Skip to main content

Authentication Bypass

auth CRITICAL

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.

How It Works

Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.

The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.

More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.

Impact

  • Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
  • Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
  • System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
  • Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
  • Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties

Real-World Examples

CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.

Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.

SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.

Mitigation

  • Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
  • Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
  • Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
  • Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
  • Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
  • Regular security testing — conduct penetration testing specifically targeting authentication logic and flows

Recent CVEs (31259)

EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.

Authentication Bypass WordPress Gw Ai Website Builder
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

Improper authorization in Samsung's KnoxGuardManager component allows local low-privileged attackers to bypass the application's persistence configuration, potentially undermining enterprise device management and carrier lock enforcement on affected Samsung Mobile Devices. Devices running Android 14, 15, and 16 prior to SMR Jul-2026 Release 1 are affected, making this a notable concern for enterprise MDM deployments and carrier-managed device fleets relying on Knox Guard controls. No public exploit has been identified and no active exploitation is confirmed; Samsung has shipped a patch in the July 2026 Security Maintenance Release.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Missing authorization in zhayujie CowAgent up to version 2.1.0 allows remote attackers with low-privilege accounts to bypass access controls at the Message Endpoint defined in channel/channel.py, potentially enabling unauthorized access to or manipulation of messaging data. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low privileges, with low-level confidentiality, integrity, and availability impacts on the vulnerable system. A public proof-of-concept exploit has been released per VulDB, and the project maintainer has not yet responded to the coordinated disclosure filed via GitHub issue #2874.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.

Authentication Bypass WordPress Privilege Escalation
NVD
EPSS 0% CVSS 7.5
HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.

Authentication Bypass WordPress Wpcafe Restaurant Menu Online Food Ordering Table Booking System
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.ReloadConfig function in pkg/channels/pico/pico.go by manipulating the message.send argument without proper authorization checks. The integrity and availability of the affected system are both at limited risk, as the CVSS 4.0 vector confirms no confidentiality exposure but allows unauthorized configuration reload or disruption. A public exploit exists (E:P), though the GitHub issue tracking the report was closed automatically due to inactivity, indicating no vendor remediation has been issued.

Authentication Bypass Picoclaw
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP allowlist enforced by the Launcher's web backend middleware. The flaw resides in the IPAllowlist function within web/backend/middleware/access_control.go, which fails to correctly enforce source-address restrictions, permitting unauthorized network access to protected endpoints. A public proof-of-concept exploit exists (GitHub issue #3069), and an upstream patch (PR #3126) has been submitted but a formally released patched version has not been independently confirmed.

Authentication Bypass Picoclaw
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Incorrect authorization in Sipeed PicoClaw's MQTT Channel Handler (pkg/channels/mqtt/mqtt.go) through version 0.2.9 allows remote low-privileged attackers to bypass access controls by manipulating the `client_id` argument, enabling unauthorized access to MQTT channels belonging to other clients. A public proof-of-concept exploit exists via the referenced GitHub issue, elevating practical risk beyond the moderate CVSS 4.0 score of 5.3. No vendor patch has been released - the upstream GitHub issue was closed automatically due to inactivity - leaving affected deployments without an official remediation path.

Authentication Bypass Picoclaw
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.

Authentication Bypass WordPress
NVD VulDB
EPSS 0%
NONE Awaiting Data

System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.

Authentication Bypass Mozilla Desktop
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization on the `/api/storage/getCriteria` endpoint in SiYuan personal knowledge management software exposes saved search criteria - including private document paths, notebook and block IDs, and search/replace keyword history - to any publish-mode Reader, bypassing the access controls applied by all sibling storage endpoints. All SiYuan releases prior to 3.7.1 are affected per the vendor security advisory GHSA-px3c-cf92-9g83. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the low attack complexity and readily available fix commit make this straightforward to weaponize against exposed instances.

Authentication Bypass Siyuan
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthorized write access to the admin backup store in Discourse allows any authenticated regular user to route S3 multipart uploads into a storage area that should be restricted to administrators. The flaw exists in ExternalUploadManager, which fails to enforce authorization checks (CWE-862) when accepting direct S3 multipart upload requests, meaning a low-privilege account holder can target the admin backup destination path without restriction. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this a credible threat on any Discourse deployment using S3 direct uploads.

