CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-4GVJ-WFPH-8C6J
Vulnerability from github – Published: 2024-10-01 09:30 – Updated: 2024-10-01 09:30The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email.
{
"affected": [],
"aliases": [
"CVE-2024-9289"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-01T09:15:09Z",
"severity": "CRITICAL"
},
"details": "The WordPress \u0026 WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user\u0027s identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator\u0027s email.",
"id": "GHSA-4gvj-wfph-8c6j",
"modified": "2024-10-01T09:30:51Z",
"published": "2024-10-01T09:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9289"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/wordpress-woocommerce-affiliate-program/23580333"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed19835f-2718-41d8-95af-47c8b9589529?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HPG-VXH4-JM69
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-10 21:30An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
{
"affected": [],
"aliases": [
"CVE-2024-11639"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:19Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access",
"id": "GHSA-4hpg-vxh4-jm69",
"modified": "2024-12-10T21:30:52Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11639"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4JHM-9928-RQX4
Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-26 15:32Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.
{
"affected": [],
"aliases": [
"CVE-2026-56029"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T15:16:42Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway \u003c= 2.7.4 versions.",
"id": "GHSA-4jhm-9928-rqx4",
"modified": "2026-06-26T15:32:16Z",
"published": "2026-06-26T15:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56029"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/corvuspay-woocommerce-integration/vulnerability/wordpress-corvuspay-woocommerce-payment-gateway-plugin-2-7-4-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4JWP-2G8R-6M99
Vulnerability from github – Published: 2026-06-20 15:32 – Updated: 2026-06-20 15:32WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.
{
"affected": [],
"aliases": [
"CVE-2020-37255"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-20T14:16:18Z",
"severity": "HIGH"
},
"details": "WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.",
"id": "GHSA-4jwp-2g8r-6m99",
"modified": "2026-06-20T15:32:27Z",
"published": "2026-06-20T15:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37255"
},
{
"type": "WEB",
"url": "https://wptimecapsule.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47941"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wordpress-time-capsule-plugin-authentication-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4P49-FWP8-38MV
Vulnerability from github – Published: 2026-02-13 15:30 – Updated: 2026-06-06 09:31Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
{
"affected": [],
"aliases": [
"CVE-2026-1618"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-13T14:16:09Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kiosk allows Privilege Escalation.This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.",
"id": "GHSA-4p49-fwp8-38mv",
"modified": "2026-06-06T09:31:15Z",
"published": "2026-02-13T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1618"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0065"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PF4-JP4V-4G5C
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
{
"affected": [],
"aliases": [
"CVE-2026-4700"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-444"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:06Z",
"severity": "CRITICAL"
},
"details": "Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
"id": "GHSA-4pf4-jp4v-4g5c",
"modified": "2026-06-30T03:35:59Z",
"published": "2026-03-24T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4700"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8286"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8287"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8289"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8290"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8315"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8850"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4700"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2003766"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450752"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4700.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5930"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5931"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5932"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6188"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6917"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7837"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7838"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7839"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7840"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7841"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7845"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8284"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8285"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4Q2C-288H-F42X
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-08-12 15:30The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled.
{
"affected": [],
"aliases": [
"CVE-2024-7503"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:43Z",
"severity": "CRITICAL"
},
"details": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the \u0027woo_slg_confirm_email_user\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled.",
"id": "GHSA-4q2c-288h-f42x",
"modified": "2024-08-12T15:30:52Z",
"published": "2024-08-12T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7503"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3b727ba-b39c-4a98-a6a6-ea33785079f6?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4QQ2-2J2X-X62C
Vulnerability from github – Published: 2026-06-18 14:25 – Updated: 2026-06-18 14:25Summary
The published npm package praisonai exports an MCPSecurity helper described in source as:
MCP Security - Authentication, authorization, and rate limiting
Provides security policies for MCP servers.
Its AuthMethod type advertises five authentication methods:
export type AuthMethod = 'none' | 'api-key' | 'bearer' | 'basic' | 'oauth';
The authentication-policy evaluator, however, only validates credentials for api-key and bearer:
if (policy.auth.method === 'api-key' || policy.auth.method === 'bearer') {
const valid = policy.auth.validate
? await policy.auth.validate(token)
: this.validateApiKey(token);
if (!valid) {
return { allowed: false, reason: 'Invalid credentials' };
}
}
return { allowed: true, context: { authenticated: true } };
For basic and oauth, any non-empty Authorization header skips the supplied validate callback and returns allowed. A local PoV configures auth.validate to always return false; invalid api-key and bearer credentials are rejected, while invalid basic and oauth credentials are accepted without calling the validator.
