CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5966 vulnerabilities reference this CWE, most recent first.
CVE-2026-7844 (GCVE-0-2026-7844)
Vulnerability from cvelistv5 – Published: 2026-05-05 15:00 – Updated: 2026-05-06 14:16| URL | Tags |
|---|---|
| https://vuldb.com/vuln/361123 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/361123/cti | signaturepermissions-required |
| https://vuldb.com/submit/807790 | third-party-advisory |
| https://github.com/chatchat-space/Langchain-Chatc… | issue-tracking |
| https://github.com/3em0/cve_repo/blob/main/Langch… | exploit |
| https://github.com/chatchat-space/Langchain-Chatchat/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| chatchat-space | Langchain-Chatchat |
Affected:
0.3.1.0
Affected: 0.3.1.1 Affected: 0.3.1.2 Affected: 0.3.1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7844",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T14:16:11.330952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T14:16:25.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Compatible File Service"
],
"product": "Langchain-Chatchat",
"vendor": "chatchat-space",
"versions": [
{
"status": "affected",
"version": "0.3.1.0"
},
{
"status": "affected",
"version": "0.3.1.1"
},
{
"status": "affected",
"version": "0.3.1.2"
},
{
"status": "affected",
"version": "0.3.1.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem00 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T15:00:13.227Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-361123 | chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/361123"
},
{
"name": "VDB-361123 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/361123/cti"
},
{
"name": "Submit #807790 | chatchat-space Langchain-Chatchat 0.3.1.3 Missing Authorization / CWE-862",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/807790"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/chatchat-space/Langchain-Chatchat/issues/5465"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md"
},
{
"tags": [
"product"
],
"url": "https://github.com/chatchat-space/Langchain-Chatchat/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-05T12:26:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7844",
"datePublished": "2026-05-05T15:00:13.227Z",
"dateReserved": "2026-05-05T10:20:48.141Z",
"dateUpdated": "2026-05-06T14:16:25.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7723 (GCVE-0-2026-7723)
Vulnerability from cvelistv5 – Published: 2026-05-04 02:30 – Updated: 2026-05-04 21:17 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360899 | vdb-entry |
| https://vuldb.com/vuln/360899/cti | signaturepermissions-required |
| https://vuldb.com/submit/807256 | third-party-advisory |
| https://gist.github.com/nedlir/f1ab8aa038aafbcc6b… | exploit |
| https://github.com/PrefectHQ/prefect/pull/20372 | issue-trackingpatch |
| https://github.com/PrefectHQ/prefect/commit/f8afe… | patch |
| https://github.com/PrefectHQ/prefect/releases/tag… | patch |
| https://github.com/PrefectHQ/prefect/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| PrefectHQ | prefect |
Affected:
3.6.0
Affected: 3.6.1 Affected: 3.6.2 Affected: 3.6.3 Affected: 3.6.4 Affected: 3.6.5 Affected: 3.6.6 Affected: 3.6.7 Affected: 3.6.8 Affected: 3.6.9 Affected: 3.6.10 Affected: 3.6.11 Affected: 3.6.12 Affected: 3.6.13 Unaffected: 3.6.14 cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7723",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T11:33:53.101447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T11:34:08.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:*"
],
"modules": [
"WebSocket Endpoint"
],
"product": "prefect",
"vendor": "PrefectHQ",
"versions": [
{
"status": "affected",
"version": "3.6.0"
},
{
"status": "affected",
"version": "3.6.1"
},
{
"status": "affected",
"version": "3.6.2"
},
{
"status": "affected",
"version": "3.6.3"
},
{
"status": "affected",
"version": "3.6.4"
},
{
"status": "affected",
"version": "3.6.5"
},
{
"status": "affected",
"version": "3.6.6"
},
{
"status": "affected",
"version": "3.6.7"
},
{
"status": "affected",
"version": "3.6.8"
},
{
"status": "affected",
"version": "3.6.9"
},
{
"status": "affected",
"version": "3.6.10"
},
{
"status": "affected",
"version": "3.6.11"
},
{
"status": "affected",
"version": "3.6.12"
},
{
"status": "affected",
"version": "3.6.13"
},
{
"status": "unaffected",
"version": "3.6.14"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nedlir (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T21:17:54.417Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360899 | PrefectHQ prefect WebSocket Endpoint in missing authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/360899"
},
{
"name": "VDB-360899 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360899/cti"
},
{
