Authentication Bypass
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications.
How It Works
Authentication bypass attacks exploit flaws in the verification mechanisms that control access to systems and applications. Instead of cracking passwords through brute force, attackers manipulate the authentication process itself to gain unauthorized entry. This typically occurs through one of several pathways: exploiting hardcoded credentials embedded in source code or configuration files, manipulating parameters in authentication requests to skip verification steps, or leveraging broken session management that fails to properly validate user identity.
The attack flow often begins with reconnaissance to identify authentication endpoints and their underlying logic. Attackers may probe for default administrative credentials that were never changed, test whether certain URL paths bypass login requirements entirely, or intercept and modify authentication tokens to escalate privileges. In multi-step authentication processes, flaws in state management can allow attackers to complete only partial verification steps while still gaining full access.
More sophisticated variants exploit single sign-on (SSO) or OAuth implementations where misconfigurations in trust relationships allow attackers to forge authentication assertions. Parameter tampering—such as changing a "role=user" field to "role=admin" in a request—can trick poorly designed systems into granting elevated access without proper verification.
Impact
- Complete account takeover — attackers gain full control of user accounts, including administrative accounts, without knowing legitimate credentials
- Unauthorized data access — ability to view, modify, or exfiltrate sensitive information including customer data, financial records, and intellectual property
- System-wide compromise — admin-level access enables installation of backdoors, modification of security controls, and complete infrastructure takeover
- Lateral movement — bypassed authentication provides a foothold for moving deeper into networks and accessing additional systems
- Compliance violations — unauthorized access triggers breach notification requirements and regulatory penalties
Real-World Examples
CrushFTP suffered a critical authentication bypass allowing attackers to access file-sharing functionality without any credentials. The vulnerability enabled direct server-side template injection, leading to remote code execution on affected systems. Attackers actively exploited this in the wild to establish persistent access to enterprise file servers.
Palo Alto's Expedition migration tool contained a flaw permitting attackers to reset administrative credentials without authentication. This allowed complete takeover of the migration environment, potentially exposing network configurations and security policies being transferred between systems.
SolarWinds Web Help Desk (CVE-2024-28987) shipped with hardcoded internal credentials that could not be changed through normal administrative functions. Attackers discovering these credentials gained full administrative access to helpdesk systems containing sensitive organizational information and user data.
Mitigation
- Implement multi-factor authentication (MFA) — requires attackers to compromise additional verification factors beyond bypassed primary authentication
- Eliminate hardcoded credentials — use secure credential management systems and rotate all default credentials during deployment
- Enforce authentication on all endpoints — verify every request requires valid authentication; no "hidden" administrative paths should exist
- Implement proper session management — use cryptographically secure session tokens, validate on server-side, enforce timeout policies
- Apply principle of least privilege — limit damage by ensuring even authenticated users only access necessary resources
- Regular security testing — conduct penetration testing specifically targeting authentication logic and flows
Recent CVEs (31263)
Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten-password recovery mechanism (CWE-640) that a remote, unauthenticated attacker can manipulate to assume ownership of another user's account. The flaw carries a CVSS 9.8 rating because it is network-reachable with no authentication or user interaction, yielding full compromise of confidentiality, integrity, and availability of the targeted account. There is no public exploit identified at time of analysis and EPSS is low (0.22%, 13th percentile), and CISA's SSVC framework records exploitation as none, indicating no observed in-the-wild activity despite the critical score.
GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.
Authentication bypass in Digi International PortServer TS 1/2/4 and Digi One SP/SP IA/IA serial device servers permits remote unauthenticated attackers to circumvent authorization controls and access restricted device resources. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote, credential-free exploitation but places High Attack Complexity on the flaw, indicating specific preconditions must be met - limiting opportunistic or automated mass exploitation. Impact is strictly confidentiality (C:H/I:N/A:N), meaning successful exploitation exposes restricted data or configuration without enabling modification or service disruption; no public exploit and no CISA KEV listing have been identified at time of analysis.
Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Path traversal leading to full system compromise affects Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0 through 8.7, plus the LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches. Per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N), an unauthenticated remote attacker can traverse outside the intended directory to gain unauthorized access and, according to Dell, take complete control of the system. Dell rates this critical (9.8) and its tags note an authentication-bypass characteristic; no public exploit identified at time of analysis and it is not currently in CISA KEV.
Improper authentication in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.7, plus the LTS2026, LTS2025, and LTS2024 branches) lets an unauthenticated, remote attacker bypass authentication and gain unauthorized access that Dell says can escalate to complete system control. Dell rates it critical (CVSS 9.8, CWE-287). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network-facing, no-privilege attack profile makes it a high-priority patch for backup/data-protection infrastructure.
Privilege escalation and unauthorized functionality access in HAVELSAN Liman MYS (Yönetim Sistemi) before release.Master.1107 allows an authenticated low-privileged user to invoke functions that should be gated by access-control lists. Because certain endpoints fail to enforce authorization (CWE-862), a limited user can reach administrative or restricted operations, enabling significant integrity and availability impact. No public exploit identified at time of analysis; the flaw was reported by Turkey's national CERT (TR-CERT / USOM).
{dag_id}` endpoint and its UI equivalent perform authorization only on the requested DAG identifier, not on the full file contents returned. No public exploit has been identified and the issue is not listed in CISA KEV, but it directly undermines per-DAG access control in multi-tenant or team-partitioned Airflow deployments.
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Information disclosure in Armiya Information Technologies' Access Control System (GKS) before Version 2 allows remote unauthenticated attackers to collect sensitive data from common resource locations due to a missing authorization check. Because the affected endpoints do not verify that a requester is entitled to the data they return, an attacker who can reach the system over the network can harvest information without credentials. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV, but the CVSS 8.2 rating and CWE-862 root cause make it a meaningful exposure for any accessible deployment.
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).
Broken object-level access control (BOLA) in MicroRealEstate's Template API through version 1.0.0-alpha3 permits authenticated users to retrieve document templates owned by other organizations on the same platform. Any low-privilege account holder can query template objects belonging to unrelated tenants by supplying arbitrary template identifiers, crossing multi-tenant isolation boundaries. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Unauthorized document disclosure in MicroRealEstate through version 1.0.0-alpha3 lets an authenticated low-privilege user retrieve documents uploaded by other landlords or tenants. The flaw combines a broken object-level authorization check (CWE-639) with document IDs that are generated using a predictable, deterministic pattern, so an attacker can guess or enumerate identifiers and pull files they should not see. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 7.1 reflects high confidentiality impact with no effect on integrity or availability.
Sensitive document disclosure in MicroRealEstate through 1.0.0-alpha3 lets an authenticated low-privilege user retrieve PDF documents belonging to other tenants or organizations by manipulating object identifiers passed to the PDF generator. Classified under CWE-639 (IDOR) and CVSS 4.0 7.1, the flaw exposes confidential data (VC:H) without requiring integrity or availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Authentication bypass in MicroRealEstate (open-source property/real-estate management platform) through version 1.0.0-alpha3 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) login flow to authenticate as any user. Because the OTP tokens are not tracked in server-side state, codes are not invalidated or rate-limited across attempts, collapsing the effective keyspace and enabling account takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.
Cross-tenant resource access in Coolify (self-hosted PaaS) before 4.0.0-beta.464 lets an authenticated user of one team clone resources into, and access resources owned by, other teams. The cloneTo() Livewire action in ResourceOperations.php checks authorization on the source resource but resolves destination resources with unscoped Eloquent lookups, breaking multi-tenant isolation. Rated CVSS 9.9 with scope change; no public exploit identified at time of analysis, but a fixing commit and vendor advisory are published.