Authentication Bypass Discourse
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.

Authentication Bypass SSRF Hermes Webui
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Pimcore's Studio API lets a standard editor-level user create class definitions without administrative rights, because the POST /pimcore-studio/api/class/definition/configuration-view/detail/create endpoint checks the 'objects' permission rather than the 'classes' permission. Because class-definition creation writes new database tables and PHP class files to the server, this permission gap grants low-privileged users significant control over the application's data model and codebase, and absent API-layer UID validation malformed UIDs reach model-layer validation and surface internal exceptions. No public exploit identified at time of analysis; the flaw is fixed in 2025.4.6 and 2026.1.6.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Full admin account takeover in Pimcore (Studio backend) before 2025.4.6 and 2026.1.6 lets an unauthenticated attacker who knows a valid admin username hijack that account by submitting a password-reset request with an attacker-controlled resetPasswordUrl; the server appends a genuine recovery token to that URL and emails it to the victim, so a single victim click leaks the token to the attacker, who authenticates via POST /pimcore-studio/api/login/token with full admin rights and bypasses 2FA. GitHub advisory GHSA-h854-c3m3-mh5v classifies this as an authentication bypass (CWE-640). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.

Authentication Bypass RCE PHP
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.

Authentication Bypass File Upload RCE +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).

Authentication Bypass Information Disclosure RCE
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Improper access control in the Proximus b-box v8c.725A ISP gateway lets an already-authenticated low-privilege user override authorization checks and freely add, alter, or delete port forwarding (NAT) rules. Publicly available exploit code exists (GitHub PoC by Cedrico03), though it is not listed in CISA KEV and carries a low EPSS score (0.22%, 12th percentile), indicating no evidence of widespread active exploitation. The flaw effectively grants any logged-in account router-administrator control over inbound traffic routing.

Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.

Authentication Bypass Juniper Junos Os
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. Reported by VulnCheck with a CVSS 4.0 base score of 9.3; a vendor patch is available and no public exploit code has been identified at time of analysis.

Authentication Bypass RCE Hermes Webui
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.

Authentication Bypass Juniper Junos Os
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.

Authentication Bypass Deepseek Mcp Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

License exhaustion in Juniper Networks Junos OS Evolved lets an unauthenticated, network-based attacker reach the device's license-management process, which was intended to be internal-only but is exposed on an open network port due to incorrect initialization. All Junos OS Evolved releases before 23.2R2-EVO are affected. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible network-facing denial-of-service risk to affected routing/switching platforms.

Authentication Bypass Juniper Junos Os Evolved
NVD VulDB
MEDIUM PATCH This Month

Missing ownership enforcement on Sylius Shop API payment request endpoints allows any caller who possesses a valid payment request UUID hash to read sensitive order data - including customer email, shipping addresses, and order totals - or manipulate post-payment redirect URLs to an attacker-controlled domain. Affected versions span the 2.0.x, 2.1.x, and 2.2.x release lines, with fixes available in 2.0.18, 2.1.15, and 2.2.6 per the vendor advisory GHSA-mr9r-h354-966r. No public exploit code or CISA KEV listing has been identified at time of analysis; real-world exploitability is gated on acquiring the UUID hash out-of-band.

Authentication Bypass PHP
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally authenticated user, regardless of privilege class or assigned permissions, to execute a specific privileged 'request' command and cause complete traffic disruption on the affected switch. Affected platforms span EX2300, EX4000, EX4100, EX4300-MP, and EX4400 across six active Junos OS release trains from 23.2 through 25.4. No public exploit has been identified at time of analysis and the system recovers automatically, but the low barrier to exploitation - any authenticated local user qualifies - makes this a meaningful insider threat in shared-access or multi-tenant switch environments.

