CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-9WQX-G2CW-VC7R
Vulnerability from github – Published: 2026-03-27 22:31 – Updated: 2026-04-10 17:21Summary
Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Matrix verification notices previously bypassed DM access checks and could reply to peers that were unpaired or otherwise outside the allowed DM policy. Commit 2383daf5c4a4e08d9553e0e949552ad755ef9ec2 gates verification notices on DM access before sending.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit 2383daf5c4a4e08d9553e0e949552ad755ef9ec2.
Fix Commit(s)
2383daf5c4a4e08d9553e0e949552ad755ef9ec2
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.3.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35647"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T22:31:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nMatrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nMatrix verification notices previously bypassed DM access checks and could reply to peers that were unpaired or otherwise outside the allowed DM policy. Commit `2383daf5c4a4e08d9553e0e949552ad755ef9ec2` gates verification notices on DM access before sending.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `2383daf5c4a4e08d9553e0e949552ad755ef9ec2`.\n\n## Fix Commit(s)\n\n- `2383daf5c4a4e08d9553e0e949552ad755ef9ec2`",
"id": "GHSA-9wqx-g2cw-vc7r",
"modified": "2026-04-10T17:21:40Z",
"published": "2026-03-27T22:31:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers"
}
GHSA-9X97-7GH3-F487
Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-04-04 05:45The iBoot device’s basic discovery protocol assists in initial device configuration. The discovery protocol shows basic information about devices on the network and allows users to perform configuration changes.
{
"affected": [],
"aliases": [
"CVE-2022-47320"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-22T23:15:09Z",
"severity": "HIGH"
},
"details": "The iBoot device\u2019s basic discovery protocol assists in initial device configuration. The discovery protocol shows basic information about devices on the network and allows users to perform configuration changes.",
"id": "GHSA-9x97-7gh3-f487",
"modified": "2024-04-04T05:45:34Z",
"published": "2023-07-06T21:15:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47320"
},
{
"type": "WEB",
"url": "https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C2HR-CQG6-8J6R
Vulnerability from github – Published: 2024-07-01 18:35 – Updated: 2024-07-02 02:40Impact
This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.
Patches
The algorithm to detect SQL injection has been improved.
Workarounds
None.
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r
- https://github.com/parse-community/parse-server/pull/9167 (fix for Parse Server 7)
- https://github.com/parse-community/parse-server/pull/9168 (fix for Parse Server 6)
Credits
- Smile Thanapattheerakul of Trend Micro (finder)
- Manuel Trezza (coordinator)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39309"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-01T18:35:04Z",
"nvd_published_at": "2024-07-01T22:15:03Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThis vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.\n\n### Patches\n\nThe algorithm to detect SQL injection has been improved.\n\n### Workarounds\n\nNone.\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r\n- https://github.com/parse-community/parse-server/pull/9167 (fix for Parse Server 7)\n- https://github.com/parse-community/parse-server/pull/9168 (fix for Parse Server 6)\n\n### Credits\n\n- Smile Thanapattheerakul of Trend Micro (finder)\n- Manuel Trezza (coordinator)",
"id": "GHSA-c2hr-cqg6-8j6r",
"modified": "2024-07-02T02:40:41Z",
"published": "2024-07-01T18:35:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39309"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/9167"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/9168"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/f332d54577608c5ad927255e06d8c694e2e0ff5b"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability"
}
GHSA-C379-GMCC-4R2M
Vulnerability from github – Published: 2024-11-12 12:32 – Updated: 2024-11-12 12:32The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. This is due to incorrect authentication and capability checking in the 'rl_do_ajax' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
{
"affected": [],
"aliases": [
"CVE-2024-10245"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T10:15:04Z",
"severity": "CRITICAL"
},
"details": "The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. This is due to incorrect authentication and capability checking in the \u0027rl_do_ajax\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.",
"id": "GHSA-c379-gmcc-4r2m",
"modified": "2024-11-12T12:32:34Z",
"published": "2024-11-12T12:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10245"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/relais-2fa/trunk/relais.php?rev=2439540#L39"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d476336-e997-4379-a8f6-963ae22b2417?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C3XM-4WH2-JMCG
Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-13 18:30An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.