Improper authorization in Coolify's terminal websocket bootstrap routes lets any low-privileged team member execute arbitrary commands on team-managed servers, because the routes verify only that a request is authenticated but never check whether the caller is authorized to use the terminal. Affecting all Coolify versions prior to 4.0.0-beta.471, this CWE-285 flaw carries a critical 9.9 CVSS score with a scope change, effectively granting shell access to underlying infrastructure from a minimal application role. No public exploit identified at time of analysis, but the low complexity and low privilege bar make it a high-priority patch.
Cross-tenant log disclosure in Coolify (self-hosted PaaS) before 4.0.0-beta.466 lets any authenticated user read application logs belonging to other teams by supplying a victim resource's UUID. The Logs::mount() component resolves resources by UUID alone without verifying the caller's team ownership, breaking the multi-tenant isolation boundary. Rated CVSS 7.7 (CWE-639, IDOR); no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is a one-line-class authorization check that is trivially reversible from the public commit.
Privilege escalation via broken authorization in Coolify's self-hosted server/application management platform lets any authenticated low-privilege user reach terminal WebSocket functionality for resources outside their authorized scope, prior to version 4.0.0-beta.471. Because the terminal bootstrap routes skipped the expected authorization middleware, an attacker with a valid account can potentially execute commands on servers and containers they should not control. No public exploit identified at time of analysis, and there is no CISA KEV listing, but the fix is confirmed in release v4.0.0-beta.471.
Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.
Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. Classified CWE-306 (Missing Authentication); a referenced public gist appears to contain proof-of-concept details, though EPSS is low (0.26%, 18th percentile) and it is not listed in CISA KEV.
Improper authentication in Fire-Boltt FB BGS001 smartwatch firmware MOY-JS14-2.0.4 lets a nearby attacker replay previously captured Bluetooth Low Energy (BLE) GATT Write Request packets to trigger device functionality without valid session validation. The device accepts write commands over BLE without sufficient authentication, so an attacker within radio range who has observed legitimate traffic can reissue those commands. A public technical writeup/PoC exists on GitHub (EmbdCDACHyd), but there is no evidence of active exploitation (SSVC Exploitation: none) and EPSS is low at 0.21% (11th percentile).
Broken object-level authorization in FOSSBilling 0.5.3 through 0.7.2 lets an authenticated client read and reset API key service secrets belonging to orders that are no longer active, such as suspended or canceled orders. Two client API endpoints skip the order-state check that the frontend UI and the module's own isActive() helper otherwise enforce, exposing high-value credentials to any logged-in customer for their non-active services. There is no public exploit identified at time of analysis, and the flaw is fixed in version 0.8.0.
Incorrect authorization in FOSSBilling versions 0.5.6 through 0.7.2 allows authenticated clients with unverified email addresses to bypass the 'Require Email Confirmation' access control gate and read sensitive financial account data - including wallet balances and full transaction history - across all client-area pages. The application maintains two separate authorization layers: an API-level guard that correctly restricts unverified clients, and a page-level routing guard that is overly permissive, admitting any request whose URL path begins with /client, creating an exploitable enforcement gap. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a realistic but bounded confidentiality impact gated behind prior authentication.
Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.
Insecure Direct Object Reference (IDOR) in Coolify's ActivityMonitor Livewire component allows any authenticated user to enumerate and read activity records belonging to other teams, including full SSH process command outputs that may contain secrets, credentials, and infrastructure configuration details. Affected are all Coolify self-hosted deployments prior to version 4.0.0-beta.471. No special privileges beyond a valid user account are required, and auto-incrementing integer activity IDs make enumeration trivial. No public exploit code has been identified at time of analysis and this CVE is not in CISA KEV, but the low attack complexity and sensitive data exposure make this a meaningful risk for multi-tenant Coolify deployments.
Cross-origin request forgery via CORS same-owner bypass in Coder's subdomain workspace app proxy allows an authenticated attacker to exfiltrate data from a victim's workspace apps. The flaw exists across Coder release lines 2.29 through 2.34, and was disclosed by Anthropic's Security Team. No public exploit exists and no CISA KEV listing is present, but the vulnerability is directly exploitable against any deployment with wildcard subdomain routing enabled, making prompt patching critical for affected configurations.