Authentication Bypass Juniper Junos Os
NVD
CVSS 4.3
MEDIUM PATCH This Month

{tokenValue}/payments/{paymentId}` silently accepts and returns HTTP 200 for payment methods the store operator has explicitly excluded from the order's sales channel, while the equivalent checkout endpoint correctly rejects them with HTTP 422. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass PHP
NVD GitHub
CVSS 6.5
MEDIUM POC PATCH This Month

{FIELD_ID}? or update? policy checks - even when both explicitly return false for the requesting user. Primarily impacts Avo Pro/Advanced multi-role deployments where non-administrator operators are expected to be constrained by per-field authorization policies. A PoC request spec confirms exploitation on Avo 3.31.2; no CISA KEV listing, so no confirmed active exploitation at time of analysis.

Authentication Bypass File Upload
NVD GitHub
MEDIUM PATCH This Month

Certificate revocation in nebula-mgmt (forgekeep/nebula-mesh ≤ v0.3.6) is non-durable due to two distinct authorization gaps at certificate issuance time. Blocked hosts bypass blocklist enforcement entirely by re-enrolling with a new token because `enroll.go:128` calls `caMgr.Sign()` without consulting the blocklist - a fingerprint-keyed structure that treats any fresh certificate as unknown. Separately, hosts enrolled under a subsequently-disabled operator auto-renew certificates indefinitely because `signHostCert` never re-validates operator or CA lifecycle status, meaning operator offboarding does not terminate provisioned host access. No public exploit is identified at time of analysis; both issues were discovered during an internal offensive security audit (tracking issue #178).

Authentication Bypass
NVD GitHub
EPSS 1% CVSS 4.5
MEDIUM PATCH This Month

Authentication bypass in the Large Scale VPN (LSVPN) feature of Palo Alto Networks PAN-OS enables unauthenticated network-adjacent attackers to establish unauthorized site-to-site VPN connections without valid credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), where the LSVPN peer negotiation process fails to enforce authentication before allowing VPN tunnel establishment. While the CVSS 4.0 base score is 4.5, the subsequent-system confidentiality impact is rated High (SC:H), reflecting that a successful bypass grants the attacker routing-level access into networks protected by the VPN - a materially greater risk than the headline score suggests. No public exploit code exists and no active exploitation has been confirmed (CISA KEV not listed, E:U).

Authentication Bypass Paloalto Pan Os
NVD VulDB
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Security policy bypass in Palo Alto Networks PAN-OS exposes protected services behind the firewall to traffic that should be blocked, exploitable by unauthenticated remote attackers via crafted IPv6 packets targeting the dataplane. The CVSS 4.0 score of 1.7 reflects that direct impact on the firewall itself is nil (VC:N/VI:N/VA:N), with only low-severity downstream effect on subsequent systems (SC:L/SI:L), and specific attack conditions must be present (AT:P). No public exploit code exists and no active exploitation has been reported (E:U), though the automatable flag (AU:Y) indicates the attack could in principle be scripted once conditions are met.

Authentication Bypass Paloalto Pan Os
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Multiple protection mechanism failures in the Data Loss Prevention (DLP) component of Palo Alto Networks Prisma Access Agent for Windows enable a local authenticated user to bypass DLP policy enforcement controls. Only the Windows platform is affected; the Prisma Access Agent for macOS is explicitly excluded per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 supplemental urgency rating of Amber and high confidentiality/integrity impact on the vulnerable system make this a meaningful insider threat risk.

Authentication Bypass Apple Microsoft +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.

Authentication Bypass Mockoon
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated API exposure in the Superior Court of California's Hearing Reminder Service (hrs.courts.ca.gov) permits any internet-accessible party to retrieve court reminder records containing potentially sensitive information with no credentials or preconditions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote access, making bulk data harvesting trivial for any motivated actor. No public exploit code has been identified at time of analysis, and the service is not listed in the CISA KEV catalog, but the low technical barrier means exploitation requires nothing more than a standard HTTP request.

