CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-PRGF-4JMG-R3V9
Vulnerability from github – Published: 2025-02-07 03:32 – Updated: 2025-02-07 03:32Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system. This grants them unauthorized administrative access to protected areas of the application, compromising the device's system security.
{
"affected": [],
"aliases": [
"CVE-2025-0674"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-07T00:15:27Z",
"severity": "CRITICAL"
},
"details": "Multiple Elber products are affected by an authentication bypass \nvulnerability which allows unauthorized access to the password \nmanagement functionality. Attackers can exploit this issue by \nmanipulating the endpoint to overwrite any user\u0027s password within the \nsystem. This grants them unauthorized administrative access to protected\n areas of the application, compromising the device\u0027s system security.",
"id": "GHSA-prgf-4jmg-r3v9",
"modified": "2025-02-07T03:32:03Z",
"published": "2025-02-07T03:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0674"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-035-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PV5X-HH3R-86W9
Vulnerability from github – Published: 2026-02-04 21:30 – Updated: 2026-02-05 00:31Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
{
"affected": [],
"aliases": [
"CVE-2026-0948"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T21:15:59Z",
"severity": "MODERATE"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.",
"id": "GHSA-pv5x-hh3r-86w9",
"modified": "2026-02-05T00:31:00Z",
"published": "2026-02-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0948"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVCV-Q3Q7-266G
Vulnerability from github – Published: 2025-12-09 17:19 – Updated: 2026-06-08 20:07A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.
If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "filament/filament"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67507"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-09T17:19:10Z",
"nvd_published_at": "2025-12-10T01:15:52Z",
"severity": "HIGH"
},
"details": "A flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused indefinitely. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled.\n\nIf an attacker gains access to both the user\u0027s password and their recovery codes, they can repeatedly complete MFA without the user\u0027s app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.",
"id": "GHSA-pvcv-q3q7-266g",
"modified": "2026-06-08T20:07:14Z",
"published": "2025-12-09T17:19:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67507"
},
{
"type": "WEB",
"url": "https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815"
},
{
"type": "PACKAGE",
"url": "https://github.com/filamentphp/filament"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Filament multi-factor authentication (app) recovery codes can be used multiple times"
}
GHSA-PVPX-MQP7-546V
Vulnerability from github – Published: 2025-11-27 06:31 – Updated: 2025-11-27 06:31The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.
{
"affected": [],
"aliases": [
"CVE-2025-13539"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-27T05:16:13Z",
"severity": "CRITICAL"
},
"details": "The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the \u0027findall_membership_check_facebook_user\u0027 and the \u0027findall_membership_check_google_user\u0027 functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user\u0027s email.",
"id": "GHSA-pvpx-mqp7-546v",
"modified": "2025-11-27T06:31:25Z",
"published": "2025-11-27T06:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13539"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/findall-business-directory-theme/24415962"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PW9V-F8VG-XPG6
Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3.
{
"affected": [],
"aliases": [
"CVE-2025-60041"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T15:15:56Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through \u003c= 3.5.3.",
"id": "GHSA-pw9v-f8vg-xpg6",
"modified": "2026-01-20T15:31:29Z",
"published": "2025-10-22T15:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60041"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/emails-catch-all/vulnerability/wordpress-emails-catch-all-plugin-3-5-3-broken-authentication-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/emails-catch-all/vulnerability/wordpress-emails-catch-all-plugin-3-5-3-broken-authentication-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/emails-catch-all/vulnerability/wordpress-emails-catch-all-plugin-3-5-3-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PXQ7-H93F-9JRG
Vulnerability from github – Published: 2026-04-15 19:24 – Updated: 2026-04-24 20:40Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
- Use of
skip_auth_routesor the legacyskip_auth_regex* Use of patterns that can be widened by attacker-controlled suffixes, such as^/foo/.*/bar$causing potential exposure of/foo/secret* Protected upstream applications that interpret#as a fragment delimiter or otherwise route the request to the protected base path
In deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form %23, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.
Deployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, ARE NOT affected.
Patches
A fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.
Released as part of v7.15.2
Workarounds
Users who cannot upgrade immediately can reduce exposure by tightening or removing skip_auth_routes and skip_auth_regex rules, especially patterns that use broad wildcards across path segments.