This is a protection-mechanism failure in the exported npm MCP security helper. It is distinct from the separate issue that the npm MCPServer HTTP transport does not enforce authentication by default.
Technical Details
SecurityPolicy.auth accepts both a method and a validator:
auth?: { method: AuthMethod; validate?: (token: string) => Promise<boolean> };
extractToken() parses both Bearer and Basic headers:
if (auth.startsWith('Bearer ')) {
return auth.slice(7);
}
if (auth.startsWith('Basic ')) {
return auth.slice(6);
}
return auth;
But evaluatePolicy() only calls policy.auth.validate() for two methods:
if (policy.auth.method === 'api-key' || policy.auth.method === 'bearer') {
const valid = policy.auth.validate
? await policy.auth.validate(token)
: this.validateApiKey(token);
if (!valid) {
return { allowed: false, reason: 'Invalid credentials' };
}
}
There is no validation branch for basic or oauth. After extracting any non-empty token, those methods fall through to the success return:
return { allowed: true, context: { authenticated: true } };
check() then ignores successful authentication context and returns a generic allowed result:
return { allowed: true, context: { authenticated: false } };
That context propagation issue is secondary. The security-relevant flaw is that invalid Basic/OAuth credentials are allowed at all.
Why This Is Not Intended Behavior
This is not a claim that every MCPSecurity user must choose Basic or OAuth. The issue is that the API explicitly exposes those methods as authentication methods and accepts a validator callback for the policy, but the implementation does not call the validator for those methods.
The control cases prove the intended security behavior:
- Missing Basic credentials are denied as
Authentication required. - Invalid
api-keycredentials are denied asInvalid credentials. - Invalid
bearercredentials are denied asInvalid credentials.
The only difference in the vulnerable cases is the selected advertised method. Invalid Basic/OAuth credentials should not become authenticated merely because the method is not listed in the two-method validation branch.
This also matches MCP authorization guidance. MCP servers acting as resource servers must validate received access tokens; receiving a token is not proof that it is valid or intended for the server.
PoV
Run from a local reproduction checkout:
node poc/pov_poc.js 1.7.1
The PoV:
- Installs
npm:praisonai@1.7.1into a temporary project with scripts disabled. - Imports
MCPSecurityfrom the package root. - Creates one
authenticatepolicy per method. - Supplies an
auth.validatecallback that always returnsfalse. - Sends invalid
api-key,bearer,basic, andoauthcredentials. - Confirms the missing-header Basic control is still denied.
Observed output summary from evidence/pov-npm-1.7.1.json:
{
"package": "praisonai",
"version": "1.7.1",
"cases": [
{
"method": "api-key",
"validateCalls": 1,
"allowed": false,
"reason": "Invalid credentials"
},
{
"method": "bearer",
"validateCalls": 1,
"allowed": false,
"reason": "Invalid credentials"
},
{
"method": "basic",
"validateCalls": 0,
"allowed": true
},
{
"method": "oauth",
"validateCalls": 0,
"allowed": true
},
{
"method": "basic",
"authorizationHeaderPresent": false,
"validateCalls": 0,
"allowed": false,
"reason": "Authentication required"
}
],
"controlsPass": true,
"vulnerable": true
}
The PoV is local-only. It does not start a server, contact a third-party target, or use live credentials.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
A downstream application that uses MCPSecurity to protect an HTTP MCP transport, gateway, or equivalent tool/resource endpoint can believe it has enabled Basic or OAuth authentication while accepting any non-empty Authorization header.
Depending on the protected MCP tools and resources, this can allow an unauthenticated network caller to:
- list protected tools or resources;
- call tools that were intended to require authentication;
- read protected MCP resources;
- trigger agent/workflow actions exposed behind the security helper; and
- bypass audit assumptions based on the configured validator.
This report does not claim that npm PraisonAI wires MCPSecurity into the default MCPServer.startHttp() path. It is a library-level authentication bypass in an exported security component intended to protect MCP servers.
Severity
Suggested severity: High.