"name": "Submit #807256 | PerfectHQ Perfect \u003c=3.6.13 Missing Critical Step in Authentication",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/807256"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/PrefectHQ/prefect/pull/20372"
},
{
"tags": [
"patch"
],
"url": "https://github.com/PrefectHQ/prefect/commit/f8afecadf88ea5f73694dafa3a365b9d8fae1ad6"
},
{
"tags": [
"patch"
],
"url": "https://github.com/PrefectHQ/prefect/releases/tag/3.6.14"
},
{
"tags": [
"product"
],
"url": "https://github.com/PrefectHQ/prefect/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-04T23:22:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "PrefectHQ prefect WebSocket Endpoint in missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7723",
"datePublished": "2026-05-04T02:30:18.099Z",
"dateReserved": "2026-05-03T09:18:16.724Z",
"dateUpdated": "2026-05-04T21:17:54.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7722 (GCVE-0-2026-7722)
Vulnerability from cvelistv5 – Published: 2026-05-04 02:15 – Updated: 2026-05-04 21:17 X_Open Source- CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360898 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/360898/cti | signaturepermissions-required |
| https://vuldb.com/submit/807255 | third-party-advisory |
| https://gist.github.com/nedlir/f576abbb0e491dc9bb… | exploit |
| https://github.com/PrefectHQ/prefect/pull/21063 | issue-trackingpatch |
| https://github.com/PrefectHQ/prefect/commit/e2161… | patch |
| https://github.com/PrefectHQ/prefect/releases/tag… | patch |
| https://github.com/PrefectHQ/prefect/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| PrefectHQ | prefect |
Affected:
3.6.0
Affected: 3.6.1 Affected: 3.6.2 Affected: 3.6.3 Affected: 3.6.4 Affected: 3.6.5 Affected: 3.6.6 Affected: 3.6.7 Affected: 3.6.8 Affected: 3.6.9 Affected: 3.6.10 Affected: 3.6.11 Affected: 3.6.12 Affected: 3.6.13 Affected: 3.6.14 Affected: 3.6.15 Affected: 3.6.16 Affected: 3.6.17 Affected: 3.6.18 Affected: 3.6.19 Affected: 3.6.20 Affected: 3.6.21 Unaffected: 3.6.22 cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7722",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T12:56:10.889706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T12:56:25.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:*"
],
"modules": [
"Health Check API"
],
"product": "prefect",
"vendor": "PrefectHQ",
"versions": [
{
"status": "affected",
"version": "3.6.0"
},
{
"status": "affected",
"version": "3.6.1"
},
{
"status": "affected",
"version": "3.6.2"
},
{
"status": "affected",
"version": "3.6.3"
},
{
"status": "affected",
"version": "3.6.4"
},
{
"status": "affected",
"version": "3.6.5"
},
{
"status": "affected",
"version": "3.6.6"
},
{
"status": "affected",
"version": "3.6.7"
},
{
"status": "affected",
"version": "3.6.8"
},
{
"status": "affected",
"version": "3.6.9"
},
{
"status": "affected",
"version": "3.6.10"
},
{
"status": "affected",
"version": "3.6.11"
},
{
"status": "affected",
"version": "3.6.12"
},
{
"status": "affected",
"version": "3.6.13"
},
{
"status": "affected",
"version": "3.6.14"
},
{
"status": "affected",
"version": "3.6.15"
},
{
"status": "affected",
"version": "3.6.16"
},
{
"status": "affected",
"version": "3.6.17"
},
{
"status": "affected",
"version": "3.6.18"
},
{
"status": "affected",
"version": "3.6.19"
},
{
"status": "affected",
"version": "3.6.20"
},
{
"status": "affected",
"version": "3.6.21"
},
{
"status": "unaffected",
"version": "3.6.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nedlir (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T21:17:46.743Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360898 | PrefectHQ prefect Health Check API health endswith improper authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/360898"
},
{
"name": "VDB-360898 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360898/cti"
},
{
"name": "Submit #807255 | PrefectHQ Perfect \u003c=3.6.21 Improper Authentication",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/807255"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/PrefectHQ/prefect/pull/21063"
},
{
"tags": [
"patch"
],
"url": "https://github.com/PrefectHQ/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79"
},
{
"tags": [
"patch"
],
"url": "https://github.com/PrefectHQ/prefect/releases/tag/3.6.22"
},
{
"tags": [
"product"
],
"url": "https://github.com/PrefectHQ/prefect/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-04T23:22:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "PrefectHQ prefect Health Check API health endswith improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7722",
"datePublished": "2026-05-04T02:15:18.541Z",
"dateReserved": "2026-05-03T09:18:12.918Z",
"dateUpdated": "2026-05-04T21:17:46.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7714 (GCVE-0-2026-7714)
Vulnerability from cvelistv5 – Published: 2026-05-04 00:15 – Updated: 2026-05-04 12:56| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360890 | vdb-entry |
