CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-J5CW-4R7C-4VW8
Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords (OTP) to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3.
{
"affected": [],
"aliases": [
"CVE-2026-57867"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T06:16:22Z",
"severity": "HIGH"
},
"details": "MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords (OTP) to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3.",
"id": "GHSA-j5cw-4r7c-4vw8",
"modified": "2026-07-07T06:31:24Z",
"published": "2026-07-07T06:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57867"
},
{
"type": "WEB",
"url": "https://github.com/microrealestate/microrealestate"
},
{
"type": "WEB",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2026-57867"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J69J-3GV3-PWVG
Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-09 15:35In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.
{
"affected": [],
"aliases": [
"CVE-2026-30079"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T15:17:38Z",
"severity": "CRITICAL"
},
"details": "In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.",
"id": "GHSA-j69j-3gv3-pwvg",
"modified": "2026-04-09T15:35:05Z",
"published": "2026-04-07T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30079"
},
{
"type": "WEB",
"url": "https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J7HX-8FJX-QHRV
Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-01 18:32Authentication Bypass Using an Alternate Path or Channel vulnerability in www.vbsso.com vBSSO-lite allows Authentication Bypass.This issue affects vBSSO-lite: from n/a through 1.4.3.
{
"affected": [],
"aliases": [
"CVE-2024-54297"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-13T15:15:33Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in www.vbsso.com vBSSO-lite allows Authentication Bypass.This issue affects vBSSO-lite: from n/a through 1.4.3.",
"id": "GHSA-j7hx-8fjx-qhrv",
"modified": "2026-04-01T18:32:43Z",
"published": "2024-12-13T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54297"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/vbsso-lite/vulnerability/wordpress-vbsso-lite-plugin-1-4-3-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J7V2-6JX7-Q9XM
Vulnerability from github – Published: 2025-08-23 09:30 – Updated: 2025-08-23 09:30The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.0. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email.
{
"affected": [],
"aliases": [
"CVE-2025-5060"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-23T07:15:31Z",
"severity": "HIGH"
},
"details": "The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.0. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user\u0027s email.",
"id": "GHSA-j7v2-6jx7-q9xm",
"modified": "2025-08-23T09:30:22Z",
"published": "2025-08-23T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5060"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/graviton-construction-wordpress-theme/50429299"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c52f1a-2203-4abe-b777-064bd6fd1714?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J83Q-R8XW-CFM6
Vulnerability from github – Published: 2026-06-15 15:31 – Updated: 2026-06-15 15:31Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation.
This issue affects Faust.Js: from n/a through 1.8.7.
{
"affected": [],
"aliases": [
"CVE-2026-49062"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T14:16:35Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation.\n\nThis issue affects Faust.Js: from n/a through 1.8.7.",
"id": "GHSA-j83q-r8xw-cfm6",
"modified": "2026-06-15T15:31:33Z",
"published": "2026-06-15T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49062"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/faustwp/vulnerability/wordpress-faust-js-plugin-1-8-7-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8GG-P56J-XQC5
Vulnerability from github – Published: 2025-02-17 03:31 – Updated: 2025-02-17 03:31Authentication bypass using an alternate path or channel issue exists in ”RoboForm Password Manager" App for Android versions prior to 9.7.4, which may allow an attacker with access to a device where the application is installed to bypass the lock screen and obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-26700"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-17T03:15:09Z",
"severity": "MODERATE"
},
"details": "Authentication bypass using an alternate path or channel issue exists in \u201dRoboForm Password Manager\" App for Android versions prior to 9.7.4, which may allow an attacker with access to a device where the application is installed to bypass the lock screen and obtain sensitive information.",
"id": "GHSA-j8gg-p56j-xqc5",
"modified": "2025-02-17T03:31:12Z",
"published": "2025-02-17T03:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26700"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU92071645"
},
{
"type": "WEB",
"url": "https://www.roboform.com/news-android"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JC23-WH9W-86HG
Vulnerability from github – Published: 2026-05-26 21:32 – Updated: 2026-05-27 21:31AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-68711"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T21:16:36Z",
"severity": "LOW"
},
"details": "AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android\u0027s secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.",
"id": "GHSA-jc23-wh9w-86hg",
"modified": "2026-05-27T21:31:19Z",
"published": "2026-05-26T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68711"
},
{
"type": "WEB",
"url": "https://github.com/actuator/applock.passwordfingerprint.applockz"
},
{
"type": "WEB",
"url": "https://github.com/actuator/applock.passwordfingerprint.applockz/blob/main/CVE-2025-68711"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=applock.passwordfingerprint.applockz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JC6W-V2GH-GQX3
Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-02-01 03:30A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to access certain parts of the web interface that would normally require authentication.
{
"affected": [],
"aliases": [
"CVE-2023-20018"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T07:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco IP Phone 7800 and 8800 Series Phones could allow an unauthenticated, remote attacker to bypass authentication on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to access certain parts of the web interface that would normally require authentication.",
"id": "GHSA-jc6w-v2gh-gqx3",
"modified": "2023-02-01T03:30:29Z",
"published": "2023-01-20T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20018"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-auth-bypass-pSqxZRPR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JCWM-G9H6-HF43
Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2024-06-27 21:32An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue affects:
Session Smart Router:
- All versions before 5.6.15,
- from 6.0 before 6.1.9-lts,
- from 6.2 before 6.2.5-sts.
Session Smart Conductor:
- All versions before 5.6.15,
- from 6.0 before 6.1.9-lts,
- from 6.2 before 6.2.5-sts.
WAN Assurance Router:
- 6.0 versions before 6.1.9-lts,
- 6.2 versions before 6.2.5-sts.
{
"affected": [],
"aliases": [
"CVE-2024-2973"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T21:15:15Z",
"severity": "CRITICAL"
},
"details": "An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device.\nOnly routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability.\n\n\n\n\nNo other Juniper Networks products or platforms are affected by this issue.\n\n\n\n\n\nThis issue affects:\n\nSession Smart Router:\u00a0\n\n\n\n * All versions before 5.6.15,\u00a0\n * from 6.0 before 6.1.9-lts,\u00a0\n * from 6.2 before 6.2.5-sts.\n\n\n\nSession Smart Conductor:\u00a0\n\n\n\n * All versions before 5.6.15,\u00a0\n * from 6.0 before 6.1.9-lts,\u00a0\n * from 6.2 before 6.2.5-sts.\u00a0\n\n\n\nWAN Assurance Router:\u00a0\n\n\n\n * 6.0 versions before 6.1.9-lts,\u00a0\n * 6.2 versions before 6.2.5-sts.",
"id": "GHSA-jcwm-g9h6-hf43",
"modified": "2024-06-27T21:32:08Z",
"published": "2024-06-27T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2973"
},
{
"type": "WEB",
"url": "https://support.juniper.net/support/eol/software/ssr"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA83126"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JFXG-6GV4-F2GH
Vulnerability from github – Published: 2025-05-14 18:30 – Updated: 2025-11-03 21:33It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
{
"affected": [],
"aliases": [
"CVE-2025-3932"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T17:15:48Z",
"severity": "HIGH"
},
"details": "It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird \u003c 128.10.1 and Thunderbird \u003c 138.0.1.",
"id": "GHSA-jfxg-6gv4-f2gh",
"modified": "2025-11-03T21:33:54Z",
"published": "2025-05-14T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3932"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1960412"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.