Authentication Bypass
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Open WebUI versions 0.8.12 through 0.9.x expose a missing authorization flaw that permits authenticated non-admin users to reach restricted underlying AI models by exploiting a code-path divergence in task endpoints. The standard chat route (/api/v1/chat/completions) correctly re-validates submodel access after arena wrapper resolution, but task endpoints such as /api/v1/tasks/moa/completions call utils.chat.generate_chat_completion() directly, triggering arena fallback resolution after the wrapper check passes and recursing with bypass_filter=True - effectively nullifying the submodel access control. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack requires only low-privilege authentication (PR:L), making it directly relevant to any multi-tenant or enterprise Open WebUI deployment with model access tiering.

Authentication Bypass Open Webui
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. No public exploit has been identified at time of analysis, but the fix is confirmed in v0.10.0 and the flaw is scored CVSS 8.0.

Authentication Bypass Open Webui
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Open WebUI's WEB_FETCH_FILTER_LIST blocklist enforcement fails to parse hostnames at label boundaries in versions prior to 0.10.0, enabling authenticated users to bypass administrator-configured host restrictions and trigger server-side fetches to internally restricted resources. Two bypass classes exist: embedding a blocked hostname in the URL path component (e.g., https://attacker.com/internal.corp/data) rather than the authority, and using a sibling domain sharing the blocked entry's suffix (e.g., evilinternalhost.example.com matching a blocklist entry for internalhost.example.com). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Open Webui
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

File upload authorization bypass in Open WebUI before 0.10.0 allows authenticated users with read-only knowledge base access to inject arbitrary files into restricted knowledge bases by supplying a crafted metadata.knowledge_id parameter. The upload endpoint omits the write-access check enforced by the dedicated /api/v1/knowledge/<id>/file/add route (CWE-862), creating a privilege escalation path for any authenticated platform user. No public exploit code or CISA KEV listing exists at time of analysis, but the impact extends beyond the low CVSS integrity score - injected content directly influences LLM responses for all users of the affected knowledge base, enabling indirect prompt injection.

Authentication Bypass File Upload Open Webui
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-channel thread context disclosure in Open WebUI prior to 0.10.0 allows authenticated low-privilege users to reference messages from private or DM channels they do not have access to, leaking thread content across channel boundaries. The root cause is a missing channel-binding validation on the parent_id parameter in thread reply handling - the server does not verify that the referenced parent message belongs to the channel specified in the URL. No public exploit or active exploitation has been identified; this is a low-severity, high-complexity authorization bypass with confirmed vendor fix in v0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Incorrect authorization in Open WebUI versions 0.9.6 through 0.9.x allows authenticated users with read-only knowledge file access to escalate their privileges to file write or delete operations. The root cause is that `_verify_knowledge_file_access` validated only read permissions, while write and delete routes independently trusted access derived from writable model `meta.knowledge` entries - creating a logical gap where the authorization check and the actual enforcement were misaligned. No public exploit or CISA KEV listing is identified at time of analysis; this is a medium-severity, authenticated-only issue fixed in v0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. No public exploit is identified at time of analysis and EPSS is low (0.19%), but the barrier to abuse is minimal for anyone already positioned on the LAN.

Authentication Bypass Microsoft
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM This Month

Missing authentication on APIv1 webhook endpoints in sendportal up to 3.0.1 permits remote unauthenticated actors to invoke webhook handlers for SendGrid, Postmark, Postal, and Mailjet without any credential verification. The flaw enables integrity and availability manipulation of email processing pipelines from any network location. A publicly disclosed exploit exists per VulDB submission 851624; no vendor patch has been released and the maintainer has not responded to the responsible disclosure report.

Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CERT/CC advisory (VU#152953) is the primary reference.

Authentication Bypass Google
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

WebView sandbox escape in the PayRange 7.0.7 mobile payment app allows a network attacker to inject arbitrary JavaScript into the app's embedded WebView when chained with a separate SSL/TLS bypass, then invoke privileged JavaScript-to-native function calls to break out of the sandbox and perform dangerous actions on the victim's device. Affected users are those running PayRange 7.0.7 who can be induced to open attacker-influenced content while an attacker holds a man-in-the-middle position. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile), indicating no observed mass exploitation despite the 9.6 CVSS rating; the issue is documented in CERT/CC VU#152953.

Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated manipulation of collaborative document state is possible in Open WebUI versions 0.6.16 through 0.9.x, where the Socket.IO server's always_connect=True configuration allows the ydoc:awareness:update and ydoc:document:leave event handlers to process requests from any connected client regardless of identity. An attacker with network access to the platform can inject false collaborative presence data or trigger spurious document-leave events, disrupting active collaboration sessions for legitimate users. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the input.

Authentication Bypass Open Webui
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper authorization in Open WebUI 0.9.x allows deactivated or pending users to continue executing scheduled AI model automations after their accounts should have lost that capability. The `execute_automation` function rehydrated automation owners without re-verifying that the owner account was still active or still held the `features.automations` permission, and `check_model_access` enforced private-model grants only against the current user role at the time of check rather than re-validating eligibility at execution time. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 reflects the low real-world severity: high attack complexity, limited availability impact, and no confidentiality or integrity impact per the official assessment.

Authentication Bypass Open Webui
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.

Authentication Bypass PHP Sendportal
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open WebUI versions 0.8.11 through 0.10.0 expose a missing-authorization flaw (CWE-862) on the POST /api/v1/images/edit endpoint, allowing any verified non-admin account to invoke server-side image editing even when administrators have disabled the global image-edit switch or revoked per-user image-generation permissions. The bypass enables unprivileged users to consume admin-configured third-party image provider credentials - exhausting API quotas or generating unauthorized images - undermining deliberate access controls set by the platform operator. No public exploit has been identified at time of analysis; a vendor-confirmed fix is available in version 0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.

Authentication Bypass Microsoft N8n
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control in manjurulhoque's django-job-portal allows authenticated remote attackers to manipulate the `role` argument via the `EditEmployeeProfileAPIView` endpoint, enabling unauthorized privilege escalation within the Employee Dashboard. All commits up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f are affected under a rolling release model with no fixed version available. A publicly available proof-of-concept exploit exists via GitHub issue #91; the project maintainer has not responded to disclosure and no patch has been released.

Authentication Bypass Python Django Job Portal
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

MISP's attribute creation endpoint contains an authorization bypass allowing authenticated users with attribute-creation permissions to associate attributes with sharing groups they are not authorized to access. The flaw arises because the sharing group permission check was gated exclusively on the distribution field being set to 4 (sharing group mode), meaning a user could submit any non-empty sharing_group_id with a different distribution value and bypass the check entirely. No public exploit has been identified at time of analysis; a vendor patch is available via a confirmed GitHub commit.

Authentication Bypass Misp
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.20 / V26.20.0) lets an already-authenticated attacker abuse insufficient validation of authentication credentials when modifying administrative accounts through the web API. By exploiting this weak credential re-verification (CWE-620), an attacker with existing access can bypass security controls and obtain unauthorized elevated privileges over the device. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Insecure default OPC UA configuration in Siemens CPCI85 Central Processing/Communication and SICORE Base System exposes industrial control system functions to unauthenticated network attackers. Both products ship with all OPC UA security mechanisms disabled, meaning any attacker who can reach the OPC UA endpoint over the network can interact with the system without authentication or encryption. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the affected products operate in OT/ICS environments where unauthorized control access carries disproportionate operational and safety risk relative to the moderate CVSS score.

Authentication Bypass Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass leading to remote code execution in Xerte Online Tools (all versions below 3.14.6 and below 3.15.5) lets unauthenticated remote attackers reach the exposed /setup/ installer and re-run the installation, pointing the application at a database they control and thereby seizing full control of the toolkit. The flaw scores CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged Authentication Bypass and RCE; a vendor patch exists but there is no public exploit identified at time of analysis. CISA's SSVC framework rates it not-exploited but automatable with partial technical impact.