| https://vuldb.com/vuln/360890/cti | signaturepermissions-required |
| https://vuldb.com/submit/806468 | third-party-advisory |
| https://github.com/crocodilestick/Calibre-Web-Aut… | issue-tracking |
| https://github.com/crocodilestick/Calibre-Web-Aut… | issue-trackingpatch |
| https://gist.github.com/menelausx/1b45c952d352a2e… | exploit |
| https://github.com/crocodilestick/Calibre-Web-Aut… | product |
| Vendor | Product | Version | |
|---|---|---|---|
| crocodilestick | Calibre-Web-Automated |
Affected:
4.0.0
Affected: 4.0.1 Affected: 4.0.2 Affected: 4.0.3 Affected: 4.0.4 Affected: 4.0.5 Affected: 4.0.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7714",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T12:55:51.982856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T12:56:04.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Admin Endpoint"
],
"product": "Calibre-Web-Automated",
"vendor": "crocodilestick",
"versions": [
{
"status": "affected",
"version": "4.0.0"
},
{
"status": "affected",
"version": "4.0.1"
},
{
"status": "affected",
"version": "4.0.2"
},
{
"status": "affected",
"version": "4.0.3"
},
{
"status": "affected",
"version": "4.0.4"
},
{
"status": "affected",
"version": "4.0.5"
},
{
"status": "affected",
"version": "4.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "JasperX (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.4,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T00:15:11.837Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360890 | crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/360890"
},
{
"name": "VDB-360890 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360890/cti"
},
{
"name": "Submit #806468 | crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/806468"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/crocodilestick/Calibre-Web-Automated/issues/1304"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/menelausx/1b45c952d352a2ebdc01cd8d5aa88e87"
},
{
"tags": [
"product"
],
"url": "https://github.com/crocodilestick/Calibre-Web-Automated/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-03T10:04:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7714",
"datePublished": "2026-05-04T00:15:11.837Z",
"dateReserved": "2026-05-03T07:59:49.252Z",
"dateUpdated": "2026-05-04T12:56:04.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7710 (GCVE-0-2026-7710)
Vulnerability from cvelistv5 – Published: 2026-05-03 23:15 – Updated: 2026-05-04 13:07- CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360886 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/360886/cti | signaturepermissions-required |
| https://vuldb.com/submit/806493 | third-party-advisory |
| https://github.com/9str0IL/CVE/issues/5 | exploitissue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| YunaiV | yudao-cloud |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 Affected: 3.8.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7710",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T13:07:08.864995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T13:07:34.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Ruoyi-Vue-Pro"
],
"product": "yudao-cloud",
"vendor": "YunaiV",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
},
{
"status": "affected",
"version": "3.8.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "9str0il (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T23:15:17.816Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360886 | YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/360886"
},
{
"name": "VDB-360886 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360886/cti"
},
{
"name": "Submit #806493 | YunaiV yudao-cloud yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/806493"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/9str0IL/CVE/issues/5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-03T09:43:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7710",
"datePublished": "2026-05-03T23:15:17.816Z",
"dateReserved": "2026-05-03T07:38:31.974Z",
"dateUpdated": "2026-05-04T13:07:34.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7679 (GCVE-0-2026-7679)
Vulnerability from cvelistv5 – Published: 2026-05-03 04:15 – Updated: 2026-05-04 14:55- CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360832 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/360832/cti | signaturepermissions-required |
| https://vuldb.com/submit/800866 | third-party-advisory |
| https://github.com/9str0IL/CVE/issues/1 | exploitissue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| YunaiV | yudao-cloud |
Affected:
2026.01
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7679",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T14:55:13.779067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T14:55:27.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yudao-cloud",
