CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-QWVG-F3GP-J7F2
Vulnerability from github – Published: 2025-08-13 18:31 – Updated: 2025-08-14 03:31In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
{
"affected": [],
"aliases": [
"CVE-2025-51452"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T16:15:32Z",
"severity": "CRITICAL"
},
"details": "In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm.",
"id": "GHSA-qwvg-f3gp-j7f2",
"modified": "2025-08-14T03:31:16Z",
"published": "2025-08-13T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51452"
},
{
"type": "WEB",
"url": "https://gist.github.com/lin-3-start/5b20f6fbe3aa0c3fc75f320cd589182a"
},
{
"type": "WEB",
"url": "https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/171/ids/36.html"
},
{
"type": "WEB",
"url": "http://a7000rfirmware.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX5F-GHC2-7G5C
Vulnerability from github – Published: 2026-05-05 21:11 – Updated: 2026-05-13 16:26Summary
Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment.
A related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.
Am I affected?
This vulnerability only affects deployments that use Fides's privacy request (data subject request) features, also known collectively as "Lethe". Deployments that do not submit, process, or manage privacy requests through Fides are not affected.
Within deployments that do use privacy request features, your deployment is affected if both of the following settings are effectively set to true:
subject_identity_verification_requiredprivacy_request_duplicate_detection.enabled
Both settings default to false.
Each setting can be configured in multiple places. If the same setting is configured in more than one place, Fides resolves conflicts in the following precedence order, highest priority first:
- Admin UI / configuration API - stored in the application database and applied at runtime
- Environment variables - read at webserver startup
fides.toml- read at webserver startup- Default value - used if none of the above set the value
To determine whether your deployment is affected, check each setting in every location that applies to your configuration management.
subject_identity_verification_required
fides.toml: under the[execution]section assubject_identity_verification_required = true- Environment variable:
FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED=true - No Admin UI control - this setting is not exposed through the Admin UI and cannot be set via the configuration API
privacy_request_duplicate_detection.enabled
fides.toml: under the[privacy_request_duplicate_detection]section asenabled = true- Environment variable:
FIDES__PRIVACY_REQUEST_DUPLICATE_DETECTION__ENABLED=true - Admin UI: Settings → Privacy requests → Duplicate detection, via the "Enable duplicate detection" toggle. The toggle reflects only values set through the Admin UI or configuration API. A value set via
fides.tomlor environment variable will not appear here.
Details
When duplicate detection classifies a privacy request as a duplicate before its identity has been verified, the administrative interface presents that request with Approve, Deny, and Delete options. An administrator performing routine duplicate request triage may approve such a request without realising the identity was never verified. The request is then processed as if verification had succeeded.
An attacker exploits this by submitting two privacy requests using a target's email address, never completing the OTP verification. The second request is classified as a duplicate and becomes approvable through the administrative interface.
The fix for this vulnerability also patches a lower-severity issue, present in versions 2.82.0 through 2.83.1, in which a legitimate data subject could not complete identity verification on a privacy request that had been classified as a duplicate, allowing an unauthenticated attacker to block that data subject from exercising their privacy rights through the affected deployment.
Impact
An unauthenticated attacker who knows a target's email address and can reach the public Privacy Center can cause an erasure privacy request to be approved by an administrator and processed without identity verification. The result is unauthorized deletion of the data subject's records across every integration configured in the affected deployment. Effects may be permanent and may cascade into downstream systems.
Access privacy requests are a less meaningful vector: the resulting access package is delivered to the data subject's registered email address, not to the attacker, so the attacker does not gain the data. The request still represents unauthorized processing.
Patches
The vulnerabilities have been patched in Fides OSS version 2.83.2. Users are advised to upgrade to this version or later to secure their systems against these threats.
Fides Enterprise (fidesplus) version 2.83.2 contains the same patch.
Workarounds
Disable duplicate detection by setting privacy_request_duplicate_detection.enabled to false. This can be changed under Settings → Privacy Requests → Duplicate detection in the Admin UI). This fully mitigates the vulnerability and is the recommended interim workaround for deployments that cannot immediately upgrade.
The "Enable duplicate detection" toggle when it's disabled, under Settings → Privacy requests in the Admin UI.
Administrators of deployments that must retain duplicate detection should deny or delete, rather than approve, any privacy request whose identity has not been verified. This reduces the likelihood of exploitation but relies on administrator vigilance during each triage action.
Severity
This vulnerability has been assigned a severity of MEDIUM.