Incorrect authorization in Coder's AI Bridge proxy (introduced in v2.30.0) permits suspended users to continue accessing LLM proxy endpoints using previously issued, unexpired API keys. The `Server.IsAuthorized` function in `coderd/aibridgeserver` validates key format, expiry, secret, and deleted/system-user status but omits the active/suspended status check present in the standard API key middleware, creating a divergence that survives indefinitely until tokens expire or are manually deleted. No public exploit code exists and the flaw is not listed in CISA KEV; the vendor patched all active release lines following coordinated disclosure by Anthropic's Security Team (ANT-2026-22446).
Unauthenticated access to Coolify's POST /api/feedback endpoint allows any remote attacker to forward arbitrary content directly to the operator's configured Discord webhook, enabling spam flooding, content injection, and webhook rate-limit abuse. All self-hosted Coolify instances prior to 4.0.0-beta.474 are affected, with CVSS AV:N/AC:L/PR:N/UI:N confirming zero-barrier network exploitation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the trivial exploit conditions (plain unauthenticated HTTP POST) make automated abuse straightforward.
Authorization bypass in the Coder devcontainer recreate endpoint allows any authenticated user holding only read-level workspace access - such as Template Admin or Org Template Admin roles - to trigger a destructive container rebuild that destroys uncommitted in-container state. Unlike the sibling delete endpoint, which correctly enforces an ActionUpdate check, the recreate endpoint relied solely on route middleware verifying ActionRead, leaving the destructive operation unguarded against lower-privileged principals. No public exploit has been identified at time of analysis; vendor-confirmed patches are available across all supported release lines.
Port-sharing policy bypass in Coder's CreateSubAgent RPC allows an authenticated workspace owner to register sub-agent apps at sharing levels exceeding the template's administrator-configured MaxPortSharingLevel, potentially exposing workspace apps as PUBLIC to unauthenticated users via wildcard app subdomains. Exploitation is gated behind authenticated workspace ownership with an agent token and requires an Enterprise deployment with both port-sharing policy enforcement and wildcard app hostnames active - making this a meaningful privilege escalation within a constrained environment rather than a broadly exploitable network flaw. No public exploit has been identified at time of analysis; vendor-released patches are available across all supported release lines.
Missing authorization in Coolify's Settings/Updates Livewire component allows any authenticated non-admin user to access the Updates settings page and modify auto-update behavior or trigger update checks. Affected versions span all releases prior to 4.0.0-beta.471 of the self-hosted server management platform. No public exploit code or CISA KEV listing exists at time of analysis, but the network-accessible nature and low authentication bar (any valid account) make this a meaningful integrity risk in multi-tenant or shared Coolify deployments.
Incorrect authorization in Coolify's API layer allows any holder of a read-scoped API token to invoke mutating validation endpoints - including cloud token validation and server validation - that should require write-level privileges. All Coolify deployments prior to version 4.0.0-beta.466 are affected. No public exploit or active exploitation has been identified at time of analysis, but the low attack complexity and network accessibility via API make this straightforward to abuse for any user who has been issued even a minimal API token.
Broken access control in FOSSBilling before 0.8.0 lets an unauthenticated attacker who knows an unpaid invoice's hash change the payment gateway (gateway_id) tied to that invoice, because the Guest API invoice/update endpoint omits an authorization check that its sibling invoice endpoints enforce. The attacker can only select gateways an administrator has already installed and configured, and the impact is further gated by the invoice_accessible_from_hash setting, so it cannot redirect funds to an arbitrary external endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Traffic interception in Coder's tailnet coordinator allows a malicious workspace agent to hijack another agent's tailnet address by advertising forged WireGuard AllowedIPs prefixes. The coordinator authorizes an agent's Addresses against its authenticated UUID but performs no equivalent check on AllowedIPs, which it forwards verbatim to tunnel peers; because ServerTailnet routes by tailnet IP, an attacker who claims a victim's prefix can intercept web terminal and workspace app traffic and serve spoofed content. Rated CVSS 8.2 (CWE-285, improper authorization); a vendor patch is available and no public exploit is identified at time of analysis.
Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. No public exploit is identified at time of analysis; it is not listed in CISA KEV. Fixed in v2.34.2, v2.33.8, v2.32.7, and v2.29.17.
Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.
{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.
Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.
Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.
Cross-tenant information disclosure in OpenRemote Manager lets a realm admin of one tenant read the profile, realm roles, and client roles of any user in any other realm - including the privileged master realm - simply by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl verify the caller's read:admin role but never confirm the target user belongs to the caller's realm, breaking multi-tenant isolation for user data. Publicly available exploit code exists (a working curl-based PoC with live-instance HTTP 200 responses is documented), though it is not listed in CISA KEV and no active exploitation is confirmed.
Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.6 (High).
Filter context poisoning in Traefik v3.7.0-v3.7.5 allows a low-privileged Kubernetes user to cause security-sensitive backendRef filters - such as tenant identity or authorization headers trusted by the backend - to be applied to requests from a different, co-located HTTPRoute that targets the same backend Service:port. This affects multi-tenant Kubernetes Gateway API deployments and can cross namespace boundaries when a ReferenceGrant permits cross-namespace backend targeting, making it an authorization bypass and tenant-isolation failure. No public exploit identified at time of analysis; the issue is fixed in Traefik v3.7.6.
Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.
Unauthenticated video stream access in Genetec Security Center 5.14.0.0 (builds prior to 5.14.178.18) lets remote attackers pull live video feeds by exploiting a flaw in the authentication mechanism that guards video stream requests. Because the CVSS vector is AV:N/PR:N/UI:N, no credentials or user interaction are needed, and the CWE-287 root cause means the stream endpoint fails to properly verify the requester's identity. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.
Subkey rollback protection in OP-TEE OS versions 3.20.0 through 4.10.x is completely non-functional due to a missing field assignment in the Trusted Application loading pipeline, allowing revoked or downgraded subkeys to authenticate TAs without detection. A locally authenticated attacker who can supply TA binaries to the REE filesystem loader can bypass the entire key-chain revocation model, loading previously invalidated trusted code into the TrustZone secure world. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the integrity impact is categorical - the rollback database never advances, permanently defeating the control for any deployment relying on subkey-based TA signing chains.
Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. It is vendor-reported with a patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).
Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.
Missing authorization on Cilium's Envoy admin socket lets any local user on a cluster node reach privileged Envoy admin endpoints when L7 (Layer 7) network policy functionality is enabled. Affecting Cilium 1.17.x before 1.17.14, 1.18.0-1.18.7, and 1.19.0-1.19.1 in both embedded and standalone Envoy models, it carries a CVSS 9.2 (scope-changing) rating and allows dumping TLS secrets, disrupting cluster traffic, or killing the Envoy proxy. No public exploit identified at time of analysis, and there is no workaround - only upgrading resolves it.
{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.
Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthenticated remote attacker defeat access controls in the appliance's authentication subsystem and log in as arbitrary accounts, including highly privileged ones. Rated CVSS 4.0 9.2 (critical) and tracked as CWE-287 (Improper Authentication), the flaw is pre-authentication and network-reachable but is gated by a specific authentication configuration being enabled, reflected in the vector's Attack Requirements (AT:P). No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a network-positioned attacker abuse improper authentication-data validation to reach the appliance and take over accounts, including privileged ones. Exploitation only works when a specific authentication configuration is enabled, and success requires overcoming meaningful attack conditions (CVSS 4.0 AC:H/AT:P). No public exploit has been identified at time of analysis and it is not on CISA KEV, but the pre-auth nature and privileged-access role of these appliances make it high-priority for internet-exposed deployments.