Rationale:
AV: the affected helper is intended to protect MCP server requests and equivalent HTTP security checks.AC: a single non-empty Basic or OAuth-style Authorization header is sufficient when such a policy is configured.PR: the bypass grants access without valid credentials.UI: no maintainer or user interaction is required after deployment.S: impact is within the PraisonAI-hosting service and its exposed MCP resources/tools.C: protected MCP resources or tool outputs may be disclosed.I: protected tool calls may perform state-changing actions depending on the registered tools; the score is conservative because the vulnerable helper is library-level and deployment-dependent.A: the PoV does not demonstrate availability impact.
If a deployment protects high-impact write or execution tools with MCPSecurity, maintainers may reasonably score integrity higher.
Suggested Fix
Make authentication evaluation fail closed for every advertised method.
Recommended:
- For
authenticatepolicies, callpolicy.auth.validate(token)whenever it is provided, regardless ofauth.method. - If no validator is provided, only fall back to
validateApiKey()forapi-keywhen that behavior is explicitly intended. - For
bearerandoauth, require a validator or a server-side token validation implementation; otherwise deny with a configuration error. - For
basic, decode the Basic credential safely and pass the decoded username/password or raw credential to a validator; if no validator exists, deny. - Treat unknown or unsupported methods as denied, not allowed.
- Return authenticated context from
check()after a successful authenticate policy instead of replacing it with{ authenticated: false }. - Add regression tests proving invalid credentials are rejected for
api-key,bearer,basic, andoauth, and that each configured validator is called.
Minimal fail-closed shape:
if (policy.type === 'authenticate') {
if (!policy.auth) return { allowed: false, reason: 'Authentication policy is not configured' };
const token = request.headers ? this.extractToken(request.headers) : null;
if (!token) return { allowed: false, reason: 'Authentication required' };
if (policy.auth.validate) {
const valid = await policy.auth.validate(token);
return valid
? { allowed: true, context: { authenticated: true } }
: { allowed: false, reason: 'Invalid credentials' };
}
if (policy.auth.method === 'api-key') {
return this.validateApiKey(token)
? { allowed: true, context: { authenticated: true } }
: { allowed: false, reason: 'Invalid credentials' };
}
return { allowed: false, reason: 'Authentication validator required' };
}
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Ecosystem:
npm - Package:
praisonai - Component: TypeScript MCP security helper
src/praisonai-ts/src/mcp/security.ts - Published dist path:
node_modules/praisonai/dist/mcp/security.js - Latest npm package validated:
1.7.1 - Current
origin/mainvalidated:1ad58ca02975ff1398efeda694ea2ab78f20cf3e src/praisonai-ts/package.jsonatorigin/main:praisonai1.7.1
Suggested affected range:
npm:praisonai >= 1.5.1, <= 1.7.1
All published npm 1.x versions were swept locally:
1.0.0through1.5.0: the tested root export was unavailable orMCPSecuritywas not exported as a constructor.1.5.1,1.5.2,1.5.3,1.5.4,1.6.0,1.7.0, and1.7.1: vulnerable.
The package root re-exports this helper:
export {
MCPClient, createMCPClient, getMCPTools,
MCPServer, createMCPServer,
MCPSession as MCPSessionManager, createMCPSession,
MCPSecurity, createMCPSecurity, createApiKeyPolicy, createRateLimitPolicy,
type MCPClientConfig, type MCPSession, type MCPTransportType,
type MCPServerConfig, type MCPServerTool,
type SecurityPolicy, type SecurityResult
} from './mcp';
Advisory History
Visible PraisonAI advisories and prior submissions were checked. The closest public advisory is GHSA-98f9-fqg5-hvq5 / CVE-2026-34953, but that issue is distinct:
GHSA-98f9-fqg5-hvq5affects the PyPI package and PythonOAuthManager.validate_token().- This report affects the npm package and TypeScript
src/praisonai-ts/src/mcp/security.ts. - The prior issue accepts arbitrary Bearer tokens because an empty Python token store falls through to
True. - This issue accepts invalid Basic/OAuth credentials because the TypeScript validator callback is never called for those advertised methods.
- The affected ranges and patched surfaces are different.