Authentication Bypass RCE Xerte Online Tools
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in the Qt Axivion Dashboard allows an authenticated low-privileged user to mint API tokens for other, higher-privileged accounts via the undocumented POST /api/users/~/{user}/tokens endpoint, which failed to enforce an authorization check on the target user. An attacker who knows a more-privileged user's login name and can log in through the Dashboard's OAuth/OIDC flow can forge and finalize a token for that account, potentially seizing Dashboard Administrator rights and — chained with a separate weakness — achieving code execution on the host. CVSS 4.0 is rated 8.7 (High); there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass RCE Axivion
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). Reported by Wordfence; no CISA KEV listing and no standalone public exploit code identified at time of analysis, though exploitation is operationally trivial for any attacker with a valid Author-level WordPress account.

Authentication Bypass WordPress Blocks For Acf Fields Display Custom Fields In The Block Editor
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. No public exploit is identified and this is not listed in CISA KEV, but the low authentication bar (any registered user) and operational impact on fulfillment make this a meaningful risk for Benelux e-commerce stores with open user registration.

Authentication Bypass WordPress Dhl Ecommerce Benelux For Woocommerce
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the DSGVO All in One for WP plugin (versions up to and including 4.9) allows any authenticated WordPress user with Subscriber-level access or higher to invoke the dsgvo_reset_policy_service_func() function and wipe all customized privacy policy content - cookie notices, Google Analytics policies, Facebook policies, and YouTube policies - back to plugin defaults. The root cause is a complete absence of both WordPress capability checks and nonce verification on a sensitive administrative function that accepts and acts on user-supplied parameters. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low authentication barrier makes this accessible to a wide pool of potential abusers on sites with open user registration.

Authentication Bypass WordPress Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.

Authentication Bypass WordPress Corvuspay Woocommerce Payment Gateway
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress Jwt Attack Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized order modification in the Colissimo Officiel shipping plugin for WordPress (versions up to and including 2.9.0) allows any authenticated subscriber-level user to overwrite the shipping method, pickup-relay metadata, and shipping address of arbitrary WooCommerce orders - including orders belonging to other customers. The vulnerability stems from a completely unguarded AJAX handler: no capability check and no nonce verification are performed before acting on caller-supplied input. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog, though Wordfence has confirmed and disclosed it with specific source-line references.

Authentication Bypass WordPress Colissimo Shipping Methods For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken object-level authorization in PAVO Pay (all builds through 09072026) lets remote attackers access other users' resources by substituting user-controlled identifiers (CWE-639, IDOR-class), exposing sensitive financial data with no integrity or availability impact. Reported by Turkey's national CSIRT (TR-CERT) and tracked in the ENISA EUVD, the flaw scores CVSS 7.5 driven entirely by high confidentiality impact over an unauthenticated network path. No public exploit is identified at time of analysis, but the vendor did not respond to coordinated disclosure and no fix has been released, leaving all deployments exposed.

Authentication Bypass Pavo Pay
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive authentication data is inserted into network-transmitted responses in OSOS, the energy management platform by Sayax Energy Technologies Inc., enabling authenticated low-privilege users to extract credentials or session tokens and bypass authentication controls. All versions through build 09072026 are affected with no vendor patch available - TR-CERT disclosed this vulnerability but received no response from the vendor. No public exploit code has been identified at time of analysis, though the network-accessible attack vector with low complexity raises practical risk in industrial energy environments where even low-privilege account access is common.

Authentication Bypass Osos
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.

Authentication Bypass WordPress Hydra Booking Appointment Scheduling Booking Calendar
NVD VulDB
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. No public exploit identified at time of analysis, but the flaw is trivially scriptable and carries a critical 9.8 CVSS score.

Authentication Bypass WordPress Miniorange Otp Login Verification And Sms Notifications
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no authentication and no special configuration beyond the plugin being installed with at least one public-facing submission form.

Authentication Bypass WordPress User Frontend
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized plugin installation affects the Memberships and User Profiles for WooCommerce - ProfileGrid WooCommerce Integration plugin (versions up to and including 3.4), allowing any authenticated WordPress user at Subscriber level or above to force-install and activate the ProfileGrid plugin without administrative approval. The flaw stems from a dual failure - absent capability check and absent nonce validation - on the `pg_install_profilegrid()` AJAX handler, registered via the `wp_ajax_pg_install_profilegrid` hook. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low barrier to exploitation (any authenticated user) makes this a meaningful integrity risk on multi-tenant or open-registration WooCommerce stores.