The rating reflects the fact that exploitation requires an administrator to approve the malicious request. An attacker alone cannot cause a privacy request to be processed. The administrative interface understates the verification state of a duplicate-classified request, which increases the likelihood of inadvertent approval during routine triage, but without administrator user interaction the vulnerability is not exploitable.
The related denial-of-service issue addressed in the same patch is also rated medium-severity in isolation and does not raise the overall severity of this advisory.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ethyca-fides"
},
"ranges": [
{
"events": [
{
"introduced": "2.75.0"
},
{
"fixed": "2.83.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42303"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306",
"CWE-841"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:11:37Z",
"nvd_published_at": "2026-05-12T18:17:24Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nFides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject\u0027s records across every integration configured in the affected deployment.\n\nA related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.\n\n### Am I affected?\n\nThis vulnerability only affects deployments that use Fides\u0027s privacy request (data subject request) features, also known collectively as \"Lethe\". Deployments that do not submit, process, or manage privacy requests through Fides are not affected.\n\nWithin deployments that do use privacy request features, your deployment is affected if both of the following settings are effectively set to `true`:\n\n- `subject_identity_verification_required`\n- `privacy_request_duplicate_detection.enabled`\n\nBoth settings default to `false`.\n\nEach setting can be configured in multiple places. If the same setting is configured in more than one place, Fides resolves conflicts in the following precedence order, highest priority first:\n\n1. **Admin UI / configuration API** - stored in the application database and applied at runtime\n2. **Environment variables** - read at webserver startup\n3. **`fides.toml`** - read at webserver startup\n4. **Default value** - used if none of the above set the value\n\nTo determine whether your deployment is affected, check each setting in every location that applies to your configuration management.\n\n**`subject_identity_verification_required`**\n\n- `fides.toml`: under the `[execution]` section as `subject_identity_verification_required = true`\n- Environment variable: `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED=true`\n- No Admin UI control - this setting is not exposed through the Admin UI and cannot be set via the configuration API\n\n**`privacy_request_duplicate_detection.enabled`**\n\n- `fides.toml`: under the `[privacy_request_duplicate_detection]` section as `enabled = true`\n- Environment variable: `FIDES__PRIVACY_REQUEST_DUPLICATE_DETECTION__ENABLED=true`\n- Admin UI: **Settings \u2192 Privacy requests \u2192 Duplicate detection**, via the \"Enable duplicate detection\" toggle. The toggle reflects only values set through the Admin UI or configuration API. A value set via `fides.toml` or environment variable will not appear here.\n\n\u003cfigure\u003e\n\u003cimg width=\"1392\" height=\"940\" alt=\"GHSA - Duplicate Detection Enabled\" src=\"https://github.com/user-attachments/assets/e384f273-ce68-403c-adb2-93536eca5f3a\" /\u003e\n\u003cfigcaption\u003e\n\u003cem\u003e\nThe \"Enable duplicate detection\" toggle when it\u0027s enabled, under Settings \u2192 Privacy requests in the Admin UI.\n\u003c/em\u003e\n\u003c/figcaption\u003e\n\u003c/figure\u003e\n\n### Details\n\nWhen duplicate detection classifies a privacy request as a duplicate before its identity has been verified, the administrative interface presents that request with Approve, Deny, and Delete options. An administrator performing routine duplicate request triage may approve such a request without realising the identity was never verified. The request is then processed as if verification had succeeded.\n\nAn attacker exploits this by submitting two privacy requests using a target\u0027s email address, never completing the OTP verification. The second request is classified as a duplicate and becomes approvable through the administrative interface.\n\nThe fix for this vulnerability also patches a lower-severity issue, present in versions `2.82.0` through `2.83.1`, in which a legitimate data subject could not complete identity verification on a privacy request that had been classified as a duplicate, allowing an unauthenticated attacker to block that data subject from exercising their privacy rights through the affected deployment.\n\n### Impact\n\nAn unauthenticated attacker who knows a target\u0027s email address and can reach the public Privacy Center can cause an erasure privacy request to be approved by an administrator and processed without identity verification. The result is unauthorized deletion of the data subject\u0027s records across every integration configured in the affected deployment. Effects may be permanent and may cascade into downstream systems.\n\nAccess privacy requests are a less meaningful vector: the resulting access package is delivered to the data subject\u0027s registered email address, not to the attacker, so the attacker does not gain the data. The request still represents unauthorized processing.\n\n### Patches\n\nThe vulnerabilities have been patched in Fides OSS version `2.83.2`. Users are advised to upgrade to this version or later to secure their systems against these threats.\n\nFides Enterprise (fidesplus) version `2.83.2` contains the same patch.\n\n### Workarounds\n\nDisable duplicate detection by setting `privacy_request_duplicate_detection.enabled` to `false`. This can be changed under **Settings \u2192 Privacy Requests \u2192 Duplicate detection** in the Admin UI). This fully mitigates the vulnerability and is the recommended interim workaround for deployments that cannot immediately upgrade.\n\n\u003cfigure\u003e\n\u003cp\u003e\n\u003cimg width=\"1392\" height=\"880\" alt=\"GHSA - Disable Duplicate Detection\" src=\"https://github.com/user-attachments/assets/fc0c87a1-7e40-4698-ba9e-e1721f591310\" /\u003e\n\u003cfigcaption\u003e\n\u003cem\u003e\nThe \"Enable duplicate detection\" toggle when it\u0027s disabled, under Settings \u2192 Privacy requests in the Admin UI.\n\u003c/em\u003e\n\u003c/figcaption\u003e\n\u003cp\u003e\n\u003c/figure\u003e\n\nAdministrators of deployments that must retain duplicate detection should deny or delete, rather than approve, any privacy request whose identity has not been verified. This reduces the likelihood of exploitation but relies on administrator vigilance during each triage action.\n\n\u003cimg width=\"1392\" height=\"1044\" alt=\"GHSA - Admin Approval of Unverified Privacy Request\" src=\"https://github.com/user-attachments/assets/b2ad4940-40d3-468b-897e-8cca6ce4707e\" /\u003e\n\u003cfigcaption\u003e\n\u003cem\u003e\nAn administrator\u0027s view when approving an unverified privacy request in the Admin UI.\n\u003c/em\u003e\n\u003c/figcaption\u003e\n\u003c/figure\u003e\n\n### Severity\n\nThis vulnerability has been assigned a severity of **MEDIUM**.\n\nThe rating reflects the fact that exploitation requires an administrator to approve the malicious request. An attacker alone cannot cause a privacy request to be processed. The administrative interface understates the verification state of a duplicate-classified request, which increases the likelihood of inadvertent approval during routine triage, but without administrator user interaction the vulnerability is not exploitable.\n\nThe related denial-of-service issue addressed in the same patch is also rated medium-severity in isolation and does not raise the overall severity of this advisory.\n\n### References\n\n- Fides OSS `2.83.2` release: https://github.com/ethyca/fides/releases/tag/2.83.2\n- Fix for the identity bypass vulnerability: [PR #7972](https://github.com/ethyca/fides/pull/7972), commit [`e7a6527`](https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd)\n- Fix for the related denial-of-service issue: [PR #7971](https://github.com/ethyca/fides/pull/7971), commit [`0e320b2`](https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37)",
"id": "GHSA-qx5f-ghc2-7g5c",
"modified": "2026-05-13T16:26:42Z",
"published": "2026-05-05T21:11:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42303"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/pull/7971"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/pull/7972"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethyca/fides"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/releases/tag/2.83.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection"
}
GHSA-R2J9-RJWP-GQ2X
Vulnerability from github – Published: 2026-02-10 09:30 – Updated: 2026-02-10 09:30Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality.
{
"affected": [],
"aliases": [
"CVE-2026-2096"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T07:16:14Z",
"severity": "CRITICAL"
},
"details": "Agentflow developed by Flowring has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality.",
"id": "GHSA-r2j9-rjwp-gq2x",
"modified": "2026-02-10T09:30:27Z",
"published": "2026-02-10T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2096"
},
{
"type": "WEB",
"url": "https://forum.flowring.com/post/view?bid=72\u0026id=45611\u0026tpg=1\u0026ppg=1\u0026sty=1#45939"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10700-3534d-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10699-49c0b-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R2P2-9V38-JGQG
Vulnerability from github – Published: 2024-11-26 09:30 – Updated: 2025-11-04 18:31"sessionlist.html" and "sys_trayentryreboot.html" are accessible with no authentication. "sessionlist.html" provides logged-in users' session information including session cookies, and "sys_trayentryreboot.html" allows to reboot the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
{
"affected": [],
"aliases": [
"CVE-2024-33610"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T08:15:05Z",
"severity": "CRITICAL"
},
"details": "\"sessionlist.html\" and \"sys_trayentryreboot.html\" are accessible with no authentication. \"sessionlist.html\" provides logged-in users\u0027 session information including session cookies, and \"sys_trayentryreboot.html\" allows to reboot the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].",
"id": "GHSA-r2p2-9v38-jgqg",
"modified": "2025-11-04T18:31:30Z",
"published": "2024-11-26T09:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33610"
},
{
"type": "WEB",
"url": "https://global.sharp/products/copier/info/info_security_2024-05.html"
},
{
"type": "WEB",
"url": "https://jp.sharp/business/print/information/info_security_2024-05.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93051062"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.co.jp/information/20240531_02.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/20240531_02.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R33H-M6Q3-6VR3
Vulnerability from github – Published: 2026-03-19 09:30 – Updated: 2026-04-28 21:35Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through 1.2.6.
{
"affected": [],
"aliases": [
"CVE-2026-25471"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-19T08:16:19Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through 1.2.6.",
"id": "GHSA-r33h-m6q3-6vr3",
"modified": "2026-04-28T21:35:59Z",
"published": "2026-03-19T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25471"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/admin-safety-guard/vulnerability/wordpress-admin-safety-guard-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R827-RRRF-HQ75
Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-05-20 18:31An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.
{
"affected": [],
"aliases": [
"CVE-2026-8598"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T16:16:27Z",
"severity": "CRITICAL"
},
"details": "An undocumented configuration export port is accessible on some models \nof ZKTeco CCTV cameras. This port does not require authentication and \nexposes critical information about the camera such as open services and \ncamera account credentials.",
"id": "GHSA-r827-rrrf-hq75",
"modified": "2026-05-20T18:31:35Z",
"published": "2026-05-20T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8598"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-04.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04"
},
{
"type": "WEB",
"url": "https://www.zkteco.com/en/announcement/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R889-QG9M-H7H4
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an authentication bypass through an alternative path or channel. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2026-47481"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:03Z",
"severity": "MODERATE"
},
"details": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an authentication bypass through an alternative path or channel. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.",
"id": "GHSA-r889-qg9m-h7h4",
"modified": "2026-07-14T21:32:17Z",
"published": "2026-07-14T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47481"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RF6H-5GPW-QRGQ
Vulnerability from github – Published: 2026-03-29 15:49 – Updated: 2026-04-10 17:25Summary
MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Microsoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized senders. Commit c5415a474bb085404c20f8b312e436997977b1ea applies the same DM and group authorization checks to feedback invokes.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit c5415a474bb085404c20f8b312e436997977b1ea.
Fix Commit(s)
c5415a474bb085404c20f8b312e436997977b1ea
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35654"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:49:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nMS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nMicrosoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized senders. Commit `c5415a474bb085404c20f8b312e436997977b1ea` applies the same DM and group authorization checks to feedback invokes.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `c5415a474bb085404c20f8b312e436997977b1ea`.\n\n## Fix Commit(s)\n\n- `c5415a474bb085404c20f8b312e436997977b1ea`",
"id": "GHSA-rf6h-5gpw-qrgq",
"modified": "2026-04-10T17:25:07Z",
"published": "2026-03-29T15:49:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback"
}
GHSA-RFMJ-78J3-H4XF
Vulnerability from github – Published: 2024-03-05 21:30 – Updated: 2024-08-26 18:33The "Rich Filemanager" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user.
{
"affected": [],
"aliases": [
"CVE-2024-2055"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-05T20:16:01Z",
"severity": "CRITICAL"
},
"details": "The \"Rich Filemanager\" feature of Artica Proxy provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user.",
"id": "GHSA-rfmj-78j3-h4xf",
"modified": "2024-08-26T18:33:32Z",
"published": "2024-03-05T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2055"
},
{
"type": "WEB",
"url": "https://korelogic.com/Resources/Advisories/KL-001-2024-003.txt"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RGQX-F26C-5V58
Vulnerability from github – Published: 2025-07-26 06:30 – Updated: 2025-07-26 06:30The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
{
"affected": [],
"aliases": [
"CVE-2025-6895"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-26T05:15:25Z",
"severity": "CRITICAL"
},
"details": "The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.",
"id": "GHSA-rgqx-f26c-5v58",
"modified": "2025-07-26T06:30:33Z",
"published": "2025-07-26T06:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6895"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/class-melapress-login-security.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/modules/temporary-logins/class-temporary-logins.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3328137"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/melapress-login-security/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.