The earlier npm MCPServer report is also distinct: it covers missing auth in the HTTP transport by default. This report covers a fail-open branch in the separate exported MCPSecurity helper when users attempt to add Basic/OAuth authentication.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.1"
},
"package": {
"ecosystem": "npm",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.1"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:25:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe published npm package `praisonai` exports an `MCPSecurity` helper described in source as:\n\n```text\nMCP Security - Authentication, authorization, and rate limiting\nProvides security policies for MCP servers.\n```\n\nIts `AuthMethod` type advertises five authentication methods:\n\n```ts\nexport type AuthMethod = \u0027none\u0027 | \u0027api-key\u0027 | \u0027bearer\u0027 | \u0027basic\u0027 | \u0027oauth\u0027;\n```\n\nThe authentication-policy evaluator, however, only validates credentials for `api-key` and `bearer`:\n\n```ts\nif (policy.auth.method === \u0027api-key\u0027 || policy.auth.method === \u0027bearer\u0027) {\n const valid = policy.auth.validate\n ? await policy.auth.validate(token)\n : this.validateApiKey(token);\n\n if (!valid) {\n return { allowed: false, reason: \u0027Invalid credentials\u0027 };\n }\n}\n\nreturn { allowed: true, context: { authenticated: true } };\n```\n\nFor `basic` and `oauth`, any non-empty `Authorization` header skips the supplied `validate` callback and returns allowed. A local PoV configures `auth.validate` to always return `false`; invalid `api-key` and `bearer` credentials are rejected, while invalid `basic` and `oauth` credentials are accepted without calling the validator.\n\nThis is a protection-mechanism failure in the exported npm MCP security helper. It is distinct from the separate issue that the npm `MCPServer` HTTP transport does not enforce authentication by default.\n\n## Technical Details\n\n`SecurityPolicy.auth` accepts both a method and a validator:\n\n```ts\nauth?: { method: AuthMethod; validate?: (token: string) =\u003e Promise\u003cboolean\u003e };\n```\n\n`extractToken()` parses both Bearer and Basic headers:\n\n```ts\nif (auth.startsWith(\u0027Bearer \u0027)) {\n return auth.slice(7);\n}\nif (auth.startsWith(\u0027Basic \u0027)) {\n return auth.slice(6);\n}\nreturn auth;\n```\n\nBut `evaluatePolicy()` only calls `policy.auth.validate()` for two methods:\n\n```ts\nif (policy.auth.method === \u0027api-key\u0027 || policy.auth.method === \u0027bearer\u0027) {\n const valid = policy.auth.validate\n ? await policy.auth.validate(token)\n : this.validateApiKey(token);\n\n if (!valid) {\n return { allowed: false, reason: \u0027Invalid credentials\u0027 };\n }\n}\n```\n\nThere is no validation branch for `basic` or `oauth`. After extracting any non-empty token, those methods fall through to the success return:\n\n```ts\nreturn { allowed: true, context: { authenticated: true } };\n```\n\n`check()` then ignores successful authentication context and returns a generic allowed result:\n\n```ts\nreturn { allowed: true, context: { authenticated: false } };\n```\n\nThat context propagation issue is secondary. The security-relevant flaw is that invalid Basic/OAuth credentials are allowed at all.\n\n### Why This Is Not Intended Behavior\n\nThis is not a claim that every `MCPSecurity` user must choose Basic or OAuth. The issue is that the API explicitly exposes those methods as authentication methods and accepts a validator callback for the policy, but the implementation does not call the validator for those methods.\n\nThe control cases prove the intended security behavior:\n\n- Missing Basic credentials are denied as `Authentication required`.\n- Invalid `api-key` credentials are denied as `Invalid credentials`.\n- Invalid `bearer` credentials are denied as `Invalid credentials`.\n\nThe only difference in the vulnerable cases is the selected advertised method. Invalid Basic/OAuth credentials should not become authenticated merely because the method is not listed in the two-method validation branch.\n\nThis also matches MCP authorization guidance. MCP servers acting as resource servers must validate received access tokens; receiving a token is not proof that it is valid or intended for the server.\n\n## PoV\n\nRun from a local reproduction checkout:\n\n```bash\nnode poc/pov_poc.js 1.7.1\n```\n\nThe PoV:\n\n1. Installs `npm:praisonai@1.7.1` into a temporary project with scripts disabled.\n2. Imports `MCPSecurity` from the package root.