Authentication Bypass WordPress Memberships And User Profiles For Woocommerce Profilegrid Woocommerce Integration
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified, but the zero-authentication, low-complexity attack path makes this trivially reproducible from plugin source code alone.

Authentication Bypass WordPress User Frontend
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated access to the SSH keys synchronization endpoint in Nozomi Networks Guardian and CMC exposes user enumeration data and SSH public keys to any network-reachable attacker. By sending a single unauthenticated request to this endpoint, an attacker can retrieve usernames, group memberships, and uploaded SSH public keys - providing meaningful reconnaissance into the OT security platform's user base. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; the CVSS 4.0 score of 6.9 reflects low confidentiality impact with no integrity or availability risk.

Authentication Bypass Guardian Cmc
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive information exposure in the Backup and Staging by WP Time Capsule WordPress plugin (all versions through 1.22.26) allows authenticated attackers with subscriber-level access to download a previously admin-decrypted SQL database backup via the unprotected `download_recent_decrypted_file_wptc` endpoint. The downloaded backup typically contains WordPress password hashes, user credentials, and site configuration data stored in the `recent_decrypted_file` plugin option. No public exploit code exists at time of analysis, but the vulnerability is conditionally exploitable wherever subscriber-level user registration is enabled and an administrator has recently used the plugin's decrypt function.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated export of sensitive WooCommerce donation records is possible in the Token of Trust WordPress plugin through version 4.0.2 due to a missing capability check on a publicly accessible export function. Any unauthenticated visitor can retrieve a CSV file containing charitable donor order dates, order IDs, donation amounts, and admin-only order edit URLs by appending a single GET parameter to any page on the affected site. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism - requiring only a browser and a known URL parameter - means low-skill attackers can exploit it at scale.

Authentication Bypass WordPress Age Verification Identity Verification By Token Of Trust
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unauthenticated remote attackers can completely bypass access controls on Everest Forms REST API endpoints in all plugin versions before 3.5.0, enabling them to read onboarding status data, modify plugin settings, and send emails from the WordPress site to arbitrary addresses. The flaw arises because the capability check is conditioned on an attacker-controllable HTTP request header - omitting or altering that header disables the authorization gate entirely. A publicly available proof-of-concept exploit exists, and SSVC assessment confirms the attack is automatable; however, this vulnerability is not in CISA KEV, and EPSS sits at 0.14%, suggesting limited observed exploitation despite the low barrier to entry.

WordPress Authentication Bypass Everest Forms
NVD WPScan
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Divi Form Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient navigation policy enforcement in Google Chrome prior to 150.0.7871.115 enables site isolation bypass when a user visits a crafted HTML page. A remote, unauthenticated attacker (per CVSS PR:N) can exploit this to read limited cross-origin data, undermining Chrome's core renderer process separation architecture. No public exploit code or active exploitation has been identified; SSVC rates exploitation as none and technical impact as partial, consistent with the moderate CVSS 4.3 score.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome desktop before 150.0.7871.115 lets a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page, stemming from an inappropriate implementation in the Forms component (Chromium severity: High). No public exploit identified at time of analysis, and the flaw is not on CISA KEV; Google has shipped a fixed Stable channel build. The high CVSS (8.8) reflects full compromise of the affected renderer process, though code execution is stated to be confined to the sandbox rather than a full host takeover.

Authentication Bypass RCE Google
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's Passwords component (versions prior to 150.0.7871.115) enables a remote attacker to read limited cross-origin data by directing a victim to a crafted HTML page. Chromium's own security team rates this High despite a CVSS base score of 4.3 (Medium), a discrepancy that likely reflects the sensitivity of credential-adjacent subsystem involvement rather than raw exploitability metrics alone. No public exploit identified at time of analysis; vendor patch is available as of the July 2026 stable channel release.

Authentication Bypass Google
NVD VulDB
Prev Page 7 of 348 Next

Quick Facts

Typical Severity
CRITICAL
Category
auth
Total CVEs
31259

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy