CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-6F9W-R8MJ-4H2W
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-01-05 00:02Mesa Labs AmegaView Versions 3.0 uses default cookies that could be set to bypass authentication to the web application, which may allow an attacker to gain access.
{
"affected": [],
"aliases": [
"CVE-2021-27453"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Mesa Labs AmegaView Versions 3.0 uses default cookies that could be set to bypass authentication to the web application, which may allow an attacker to gain access.",
"id": "GHSA-6f9w-r8mj-4h2w",
"modified": "2022-01-05T00:02:04Z",
"published": "2021-12-22T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27453"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-147-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6H7H-M7P5-HJQP
Vulnerability from github – Published: 2026-03-30 18:04 – Updated: 2026-03-31 21:40Impact
A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.
Patches
The issue was patched in release 2.6.22 and 3.0.5.
Workarounds
Create a Symfony Request Listener checking the permissions for the specific roles.
Resources
Github Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sulu/sulu"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.6.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sulu/sulu"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34372"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T18:04:10Z",
"nvd_published_at": "2026-03-31T21:16:29Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.\n\n### Patches\n\nThe issue was patched in release 2.6.22 and 3.0.5.\n\n### Workarounds\n\nCreate a Symfony Request Listener checking the permissions for the specific roles.\n\n### Resources\n\nGithub Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp",
"id": "GHSA-6h7h-m7p5-hjqp",
"modified": "2026-03-31T21:40:41Z",
"published": "2026-03-30T18:04:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34372"
},
{
"type": "PACKAGE",
"url": "https://github.com/sulu/sulu"
},
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/releases/tag/2.6.22"
},
{
"type": "WEB",
"url": "https://github.com/sulu/sulu/releases/tag/3.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sulu checks fix permissions for subentities endpoints"
}
GHSA-6JH2-MQQC-57CX
Vulnerability from github – Published: 2024-10-28 03:30 – Updated: 2024-10-28 03:30The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.
{
"affected": [],
"aliases": [
"CVE-2024-10438"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T03:15:02Z",
"severity": "HIGH"
},
"details": "The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.",
"id": "GHSA-6jh2-mqqc-57cx",
"modified": "2024-10-28T03:30:39Z",
"published": "2024-10-28T03:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10438"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8165-7da2f-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8164-fe7c5-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6JWP-4WVJ-6597
Vulnerability from github – Published: 2025-04-01 09:30 – Updated: 2025-05-27 18:34Authentication Bypass Issue
If the path does not contain / and contain., authentication is not required.
Expected Normal Request and Response Example
curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users
Return: {"code":401,"error":"HTTP 401 Unauthorized"}
Malicious Request and Response Example
curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; .
Return: {"users":{}}
A new user gets added bypassing authentication, enabling the user to control Pinot.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pinot:pinot-broker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pinot:pinot-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pinot:pinot-controller"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56325"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-01T18:20:48Z",
"nvd_published_at": "2025-04-01T09:15:15Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Issue\n\nIf the path does not contain / and contain., authentication is not required.\n\nExpected Normal Request and Response Example\n\ncurl -X POST -H \"Content-Type: application/json\" -d {\\\"username\\\":\\\"hack2\\\",\\\"password\\\":\\\"hack\\\",\\\"component\\\":\\\"CONTROLLER\\\",\\\"role\\\":\\\"ADMIN\\\",\\\"tables\\\":[],\\\"permissions\\\":[],\\\"usernameWithComponent\\\":\\\"hack_CONTROLLER\\\"} http://{server_ip}:9000/users \n\n\nReturn: {\"code\":401,\"error\":\"HTTP 401 Unauthorized\"}\n\n\nMalicious Request and Response Example \n\ncurl -X POST -H \"Content-Type: application/json\" -d \u0027{\\\"username\\\":\\\"hack\\\",\\\"password\\\":\\\"hack\\\",\\\"component\\\":\\\"CONTROLLER\\\",\\\"role\\\":\\\"ADMIN\\\",\\\"tables\\\":[],\\\"permissions\\\":[],\\\"usernameWithComponent\\\":\\\"hack_CONTROLLER\\\"}\u0027 http://{serverip}:9000/users; http://{serverip}:9000/users; .\n\n\nReturn: {\"users\":{}}\n\n\n\n \n\nA new user gets added bypassing authentication, enabling the user to control Pinot.",
"id": "GHSA-6jwp-4wvj-6597",
"modified": "2025-05-27T18:34:51Z",
"published": "2025-04-01T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56325"
},
{
"type": "WEB",
"url": "https://github.com/apache/pinot/pull/14383"
},
{
"type": "WEB",
"url": "https://github.com/apache/pinot/commit/1b87488aeaf4836e3ef25b426ebbf1ad5a68e68f"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/pinot"
},
{
"type": "WEB",
"url": "https://github.com/apache/pinot/releases/tag/release-1.3.0"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/03/27/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Pinot Vulnerable to Authentication Bypass"
}
GHSA-6MJQ-9P26-VG33
Vulnerability from github – Published: 2023-04-25 21:30 – Updated: 2024-04-04 03:40PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.
{
"affected": [],
"aliases": [
"CVE-2022-40725"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-25T19:15:10Z",
"severity": "MODERATE"
},
"details": "PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.",
"id": "GHSA-6mjq-9p26-vg33",
"modified": "2024-04-04T03:40:54Z",
"published": "2023-04-25T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40725"
},
{
"type": "WEB",
"url": "https://docs.pingidentity.com/r/en-us/pingid/desktop_app_1.7.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MMX-XCWP-RVJ9
Vulnerability from github – Published: 2025-05-05 21:31 – Updated: 2025-05-06 15:31An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-45607"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-05T20:15:19Z",
"severity": "CRITICAL"
},
"details": "An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request.",
"id": "GHSA-6mmx-xcwp-rvj9",
"modified": "2025-05-06T15:31:04Z",
"published": "2025-05-05T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45607"
},
{
"type": "WEB",
"url": "https://github.com/michaelliao/itranswarp/issues/73"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6Q34-632F-JR72
Vulnerability from github – Published: 2026-04-16 15:31 – Updated: 2026-04-16 15:31Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.
{
"affected": [],
"aliases": [
"CVE-2026-3324"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T15:17:38Z",
"severity": "HIGH"
},
"details": "Zohocorp ManageEngine Log360 versions 13000 through 13013 are vulnerable to authentication bypass on certain actions due to improper filter configuration.",
"id": "GHSA-6q34-632f-jr72",
"modified": "2026-04-16T15:31:33Z",
"published": "2026-04-16T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3324"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/log-management/advisory/CVE-2026-3324.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WPW-J4XP-QQV8
Vulnerability from github – Published: 2026-06-02 18:31 – Updated: 2026-06-02 18:31Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation.
This issue affects BookIt: from n/a before 2.5.4.1.
{
"affected": [],
"aliases": [
"CVE-2026-40780"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T16:16:39Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation.\n\nThis issue affects BookIt: from n/a before 2.5.4.1.",
"id": "GHSA-6wpw-j4xp-qqv8",
"modified": "2026-06-02T18:31:32Z",
"published": "2026-06-02T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40780"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/bookit/vulnerability/wordpress-bookit-plugin-2-5-1-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WXW-HVR8-55J8
Vulnerability from github – Published: 2025-06-09 18:32 – Updated: 2026-04-01 18:35Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India allows Authentication Abuse. This issue affects PayU India: from n/a through 3.8.5.
{
"affected": [],
"aliases": [
"CVE-2025-31022"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T16:15:36Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India allows Authentication Abuse. This issue affects PayU India: from n/a through 3.8.5.",
"id": "GHSA-6wxw-hvr8-55j8",
"modified": "2026-04-01T18:35:24Z",
"published": "2025-06-09T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31022"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-73C8-PH6W-G64X
Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or code to be executed on the UNEM server allowing sensitive data to be read or modified or could cause other unintended behavior
{
"affected": [],
"aliases": [
"CVE-2024-2012"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T14:15:11Z",
"severity": "CRITICAL"
},
"details": "vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that if exploited an attacker could use to allow unintended commands or \ncode to be executed on the UNEM server allowing sensitive data to \nbe read or modified or could cause other unintended behavior",
"id": "GHSA-73c8-ph6w-g64x",
"modified": "2024-06-11T15:31:14Z",
"published": "2024-06-11T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2012"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.