Common Weakness Enumeration

CWE-294

Allowed

Authentication Bypass by Capture-replay

Abstraction: Base · Status: Incomplete

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

342 vulnerabilities reference this CWE, most recent first.

GHSA-HHQ4-97C2-P447

Vulnerability from github – Published: 2026-04-02 20:59 – Updated: 2026-05-06 02:40
VLAI
Summary
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
Details

Summary

Zalo webhook replay cache cross-target messageId scope bypass

Current Maintainer Triage

  • Status: narrow
  • Normalized severity: low
  • Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 4d038bb242c11f39e45f6a4bde400e5fd42e4ebf — 2026-03-31T19:33:57+09:00

Release Process Note

  • The fix is already present in released version 2026.3.31.
  • This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @smaeljaish771 for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T20:59:11Z",
    "nvd_published_at": "2026-04-28T19:37:43Z",
    "severity": "LOW"
  },
  "details": "## Summary\nZalo webhook replay cache cross-target messageId scope bypass\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` \u2014 2026-03-31T19:33:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
  "id": "GHSA-hhq4-97c2-p447",
  "modified": "2026-05-06T02:40:21Z",
  "published": "2026-04-02T20:59:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41402"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass"
}

GHSA-HJCG-4H7X-VMJ6

Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-18 00:01
VLAI
Details

A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.

Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-09T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.\n\nAffected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)",
  "id": "GHSA-hjcg-4h7x-vmj6",
  "modified": "2022-03-18T00:01:28Z",
  "published": "2022-03-10T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22806"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2022-067-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJQG-7WQ4-XVWX

Vulnerability from github – Published: 2024-04-19 18:31 – Updated: 2024-07-03 18:36
VLAI
Details

An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-19T18:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages.",
  "id": "GHSA-hjqg-7wq4-xvwx",
  "modified": "2024-07-03T18:36:13Z",
  "published": "2024-04-19T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blinkfox/hexo-theme-matery/issues/897"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWJ7-FRGJ-7829

Vulnerability from github – Published: 2023-03-21 06:30 – Updated: 2023-03-23 16:30
VLAI
Summary
Answer vulnerable to Authentication Bypass by Capture-replay
Details

Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/answerdev/answer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:32:10Z",
    "nvd_published_at": "2023-03-21T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.",
  "id": "GHSA-hwj7-frgj-7829",
  "modified": "2023-03-23T16:30:20Z",
  "published": "2023-03-21T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/answerdev/answer/commit/813ad0b9894673b1bdd489a2e9ab60a44fe990af"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/answerdev/answer"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/171cde18-a447-446c-a9ab-297953ad9b86"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Answer vulnerable to Authentication Bypass by Capture-replay"
}

GHSA-HWMR-XJ5R-936P

Vulnerability from github – Published: 2026-03-29 15:30 – Updated: 2026-03-29 15:30
VLAI
Details

OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-29T13:17:02Z",
    "severity": "CRITICAL"
  },
  "details": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.",
  "id": "GHSA-hwmr-xj5r-936p",
  "modified": "2026-03-29T15:30:19Z",
  "published": "2026-03-29T15:30:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J56C-WPQM-H24X

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 20:18
VLAI
Summary
Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:18:47Z",
    "nvd_published_at": "2026-04-09T22:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.",
  "id": "GHSA-j56c-wpqm-h24x",
  "modified": "2026-04-10T20:18:47Z",
  "published": "2026-04-10T00:30:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants",
  "withdrawn": "2026-04-10T20:18:47Z"
}

GHSA-J6M4-4C94-5XFW

Vulnerability from github – Published: 2024-01-11 21:31 – Updated: 2024-01-19 15:30
VLAI
Details

The remote keyless system of the Hozard alarm system (alarmsystemen) v1.0 sends an identical radio frequency signal for each request, which results in an attacker being able to conduct replay attacks to bring the alarm system to a disarmed state.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-11T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The remote keyless system of the Hozard alarm system (alarmsystemen) v1.0 sends an identical radio frequency signal for each request, which results in an attacker being able to conduct replay attacks to bring the alarm system to a disarmed state.",
  "id": "GHSA-j6m4-4c94-5xfw",
  "modified": "2024-01-19T15:30:18Z",
  "published": "2024-01-11T21:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50128"
    },
    {
      "type": "WEB",
      "url": "https://www.secura.com/services/iot/consumer-products/security-concerns-in-popular-smart-home-devices"
    },
    {
      "type": "WEB",
      "url": "http://hozard.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J7R7-7QMF-XQ87

Vulnerability from github – Published: 2025-10-29 15:31 – Updated: 2025-11-05 20:51
VLAI
Summary
Jenkins SAML Plugin does not implement a replay cache
Details

Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.

This allows attackers able to obtain information about the SAML authentication flow between a user’s web browser and Jenkins to replay those requests, authenticating to Jenkins as that user.

SAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache that rejects replayed requests.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.583.585.v22ccc1139f55"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T22:03:43Z",
    "nvd_published_at": "2025-10-29T14:15:57Z",
    "severity": "HIGH"
  },
  "details": "Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.\n\nThis allows attackers able to obtain information about the SAML authentication flow between a user\u2019s web browser and Jenkins to replay those requests, authenticating to Jenkins as that user.\n\nSAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache that rejects replayed requests.",
  "id": "GHSA-j7r7-7qmf-xq87",
  "modified": "2025-11-05T20:51:56Z",
  "published": "2025-10-29T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64131"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/saml-plugin/commit/6170b1013daf52770de29a66aeb57893aae1d7d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/saml-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3613"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/29/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins SAML Plugin does not implement a replay cache"
}

GHSA-JCMP-PHFM-38X8

Vulnerability from github – Published: 2026-05-28 18:30 – Updated: 2026-05-28 18:30
VLAI
Details

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion’s subject, including administrator accounts, without needing the user’s password or MFA credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T17:16:34Z",
    "severity": "HIGH"
  },
  "details": "Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion\u2019s subject, including administrator accounts, without needing the user\u2019s password or MFA credentials.",
  "id": "GHSA-jcmp-phfm-38x8",
  "modified": "2026-05-28T18:30:32Z",
  "published": "2026-05-28T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9095"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/780781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGVP-6MMR-4MRW

Vulnerability from github – Published: 2026-02-09 15:30 – Updated: 2026-02-09 15:30
VLAI
Details

Crafted delegations or IP fragments can poison cached delegations in Recursor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-09T15:16:10Z",
    "severity": "HIGH"
  },
  "details": "Crafted delegations or IP fragments can poison cached delegations in Recursor.",
  "id": "GHSA-jgvp-6mmr-4mrw",
  "modified": "2026-02-09T15:30:31Z",
  "published": "2026-02-09T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59023"
    },
    {
      "type": "WEB",
      "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Utilize some sequence or time stamping functionality along with a checksum which takes this into account in order to ensure that messages can be parsed only once.

Mitigation
Architecture and Design

Since any attacker who can listen to traffic can see sequence numbers, it is necessary to sign messages with some kind of cryptography to ensure that sequence numbers are not simply doctored along with content.

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

CAPEC-509: Kerberoasting

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.

CAPEC-555: Remote Services with Stolen Credentials

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

CAPEC-561: Windows Admin Shares with Stolen Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-644: Use of Captured Hashes (Pass The Hash)

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

CAPEC-645: Use of Captured Tickets (Pass The Ticket)

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-701: Browser in the Middle (BiTM)

An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.