CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-8HFC-FQ58-R658
Vulnerability from github – Published: 2026-03-20 00:31 – Updated: 2026-03-20 20:41Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-starter-actuator"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"last_affected": "3.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-starter-actuator"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-starter-actuator"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-M1"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22731"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:41:29Z",
"nvd_published_at": "2026-03-19T23:16:41Z",
"severity": "HIGH"
},
"details": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.",
"id": "GHSA-8hfc-fq58-r658",
"modified": "2026-03-20T20:41:29Z",
"published": "2026-03-20T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22731"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-boot"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-22731"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Boot has an Authentication Bypass under Actuator Health groups paths"
}
GHSA-8J2W-6FMM-M587
Vulnerability from github – Published: 2026-03-12 14:22 – Updated: 2026-03-25 18:47Summary
Gateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.
Details
On affected versions, server-http only applies gateway auth when raw requestPath matches exactly:
- /api/channels
- /api/channels/*
If a plugin handler canonicalizes path input (for example decodeURIComponent(pathname).toLowerCase()), requests like:
- /API/channels/nostr/default/profile
- /api/channels%2Fnostr%2Fdefault%2Fprofile
can be interpreted as /api/channels/* by the plugin, while the gateway auth guard is skipped.
Impact
Authentication boundary bypass for plugin channel HTTP routes under canonicalization mismatch conditions. Unauthorized callers may access plugin channel APIs that are expected to require gateway auth.
CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (Base 5.3, Moderate)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32031"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:22:04Z",
"nvd_published_at": "2026-03-19T22:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\nGateway auth for plugin channel endpoints can be bypassed when path canonicalization differs between the gateway guard and plugin handler routing.\n\n### Details\nOn affected versions, `server-http` only applies gateway auth when raw `requestPath` matches exactly:\n- `/api/channels`\n- `/api/channels/*`\n\nIf a plugin handler canonicalizes path input (for example `decodeURIComponent(pathname).toLowerCase()`), requests like:\n- `/API/channels/nostr/default/profile`\n- `/api/channels%2Fnostr%2Fdefault%2Fprofile`\ncan be interpreted as `/api/channels/*` by the plugin, while the gateway auth guard is skipped.\n\n### Impact\nAuthentication boundary bypass for plugin channel HTTP routes under canonicalization mismatch conditions. Unauthorized callers may access plugin channel APIs that are expected to require gateway auth.\n\nCWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)\nCVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N` (Base 5.3, Moderate)",
"id": "GHSA-8j2w-6fmm-m587",
"modified": "2026-03-25T18:47:40Z",
"published": "2026-03-12T14:22:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8j2w-6fmm-m587"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32031"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-path-canonicalization-mismatch-in-api-channels-gateway"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch"
}
GHSA-8JFC-89MC-PJWM
Vulnerability from github – Published: 2024-03-05 21:30 – Updated: 2024-03-05 21:30Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the "tailon" service is running, running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at gvalkov's 'tailon' GitHub repo. Using the tailon service, the contents of any file on the Artica Proxy can be viewed.
{
"affected": [],
"aliases": [
"CVE-2024-2056"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-05T20:16:01Z",
"severity": null
},
"details": "Services that are running and bound to the loopback interface on the Artica Proxy are accessible through the proxy service. In particular, the \"tailon\" service is running, running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Security issues associated with exposing this network service are documented at gvalkov\u0027s \u0027tailon\u0027 GitHub repo. Using the tailon service, the contents of any file on the Artica Proxy can be viewed.",
"id": "GHSA-8jfc-89mc-pjwm",
"modified": "2024-03-05T21:30:25Z",
"published": "2024-03-05T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2056"
},
{
"type": "WEB",
"url": "https://github.com/gvalkov/tailon#security"
},
{
"type": "WEB",
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/14"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8M7G-5HFV-C2JG
Vulnerability from github – Published: 2025-09-18 06:30 – Updated: 2025-09-18 18:30The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine. The risk can be partially mitigated by restricting access to the management network using external firewall.
{
"affected": [],
"aliases": [
"CVE-2023-49564"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T06:15:33Z",
"severity": "HIGH"
},
"details": "The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows attackers to reach restricted or sensitive endpoints of the HTTP API without providing any valid credentials. The root cause of this vulnerability lies in a weak verification mechanism within the authentication implementation present in the Nginx Podman container on the CBIS/NCS Manager host machine.\nThe risk can be partially mitigated by restricting access to the management network using external firewall.",
"id": "GHSA-8m7g-5hfv-c2jg",
"modified": "2025-09-18T18:30:26Z",
"published": "2025-09-18T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49564"
},
{
"type": "WEB",
"url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/CVE-2023-49564"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8P38-3423-M7Q8
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 15:30Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.
{
"affected": [],
"aliases": [
"CVE-2026-3214"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T16:16:22Z",
"severity": "MODERATE"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CAPTCHA allows Functionality Bypass.This issue affects CAPTCHA: from 0.0.0 before 1.17.0, from 2.0.0 before 2.0.10.",
"id": "GHSA-8p38-3423-m7q8",
"modified": "2026-03-26T15:30:33Z",
"published": "2026-03-25T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3214"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8PRX-VW4F-9Q7P
Vulnerability from github – Published: 2023-05-19 03:30 – Updated: 2024-04-04 04:14The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
{
"affected": [],
"aliases": [
"CVE-2023-2704"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-19T03:15:08Z",
"severity": "CRITICAL"
},
"details": "The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
"id": "GHSA-8prx-vw4f-9q7p",
"modified": "2024-04-04T04:14:57Z",
"published": "2023-05-19T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2704"
},
{
"type": "WEB",
"url": "https://lana.codes/lanavdb/1bd0dfd9-ffec-4d69-bc55-286751300cab"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/bp-social-connect/tags/1.5/includes/social/facebook/class.facebook.php#L138"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/bp-social-connect/tags/1.5/includes/social/facebook/class.facebook.php#L188"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2914042%40bp-social-connect%2Ftrunk\u0026old=1904372%40bp-social-connect%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file6"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44c96df2-530a-4ebe-b722-c606a7b135f9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PXV-CHRC-9C6J
Vulnerability from github – Published: 2026-05-20 06:31 – Updated: 2026-05-20 06:31NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denial of service, or information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-24206"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T04:16:45Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denial of service, or information disclosure.",
"id": "GHSA-8pxv-chrc-9c6j",
"modified": "2026-05-20T06:31:52Z",
"published": "2026-05-20T06:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24206"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24206"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8Q8M-RVGF-6QVC
Vulnerability from github – Published: 2026-04-02 09:30 – Updated: 2026-04-16 21:31SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password.
{
"affected": [],
"aliases": [
"CVE-2026-29139"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T09:16:22Z",
"severity": "HIGH"
},
"details": "SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password.",
"id": "GHSA-8q8m-rvgf-6qvc",
"modified": "2026-04-16T21:31:10Z",
"published": "2026-04-02T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29139"
},
{
"type": "WEB",
"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8QWF-P858-GVG4
Vulnerability from github – Published: 2024-04-08 15:30 – Updated: 2024-08-01 15:31TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function.
{
"affected": [],
"aliases": [
"CVE-2024-31814"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T13:15:08Z",
"severity": "HIGH"
},
"details": "TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function.",
"id": "GHSA-8qwf-p858-gvg4",
"modified": "2024-08-01T15:31:37Z",
"published": "2024-04-08T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31814"
},
{
"type": "WEB",
"url": "https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/Login_Bypass/bypass.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R96-X95V-Q4MH
Vulnerability from github – Published: 2026-01-08 12:30 – Updated: 2026-01-20 15:33Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through <= 1.1.3.
{
"affected": [],
"aliases": [
"CVE-2025-23504"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T10:15:48Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse.This issue affects Felan Framework: from n/a through \u003c= 1.1.3.",
"id": "GHSA-8r96-x95v-q4mh",
"modified": "2026-01-20T15:33:08Z",
"published": "2026-01-08T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23504"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.