Authentication bypass in the default SFTP server component shared across Ciena's 6500 S-Series, 6500 T-Series, PTS, and CPL packet-optical transport platforms allows a remote, unauthenticated attacker to reach the underlying filesystem and read or modify system files. Rated CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and classified as CWE-288, the flaw undermines the primary access control on management-plane file transfer. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and low privilege requirement make this a high-priority issue for multi-tenant Biloop deployments.
Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.
Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.
Query injection and authorization bypass in the Apache Camel Lucene component (camel-lucene) lets remote unauthenticated HTTP clients override the full-text search a route intends to run. Because the raw header names QUERY and RETURN_LUCENE_DOCS lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker-supplied header flows straight into the Exchange and executes against the index - enabling disclosure of documents the requester should not see (e.g. a match-all query dumping the whole index) and CPU-heavy regex queries. Affects 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; no public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile).
Authorization bypass in Apache Camel's camel-elasticsearch-rest-client component allows unauthenticated remote attackers to override Elasticsearch query operations by injecting HTTP headers. Because the component uses unprefixed header constants ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') that are not blocked by Camel's inbound HttpHeaderFilterStrategy - which filters only 'Camel'-prefixed names - any HTTP client reaching a Camel route that fronts an elasticsearch-rest-client producer can substitute their own query body, operation type, or target index. Practical outcomes include full index enumeration via match_all, targeted document deletion, and field-level data exfiltration. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack requires no credentials and is trivially reproducible from the description alone.
Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and the CWE-798 root cause make this a high-priority fix for any organization running this Taiwanese ERP product.
Improper authorization in Craft CMS up to 4.18.0.1 allows authenticated low-privileged users to access new user statistics for arbitrary user groups via the Charts endpoint. The flaw resides in the `actionGetNewUsersData` function within `src/controllers/ChartsController.php`, where the `userGroupId` parameter is not properly validated against the requesting user's authorization scope, enabling horizontal privilege escalation to read data across user group boundaries. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 4.18.1.
Authorization bypass in Craft CMS up to 4.18.0.1 allows authenticated low-privilege users to invoke the reorder-sets endpoint and manipulate Global Set ordering outside their authorized scope. The flaw resides in the actionReorderSets function of GlobalsController.php and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an IDOR-class root cause where resource-level permission checks are absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; a vendor-released patch is available in version 4.18.1.
Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. No active exploitation has been confirmed and no public exploit code has been identified; a patch is available as release candidate 5.1.0-rc.1.
CVE-2026-58251 has been reported by Ubuntu with no description, CVSS score, CWE classification, or technical details available at time of analysis. The affected component, attack vector, and impact are entirely unknown. No exploitation status, patch availability, or severity rating can be determined from the provided intelligence.
CVE-2026-58254 has been reported through Ubuntu's vendor channel, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The affected product, vulnerability class, and impact cannot be characterized at this time. No meaningful synthesis is possible without a description, patch reference, or advisory content.
Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network connect to the cluster (route) or leafnode listener and be silently dropped into the privileged no_auth_user account, bypassing the separate route/leafnode authorization. Any server configured with no_auth_user is affected up to the fixed releases (v2.11.16, v2.12.7, v2.14.0), enabling cross-account message injection over the internal route protocol. No public exploit identified at time of analysis, though the vendor's own regression test demonstrates the exact attack.
CVE-2026-58211 was reported by Ubuntu with no description, CVSS score, CWE, or technical detail available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from available data. Security teams should monitor the Ubuntu security tracker and NVD for updates before assessing risk.
Insufficient data exists to characterize CVE-2026-58209 beyond its association with an Ubuntu vendor report. The CVE description is absent, no CVSS score or vector has been assigned, no CWE root cause is identified, and no additional intelligence sources were provided. Security teams should treat this as an unresolved reservation requiring active follow-up with Ubuntu Security Notices (USN) or the NVD pending full disclosure.