\n3. Creates one `authenticate` policy per method.\n4. Supplies an `auth.validate` callback that always returns `false`.\n5. Sends invalid `api-key`, `bearer`, `basic`, and `oauth` credentials.\n6. Confirms the missing-header Basic control is still denied.\n\nObserved output summary from `evidence/pov-npm-1.7.1.json`:\n\n```json\n{\n \"package\": \"praisonai\",\n \"version\": \"1.7.1\",\n \"cases\": [\n {\n \"method\": \"api-key\",\n \"validateCalls\": 1,\n \"allowed\": false,\n \"reason\": \"Invalid credentials\"\n },\n {\n \"method\": \"bearer\",\n \"validateCalls\": 1,\n \"allowed\": false,\n \"reason\": \"Invalid credentials\"\n },\n {\n \"method\": \"basic\",\n \"validateCalls\": 0,\n \"allowed\": true\n },\n {\n \"method\": \"oauth\",\n \"validateCalls\": 0,\n \"allowed\": true\n },\n {\n \"method\": \"basic\",\n \"authorizationHeaderPresent\": false,\n \"validateCalls\": 0,\n \"allowed\": false,\n \"reason\": \"Authentication required\"\n }\n ],\n \"controlsPass\": true,\n \"vulnerable\": true\n}\n```\n\nThe PoV is local-only. It does not start a server, contact a third-party target, or use live credentials.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nA downstream application that uses `MCPSecurity` to protect an HTTP MCP transport, gateway, or equivalent tool/resource endpoint can believe it has enabled Basic or OAuth authentication while accepting any non-empty `Authorization` header.\n\nDepending on the protected MCP tools and resources, this can allow an unauthenticated network caller to:\n\n- list protected tools or resources;\n- call tools that were intended to require authentication;\n- read protected MCP resources;\n- trigger agent/workflow actions exposed behind the security helper; and\n- bypass audit assumptions based on the configured validator.\n\nThis report does not claim that npm PraisonAI wires `MCPSecurity` into the default `MCPServer.startHttp()` path. It is a library-level authentication bypass in an exported security component intended to protect MCP servers.\n\n### Severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: the affected helper is intended to protect MCP server requests and equivalent HTTP security checks.\n- `AC`: a single non-empty Basic or OAuth-style Authorization header is sufficient when such a policy is configured.\n- `PR`: the bypass grants access without valid credentials.\n- `UI`: no maintainer or user interaction is required after deployment.\n- `S`: impact is within the PraisonAI-hosting service and its exposed MCP resources/tools.\n- `C`: protected MCP resources or tool outputs may be disclosed.\n- `I`: protected tool calls may perform state-changing actions depending on the registered tools; the score is conservative because the vulnerable helper is library-level and deployment-dependent.\n- `A`: the PoV does not demonstrate availability impact.\n\nIf a deployment protects high-impact write or execution tools with `MCPSecurity`, maintainers may reasonably score integrity higher.\n\n## Suggested Fix\n\nMake authentication evaluation fail closed for every advertised method.\n\nRecommended:\n\n1. For `authenticate` policies, call `policy.auth.validate(token)` whenever it is provided, regardless of `auth.method`.\n2. If no validator is provided, only fall back to `validateApiKey()` for `api-key` when that behavior is explicitly intended.\n3. For `bearer` and `oauth`, require a validator or a server-side token validation implementation; otherwise deny with a configuration error.\n4. For `basic`, decode the Basic credential safely and pass the decoded username/password or raw credential to a validator; if no validator exists, deny.\n5. Treat unknown or unsupported methods as denied, not allowed.\n6. Return authenticated context from `check()` after a successful authenticate policy instead of replacing it with `{ authenticated: false }`.\n7. Add regression tests proving invalid credentials are rejected for `api-key`, `bearer`, `basic`, and `oauth`, and that each configured validator is called.