Recommended mitigations:
- Replace broad rules with exact, anchored public paths and explicit HTTP methods
- Reject requests whose path contains
%23or#at the ingress, load balancer, or WAF level - Avoid placing sensitive application paths behind broad
skip_auth_routesrules
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/oauth2-proxy/oauth2-proxy/v7"
},
"ranges": [
{
"events": [
{
"introduced": "7.5.0"
},
{
"fixed": "7.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41059"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:24:13Z",
"nvd_published_at": "2026-04-22T00:16:27Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n* Use of `skip_auth_routes` or the legacy `skip_auth_regex` * Use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/bar$` causing potential exposure of `/foo/secret` * Protected upstream applications that interpret `#` as a fragment delimiter or otherwise route the request to the protected base path\n\nIn deployments that rely on these settings, an unauthenticated attacker can send a crafted request containing a number sign in the path, including the browser-safe encoded form `%23`, so that OAuth2 Proxy matches a public allowlist rule while the backend serves a protected resource.\n\nDeployments that do not use these skip-auth options, or that only allow exact public paths with tightly scoped method and path rules, **ARE NOT** affected.\n\n### Patches\n\nA fix has been implemented to normalize request paths more conservatively before skip-auth matching so fragment content does not influence allowlist decisions.\n\nReleased as part of `v7.15.2`\n\n### Workarounds\n\nUsers who cannot upgrade immediately can reduce exposure by tightening or removing `skip_auth_routes` and `skip_auth_regex` rules, especially patterns that use broad wildcards across path segments.\n\nRecommended mitigations:\n\n* Replace broad rules with exact, anchored public paths and explicit HTTP methods\n* Reject requests whose path contains `%23` or `#` at the ingress, load balancer, or WAF level\n* Avoid placing sensitive application paths behind broad `skip_auth_routes` rules",
"id": "GHSA-pxq7-h93f-9jrg",
"modified": "2026-04-24T20:40:56Z",
"published": "2026-04-15T19:24:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41059"
},
{
"type": "PACKAGE",
"url": "https://github.com/oauth2-proxy/oauth2-proxy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex"
}
GHSA-Q342-7M92-3WGM
Vulnerability from github – Published: 2023-01-03 03:30 – Updated: 2025-04-10 15:31In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
{
"affected": [],
"aliases": [
"CVE-2022-3614"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-03T02:15:00Z",
"severity": "MODERATE"
},
"details": "In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.",
"id": "GHSA-q342-7m92-3wgm",
"modified": "2025-04-10T15:31:22Z",
"published": "2023-01-03T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3614"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2022/sa2022-26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q52P-775J-HJV8
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-01 18:35Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce allows Authentication Abuse. This issue affects Subaccounts for WooCommerce: from n/a through 1.6.6.
{
"affected": [],
"aliases": [
"CVE-2025-47461"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T13:15:38Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce allows Authentication Abuse. This issue affects Subaccounts for WooCommerce: from n/a through 1.6.6.",
"id": "GHSA-q52p-775j-hjv8",
"modified": "2026-04-01T18:35:15Z",
"published": "2025-05-23T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47461"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/subaccounts-for-woocommerce/vulnerability/wordpress-subaccounts-for-woocommerce-plugin-1-6-6-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q579-MCRQ-Q4VR
Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-05 00:31DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.
{
"affected": [],
"aliases": [
"CVE-2025-66238"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T22:15:49Z",
"severity": "HIGH"
},
"details": "DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance\u0027s virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine.",
"id": "GHSA-q579-mcrq-q4vr",
"modified": "2025-12-05T00:31:05Z",
"published": "2025-12-05T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66238"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q5JM-5P84-M8RP
Vulnerability from github – Published: 2025-06-12 06:30 – Updated: 2025-06-12 06:30The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know user's email address. This is only exploitable fi the user's confirmation_key has not already been set by the plugin.
{
"affected": [],
"aliases": [
"CVE-2025-4973"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T06:15:23Z",
"severity": "CRITICAL"
},
"details": "The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user\u0027s identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know user\u0027s email address. This is only exploitable fi the user\u0027s confirmation_key has not already been set by the plugin.",
"id": "GHSA-q5jm-5p84-m8rp",
"modified": "2025-06-12T06:30:28Z",
"published": "2025-06-12T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4973"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454#item-description__release-3-3-2-23-may-2025"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e7693a3-642a-4eff-902c-d29a3c12deb0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.