{
"affected": [],
"aliases": [
"CVE-2025-22462"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T16:15:28Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.",
"id": "GHSA-c3xm-4wh2-jmcg",
"modified": "2025-05-13T18:30:52Z",
"published": "2025-05-13T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22462"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-on-premises-only-CVE-2025-22462"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C566-V3FV-6G65
Vulnerability from github – Published: 2025-10-15 09:30 – Updated: 2025-10-15 09:30The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
{
"affected": [],
"aliases": [
"CVE-2025-10294"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T09:15:39Z",
"severity": "CRITICAL"
},
"details": "The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.",
"id": "GHSA-c566-v3fv-6g65",
"modified": "2025-10-15T09:30:18Z",
"published": "2025-10-15T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10294"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/ownid-passwordless-login"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C83W-FG37-X4J7
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions.
{
"affected": [],
"aliases": [
"CVE-2026-40781"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:16:50Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Authentication in ReviewX \u003c= 2.3.6 versions.",
"id": "GHSA-c83w-fg37-x4j7",
"modified": "2026-06-15T21:30:46Z",
"published": "2026-06-15T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40781"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/reviewx/vulnerability/wordpress-reviewx-plugin-2-3-6-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C8WX-V976-XHGJ
Vulnerability from github – Published: 2023-10-20 09:30 – Updated: 2024-04-04 08:49The WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthenticated settings export in versions up to, and including, 2.4.1. This is due to missing authorization on the export() function which makes makes it possible for unauthenticated attackers to export the plugin's settings.
{
"affected": [],
"aliases": [
"CVE-2021-4353"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-20T07:15:14Z",
"severity": "MODERATE"
},
"details": "The WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthenticated settings export in versions up to, and including, 2.4.1. This is due to missing authorization on the export() function which makes makes it possible for unauthenticated attackers to export the plugin\u0027s settings.",
"id": "GHSA-c8wx-v976-xhgj",
"modified": "2024-04-04T08:49:34Z",
"published": "2023-10-20T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4353"
},
{
"type": "WEB",
"url": "https://blog.nintechnet.com/woocommerce-dynamic-pricing-and-discounts-plugin-fixed-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c1e6685-44a7-452e-89ab-b9fffb65a12b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CFV5-944V-WGJM
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-12 18:30An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username.
{
"affected": [],
"aliases": [
"CVE-2025-67039"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T17:16:52Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses \"admin\" as the username.",
"id": "GHSA-cfv5-944v-wgjm",
"modified": "2026-03-12T18:30:30Z",
"published": "2026-03-11T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67039"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02"
},
{
"type": "WEB",
"url": "http://eds3000ps.com"
},
{
"type": "WEB",
"url": "http://lantronix.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CG3J-75XH-7FV3
Vulnerability from github – Published: 2024-02-21 18:31 – Updated: 2024-02-21 21:30ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel
vulnerability, which may allow an attacker direct access to confidential information or
critical systems.
{
"affected": [],
"aliases": [
"CVE-2024-1709"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T16:15:50Z",
"severity": "CRITICAL"
},
"details": "ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel\n\n vulnerability, which may allow an attacker direct access to confidential information or \n\ncritical systems.\n\n",
"id": "GHSA-cg3j-75xh-7fv3",
"modified": "2024-02-21T21:30:24Z",
"published": "2024-02-21T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1709"
},
{
"type": "WEB",
"url": "https://github.com/rapid7/metasploit-framework/pull/18870"
},
{
"type": "WEB",
"url": "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc"
},
{
"type": "WEB",
"url": "https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit"
},
{
"type": "WEB",
"url": "https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw"
},
{
"type": "WEB",
"url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
},
{
"type": "WEB",
"url": "https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive"
},
{
"type": "WEB",
"url": "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass"
},
{
"type": "WEB",
"url": "https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2"
},
{
"type": "WEB",
"url": "https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8"
},
{
"type": "WEB",
"url": "https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.