\n\nMinimal fail-closed shape:\n\n```ts\nif (policy.type === \u0027authenticate\u0027) {\n if (!policy.auth) return { allowed: false, reason: \u0027Authentication policy is not configured\u0027 };\n\n const token = request.headers ? this.extractToken(request.headers) : null;\n if (!token) return { allowed: false, reason: \u0027Authentication required\u0027 };\n\n if (policy.auth.validate) {\n const valid = await policy.auth.validate(token);\n return valid\n ? { allowed: true, context: { authenticated: true } }\n : { allowed: false, reason: \u0027Invalid credentials\u0027 };\n }\n\n if (policy.auth.method === \u0027api-key\u0027) {\n return this.validateApiKey(token)\n ? { allowed: true, context: { authenticated: true } }\n : { allowed: false, reason: \u0027Invalid credentials\u0027 };\n }\n\n return { allowed: false, reason: \u0027Authentication validator required\u0027 };\n}\n```\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `npm`\n- Package: `praisonai`\n- Component: TypeScript MCP security helper `src/praisonai-ts/src/mcp/security.ts`\n- Published dist path: `node_modules/praisonai/dist/mcp/security.js`\n- Latest npm package validated: `1.7.1`\n- Current `origin/main` validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- `src/praisonai-ts/package.json` at `origin/main`: `praisonai` `1.7.1`\n\nSuggested affected range:\n\n```text\nnpm:praisonai \u003e= 1.5.1, \u003c= 1.7.1\n```\n\nAll published npm `1.x` versions were swept locally:\n\n- `1.0.0` through `1.5.0`: the tested root export was unavailable or `MCPSecurity` was not exported as a constructor.\n- `1.5.1`, `1.5.2`, `1.5.3`, `1.5.4`, `1.6.0`, `1.7.0`, and `1.7.1`: vulnerable.\n\nThe package root re-exports this helper:\n\n```ts\nexport {\n MCPClient, createMCPClient, getMCPTools,\n MCPServer, createMCPServer,\n MCPSession as MCPSessionManager, createMCPSession,\n MCPSecurity, createMCPSecurity, createApiKeyPolicy, createRateLimitPolicy,\n type MCPClientConfig, type MCPSession, type MCPTransportType,\n type MCPServerConfig, type MCPServerTool,\n type SecurityPolicy, type SecurityResult\n} from \u0027./mcp\u0027;\n```\n\n## Advisory History\n\nVisible PraisonAI advisories and prior submissions were checked. The closest public advisory is `GHSA-98f9-fqg5-hvq5` / `CVE-2026-34953`, but that issue is distinct:\n\n- `GHSA-98f9-fqg5-hvq5` affects the PyPI package and Python `OAuthManager.validate_token()`.\n- This report affects the npm package and TypeScript `src/praisonai-ts/src/mcp/security.ts`.\n- The prior issue accepts arbitrary Bearer tokens because an empty Python token store falls through to `True`.\n- This issue accepts invalid Basic/OAuth credentials because the TypeScript validator callback is never called for those advertised methods.\n- The affected ranges and patched surfaces are different.\n\nThe earlier npm `MCPServer` report is also distinct: it covers missing auth in the HTTP transport by default. This report covers a fail-open branch in the separate exported `MCPSecurity` helper when users attempt to add Basic/OAuth authentication.",
"id": "GHSA-4qq2-2j2x-x62c",
"modified": "2026-06-18T14:25:17Z",
"published": "2026-06-18T14:25:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4qq2-2j2x-x62c"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation"
}
GHSA-4QXF-VV9Q-J2G9
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35Authentication Bypass Using an Alternate Path or Channel vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Password Recovery Exploitation.This issue affects ProfileGrid : from n/a through <= 5.9.9.6.
{
"affected": [],
"aliases": [
"CVE-2026-57697"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:37Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Password Recovery Exploitation.This issue affects ProfileGrid : from n/a through \u003c= 5.9.9.6.",
"id": "GHSA-4qxf-vv9q-j2g9",
"modified": "2026-07-13T12:35:03Z",
"published": "2026-07-13T12:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57697"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-9-6-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QXP-C58R-4XG9
Vulnerability from github – Published: 2024-08-20 18:31 – Updated: 2024-08-20 18:31A tampering vulnerability in the CylanceOPTICS Windows Installer Package of CylanceOPTICS for Windows version 3.2 and 3.3 could allow an attacker to potentially uninstall CylanceOPTICS from a system thereby leaving it with only the protection of CylancePROTECT.
{
"affected": [],
"aliases": [
"CVE-2024-35214"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-20T18:15:08Z",
"severity": "HIGH"
},
"details": "A tampering vulnerability in the CylanceOPTICS Windows Installer Package of CylanceOPTICS for Windows version 3.2 and 3.3 could allow an attacker to potentially uninstall CylanceOPTICS from a system thereby leaving it with only the protection of CylancePROTECT.",
"id": "GHSA-4qxp-c58r-4xg9",
"modified": "2024-08-20T18:31:26Z",
"published": "2024-08-20T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35214"
},
{
"type": "WEB",
"url": "https://support.blackberry.com/pkb/s/article/140080"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.