"vendor": "YunaiV",
"versions": [
{
"status": "affected",
"version": "2026.01"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "9str0il (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T04:15:10.929Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360832 | YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/360832"
},
{
"name": "VDB-360832 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360832/cti"
},
{
"name": "Submit #800866 | YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/800866"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/9str0IL/CVE/issues/1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-02T10:44:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7679",
"datePublished": "2026-05-03T04:15:10.929Z",
"dateReserved": "2026-05-02T08:39:00.470Z",
"dateUpdated": "2026-05-04T14:55:27.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7664 (GCVE-0-2026-7664)
Vulnerability from cvelistv5 – Published: 2026-06-22 14:10 – Updated: 2026-06-23 18:48- CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7277243 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Langflow OSS |
Affected:
1.0.0 , ≤ 1.8.4
(semver)
cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_oss:1.8.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T03:55:59.093462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:48:23.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:langflow_oss:1.8.4:*:*:*:*:*:*:*"
],
"product": "Langflow OSS",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.8.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.\u003c/p\u003e"
}
],
"value": "IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T14:10:25.584Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7277243"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading \u003ca href=\"https://pypi.org/project/langflow/\" rel=\"nofollow\"\u003eLangflow OSS to version 1.9.1\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.9.1 https://pypi.org/project/langflow/"
}
],
"title": "Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-7664",
"datePublished": "2026-06-22T14:10:25.584Z",
"dateReserved": "2026-05-01T19:46:59.287Z",
"dateUpdated": "2026-06-23T18:48:23.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7630 (GCVE-0-2026-7630)
Vulnerability from cvelistv5 – Published: 2026-05-02 13:15 – Updated: 2026-05-04 13:12 X_Open Source- CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360576 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/360576/cti | signaturepermissions-required |
| https://vuldb.com/submit/806484 | third-party-advisory |
| https://github.com/innocommerce/innoshop/issues/314 | exploitissue-tracking |
| https://github.com/innocommerce/innoshop/issues/3… | issue-tracking |
| https://github.com/innocommerce/innoshop/commit/4… | patch |
| https://github.com/innocommerce/innoshop/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| innocommerce | InnoShop |
Affected:
0.6.*
Affected: 0.7.0 Affected: 0.7.1 Affected: 0.7.2 Affected: 0.7.3 Affected: 0.7.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7630",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T13:12:01.184969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T13:12:56.976Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Installation Endpoint"
],
"product": "InnoShop",
"vendor": "innocommerce",
"versions": [
{
"status": "affected",
"version": "0.6.*"
},
{
"status": "affected",
"version": "0.7.0"
},
{
"status": "affected",
"version": "0.7.1"
},
{
"status": "affected",
"version": "0.7.2"
},
{
"status": "affected",
"version": "0.7.3"
},
{
"status": "affected",
"version": "0.7.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "anch0r (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T13:15:13.485Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360576 | innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/360576"
},
{
"name": "VDB-360576 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360576/cti"
},
{
"name": "Submit #806484 | innocommerce innoshop \u003c= 0.7.3 Missing Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/806484"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/innocommerce/innoshop/issues/314"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458"
},
{
"tags": [
"patch"
],
"url": "https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9"
},
{
"tags": [
"product"
],
"url": "https://github.com/innocommerce/innoshop/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-01T16:33:46.000Z",
"value": "VulDB entry last update"
}
],
"title": "innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7630",
"datePublished": "2026-05-02T13:15:13.485Z",
"dateReserved": "2026-05-01T14:28:41.503Z",
"dateUpdated": "2026-05-04T13:12:56.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7113 (GCVE-0-2026-7113)
