branches (2.33.8-LTS, 2.39.2-LTS, 2.41.0). No public exploit code identified at time of analysis, but attack technique is straightforward given detailed vendor disclosure.

Missing authorization controls in Flowise's OpenAI Assistants Vector Store API allow any authenticated user to perform unrestricted CRUD operations on vector stores regardless of assigned permissions. Attackers with low-privilege user credentials can create, modify, or delete vector stores, upload malicious files, and exfiltrate stored documents across all workspaces. Vendor-released patch available in Flowise 3.1.2 addressing this and nine other related authorization vulnerabilities discovered in the same security audit.

Authorization bypass in n8n workflow automation allows authenticated users with read-only credential access to hijack shared OAuth integrations and exfiltrate data. Users possessing credential:read permissions can exploit insufficient authorization checks in OAuth reconnect endpoints to overwrite stored OAuth tokens with attacker-controlled credentials, causing workflows to execute under the attacker's identity and redirect sensitive data to external services. This affects multi-tenant deployments where credentials are shared across users or projects. Vendor-confirmed patches available in versions 1.123.43, 2.20.7, and 2.21.1. CVSS 3.1 rates this 8.5 High (AV:N/AC:L/PR:L/UI:N/S:C) with changed scope indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the attack path is clearly documented in the vendor advisory.

Remote code execution in n8n workflow automation platform allows authenticated users with workflow editing permissions to exploit a prototype pollution patch bypass in the XML node component. The vulnerability (CVE-2026-44791) affects n8n versions prior to 1.123.43, 2.20.7, and 2.22.1, building on a previous incomplete fix (GHSA-hqr4-h3xv-9m3r). Vendor-released patches are available across all affected version branches. CVSS 3.1 score of 9.9 (Critical) reflects network-accessible attack requiring low-privilege authentication with changed scope enabling full system compromise. No public exploit identified at time of analysis, though the existence of a prior related vulnerability (GHSA-hqr4-h3xv-9m3r) suggests attackers familiar with the original issue could adapt techniques.

{id}/logs/ and /api/v2/routine/{id}/stats/ endpoints. Detailed proof-of-concept with Python exploit confirms trivial exploitation against wger <= 2.5.0a2. CVSS 7.5 rates this High severity, but NOTE: vector PR:N appears inconsistent with authenticated-only access described - attackers need valid credentials, suggesting actual vector should be PR:L. EPSS data not available. No CVE KEV listing or public exploit repositories identified beyond GitHub advisory disclosure. Patch status unconfirmed - GitHub advisory references fix commit but no released version number provided in available data.

Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that could lead to account compromise or unauthorized access. The vulnerability requires adjacent network access and affects all versions of the product. No public exploit code has been identified, but the weak authentication controls represent a significant credential-stuffing and password-guessing risk in multi-tenant or shared-network environments.

HCL AION transmits backend service details over unencrypted HTTP channels under certain conditions, allowing authenticated local or adjacent-network attackers with limited privileges to intercept and read sensitive configuration data through man-in-the-middle attacks. The vulnerability requires user interaction and non-default network positioning, resulting in a CVSS score of 4.3 (low severity) with confirmed vendor awareness and advisory availability.

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive information to interception or unauthorized access. The vulnerability requires adjacent network access, high attack complexity, and user interaction, limiting real-world exploitation scope. No active exploitation has been confirmed at time of analysis.

Improper privilege management in AMD's KVM key download component allows authenticated local attackers to swap tokens and exfiltrate sensitive cryptographic keys due to insufficient access controls, potentially enabling unauthorized access to privileged resources and compromising system confidentiality. The vulnerability requires authenticated access (PR:L) but carries high confidentiality impact (VC:H), making it a significant risk in multi-tenant or shared-access environments.

Unauthenticated attackers with knowledge of the KVM key download endpoint URL can retrieve sensitive cryptographic keys without authentication, compromising confidentiality of encrypted communications and system secrets. This affects AMD KVM implementations and requires no special user interaction, though attackers must possess prior knowledge of the specific endpoint URL. No public exploit code or active exploitation has been identified at time of analysis.