Insufficient data exists to characterize this vulnerability. CVE-2026-58214 was reported by Ubuntu (vendor source) but carries no description, CVSS score, vector, or CWE at time of analysis. The affected component, attack vector, and impact are all unknown. Security teams should monitor the Ubuntu Security Notices (USN) feed and the NVD entry for this CVE for forthcoming details.
CVE-2026-58252 is attributed to Ubuntu per vendor reporting, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The vulnerability cannot be characterized beyond its association with the Ubuntu platform. Security teams should consult Ubuntu Security Notices (USN) directly for authoritative details as this record is effectively unpopulated.
Authentication bypass in Apache Camel's camel-keycloak component (versions 4.15.0-4.18.2 and 4.19.0-4.20.x) allows any caller presenting a non-null Authorization: Bearer header value - including an arbitrary string or a forged, unsigned JWT - to bypass Keycloak token verification entirely and access routes protected by KeycloakSecurityPolicy. The cryptographic token checks (signature, issuer, expiry) are embedded exclusively inside role and permission validation routines that are never invoked when requiredRoles and requiredPermissions are empty, which is the documented default 'Basic Setup.' Where the protected route connects to a code-execution-capable Camel producer, this authentication bypass can escalate to unauthenticated remote code execution; no public exploit has been identified at time of analysis.
Header injection in Apache Camel's camel-salesforce component allows any HTTP client to override SOQL queries, SOSL searches, Salesforce object targets, and Apex REST endpoints by setting non-Camel-prefixed Exchange headers that the framework's HttpHeaderFilterStrategy fails to block. Routes that bridge an HTTP consumer (such as platform-http) into a salesforce: producer are the attack surface; when that HTTP consumer is unauthenticated, exploitation requires zero attacker credentials. All injected operations execute under the configured Salesforce integration user's permissions, which are typically broad, enabling unauthorized data exfiltration or destructive CRUD and Apex calls across the organization's Salesforce instance. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. No public exploit code or CISA KEV listing exists at time of analysis, but exploitation is mechanically straightforward for any publisher on the subscribed topic.
Authorization bypass in Apache Camel's camel-jira component (versions 4.0.0 through pre-4.21.0) allows unauthenticated HTTP clients - in routes that bridge an HTTP consumer to a jira: producer - to drive arbitrary JIRA issue operations using the endpoint's configured service-account credentials, including deleting or transitioning issues, creating issues in unauthorized projects, modifying fields, and manipulating watchers. The root cause is that JIRA control header constants (IssueKey, ProjectKey, IssueTransitionId, linkType, and others) use non-Camel-prefixed string values, bypassing the HttpHeaderFilterStrategy which only guards the 'Camel/'/'camel' header namespace at the HTTP boundary. Fixes are confirmed in 4.14.8, 4.18.3, and 4.21.0; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Local privilege escalation in Pardus Update (versions <=0.6.3, fixed in 0.6.6), the software-update component of TÜBİTAK BİLGEM's Debian-based Pardus Linux distribution, allows a low-privileged local user to perform actions they should not be authorized for and escalate to root-level control. The CWE-862 Missing Authorization flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in stumasy, a PHP-based student management system, exposes the Note Handler and Assignment Handler endpoints at /PHP/objects/notes to unauthenticated remote exploitation by manipulating the assignment_item_id parameter. The flaw (CWE-285: Improper Authorization) allows an attacker to read, modify, or otherwise interact with notes and assignment records belonging to other users without possessing the required authorization. Public exploit code exists per the CVSS 4.0 E:P threat metric, and the project maintainer has not responded to the disclosure, meaning no patch is available at time of analysis.
Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.
Keycloak's OIDC broker incorrectly applies the email_verified claim from the id_token to whichever email address is returned by the userinfo endpoint, even when those two sources disagree. An attacker who controls or compromises an upstream OIDC identity provider can exploit this desynchronization - configured with trustEmail=true - to mark an arbitrary, attacker-chosen email address as verified in Keycloak's database. The practical consequence is bypassing email verification workflows or triggering account linkage/takeover in applications that trust the email_verified flag from Keycloak for identity decisions. No public exploit code exists and no CISA KEV listing applies at time of analysis.
Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote attackers to bypass access controls on restricted methods. Affects all versions up to and including 3.13.0-beta.2. No public exploit identified as actively exploited (not in CISA KEV), but a publicly available proof-of-concept exists, lowering the barrier for exploitation against any exposed GoClaw deployment.
Missing authentication in CowAgent 2.1.0's /wx WeChat endpoint allows remote unauthenticated attackers to bypass server verification by supplying an empty or default wechatmp_token, causing the underlying HMAC signature check to silently degenerate into a predictable hash. The vendor confirms the flaw exists in verify_server() within channel/wechatmp/common.py, where no explicit non-empty token guard was enforced, making the endpoint fail open rather than closed. A public proof-of-concept exists (GitHub issue #2860), and the fix is available in version 2.1.1; no active exploitation has been confirmed by CISA KEV.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS application in one tenant inherit OAuth/OpenID consent that a user granted to a same-named application in a different tenant, breaking tenant isolation of authorization scopes. Because matching is done by application name rather than a tenant-scoped identifier, an application in attacker-controlled tenant B can read and modify a victim's data in tenant A without that user's explicit authorization. No active exploitation is reported (not in CISA KEV, EPSS 0.15%/4th percentile) and no public exploit is identified, but a vendor patch is available.
Improper authentication in NousResearch hermes-agent through version 0.15.2 allows remote attackers to bypass the Discord user allowlist by exploiting a logic flaw in the `DiscordAdapter._is_allowed_user` function within `gateway/platforms/discord.py`. Exploitation is rated high complexity (CVSS 4.0 AC:H), resulting in limited but confirmed confidentiality, integrity, and availability impact against the vulnerable system. A public proof-of-concept exploit has been disclosed via GitHub Gist; no vendor patch exists as the vendor did not respond to responsible disclosure.
Privilege escalation and remote code execution in the HestiaCP control panel allows an authenticated low-privilege user to abuse the panel's cronjob feature, which invokes HestiaCP management scripts via passwordless sudo, to run arbitrary commands and seize administrator accounts and the underlying webserver. Because the cronjob editor lets an ordinary panel user schedule execution of privileged v-scripts, the flaw yields a straight path from a normal hosting account to full host compromise. A detailed public write-up (projectblack.io) documents the exploitation technique, though it is not listed in CISA KEV.
Unauthenticated access to the administrative AJAX endpoint in jairiidriss/restaurant-website-php-mysql exposes backend admin functions to any remote attacker without credentials. The /admin/ajax_files endpoint fails to enforce authentication (CWE-306), allowing manipulation of whatever administrative operations it services - likely CRUD operations on menu items, orders, or reservations. No CISA KEV listing exists, but a public proof-of-concept was published via GitHub issue #6, and the maintainer has not responded to disclosure, leaving all deployments up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35 unpatched.
Arbitrary command execution in the n8n workflow automation platform lets authenticated users abuse the built-in Execute Command node to run OS commands directly on the host running n8n. Any user with workflow-editing access or stolen credentials can leverage this by-design node to exfiltrate data, disrupt the service, or fully compromise the underlying host, and CWE-284 (Improper Access Control) reflects that command execution is not restricted to trusted operators. Reported by VulnCheck; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Security feature bypass in Microsoft Edge for Android exposes high-confidentiality data to unauthenticated network attackers who can induce user interaction. The vulnerability stems from improper access control (CWE-284) in the Chromium-based mobile browser, allowing an attacker to circumvent a security boundary and access protected information without credentials. No active exploitation is confirmed (CISA KEV absent, temporal metric E:U), and a vendor patch is available via MSRC, making this a patch-priority item rather than an emergency response.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- auth
- Total CVEs
- 31263