Vulnerability from cvelistv5 – Published: 2026-04-27 10:00 – Updated: 2026-04-27 13:29| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359713 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359713/cti | signaturepermissions-required |
| https://vuldb.com/submit/800802 | third-party-advisory |
| https://github.com/NousResearch/hermes-agent/issu… | exploitissue-tracking |
| https://github.com/NousResearch/hermes-agent/pull/6445 | issue-trackingpatch |
| https://github.com/NousResearch/hermes-agent/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| NousResearch | hermes-agent |
Affected:
0.8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7113",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:09:41.231194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:29:05.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Webhooks Endpoint"
],
"product": "hermes-agent",
"vendor": "NousResearch",
"versions": [
{
"status": "affected",
"version": "0.8.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu-Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitation is known to be difficult. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T10:00:17.997Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359713 | NousResearch hermes-agent Webhooks Endpoint webhook.py missing authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359713"
},
{
"name": "VDB-359713 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359713/cti"
},
{
"name": "Submit #800802 | NousResearch hermes-agent 0.8.0 Unauthenticated Remote Code Execution Webhook",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/800802"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/NousResearch/hermes-agent/issues/6440"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/NousResearch/hermes-agent/pull/6445"
},
{
"tags": [
"product"
],
"url": "https://github.com/NousResearch/hermes-agent/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T18:00:08.000Z",
"value": "VulDB entry last update"
}
],
"title": "NousResearch hermes-agent Webhooks Endpoint webhook.py missing authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7113",
"datePublished": "2026-04-27T10:00:17.997Z",
"dateReserved": "2026-04-26T15:54:52.370Z",
"dateUpdated": "2026-04-27T13:29:05.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7112 (GCVE-0-2026-7112)
Vulnerability from cvelistv5 – Published: 2026-04-27 09:45 – Updated: 2026-04-27 12:21- CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/359712 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/359712/cti | signaturepermissions-required |
| https://vuldb.com/submit/800800 | third-party-advisory |
| https://github.com/NousResearch/hermes-agent/issu… | exploitissue-tracking |
| https://github.com/NousResearch/hermes-agent/pull/6477 | issue-trackingpatch |
| https://github.com/NousResearch/hermes-agent/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| NousResearch | hermes-agent |
Affected:
0.8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7112",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T12:21:19.774754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T12:21:26.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"API_SERVER_KEY Handler"
],
"product": "hermes-agent",
"vendor": "NousResearch",
"versions": [
{
"status": "affected",
"version": "0.8.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu-Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in NousResearch hermes-agent 0.8.0. Affected by this vulnerability is the function _check_auth of the file gateway/platforms/api_server.py of the component API_SERVER_KEY Handler. The manipulation leads to improper authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T09:45:11.517Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-359712 | NousResearch hermes-agent API_SERVER_KEY api_server.py _check_auth improper authentication",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/359712"
},
{
"name": "VDB-359712 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/359712/cti"
},
{
"name": "Submit #800800 | NousResearch hermes-agent 0.8.0 Unauthenticated Remote Code Execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/800800"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/NousResearch/hermes-agent/issues/6439"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/NousResearch/hermes-agent/pull/6477"
},
{
"tags": [
"product"
],
"url": "https://github.com/NousResearch/hermes-agent/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-26T18:00:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "NousResearch hermes-agent API_SERVER_KEY api_server.py _check_auth improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7112",
"datePublished": "2026-04-27T09:45:11.517Z",
"dateReserved": "2026-04-26T15:54:42.744Z",
"dateUpdated": "2026-04-27T12:21:26.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.