CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-MQP5-VPV8-VHQM
Vulnerability from github – Published: 2024-09-10 21:31 – Updated: 2024-09-10 21:31An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2024-8012"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T21:15:14Z",
"severity": "HIGH"
},
"details": "An authentication bypass weakness in the message broker service of Ivanti Workspace Control version 10.18.0.0 and below allows a local authenticated attacker to escalate their privileges.",
"id": "GHSA-mqp5-vpv8-vhqm",
"modified": "2024-09-10T21:31:40Z",
"published": "2024-09-10T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8012"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR2F-MM92-FPPW
Vulnerability from github – Published: 2024-05-07 06:30 – Updated: 2024-05-07 06:30The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. This is due to the 'eb_user_email_verification_key' default value is empty, and the not empty check is missing in the 'eb_user_email_verify' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This can only be exploited if the 'Email Verification' setting is enabled.
{
"affected": [],
"aliases": [
"CVE-2024-4186"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T06:15:09Z",
"severity": "CRITICAL"
},
"details": "The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. This is due to the \u0027eb_user_email_verification_key\u0027 default value is empty, and the not empty check is missing in the \u0027eb_user_email_verify\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This can only be exploited if the \u0027Email Verification\u0027 setting is enabled.",
"id": "GHSA-mr2f-mm92-fppw",
"modified": "2024-05-07T06:30:36Z",
"published": "2024-05-07T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4186"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/edwiser-bridge/tags/3.0.4/includes/class-eb-user-manager.php#L1571"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3081961/edwiser-bridge#file1"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6969d281-f280-4714-9859-38ac66e9cc60?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR3F-GMG7-3H9C
Vulnerability from github – Published: 2025-08-12 12:30 – Updated: 2025-08-12 12:30A vulnerability has been identified in SINUMERIK 828D PPU.4 (All versions < V4.95 SP5), SINUMERIK 828D PPU.5 (All versions < V5.25 SP1), SINUMERIK 840D sl (All versions < V4.95 SP5), SINUMERIK MC (All versions < V1.25 SP1), SINUMERIK MC V1.15 (All versions < V1.15 SP5), SINUMERIK ONE (All versions < V6.25 SP1), SINUMERIK ONE V6.15 (All versions < V6.15 SP5). The affected application improperly validates authentication for its VNC access service, allowing access with insufficient password verification. This could allow an attacker to gain unauthorized remote access and potentially compromise system confidentiality, integrity, or availability.
{
"affected": [],
"aliases": [
"CVE-2025-40743"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T12:15:35Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SINUMERIK 828D PPU.4 (All versions \u003c V4.95 SP5), SINUMERIK 828D PPU.5 (All versions \u003c V5.25 SP1), SINUMERIK 840D sl (All versions \u003c V4.95 SP5), SINUMERIK MC (All versions \u003c V1.25 SP1), SINUMERIK MC V1.15 (All versions \u003c V1.15 SP5), SINUMERIK ONE (All versions \u003c V6.25 SP1), SINUMERIK ONE V6.15 (All versions \u003c V6.15 SP5). The affected application improperly validates authentication for its VNC access service, allowing access with insufficient password verification.\nThis could allow an attacker to gain unauthorized remote access and potentially compromise system confidentiality, integrity, or availability.",
"id": "GHSA-mr3f-gmg7-3h9c",
"modified": "2025-08-12T12:30:33Z",
"published": "2025-08-12T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40743"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-177847.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MR5G-WHRV-MQMF
Vulnerability from github – Published: 2024-06-14 06:34 – Updated: 2024-06-14 06:34Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference URL.
{
"affected": [],
"aliases": [
"CVE-2024-3496"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T05:15:48Z",
"severity": "HIGH"
},
"details": "Attackers can bypass the web login authentication process to gain access to the printer\u0027s system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference URL.",
"id": "GHSA-mr5g-whrv-mqmf",
"modified": "2024-06-14T06:34:48Z",
"published": "2024-06-14T06:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3496"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/20240531_01.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR95-WR78-6G74
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-26 00:01An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locally authenticated user to have their permissions elevated without authentication thereby taking control of the local system they are currently authenticated to. This issue affects: Juniper Networks Contrail Service Orchestration 6.0.0 versions prior to 6.0.0 Patch v3 on On-premises installations. This issue does not affect Juniper Networks Contrail Service Orchestration On-premises versions prior to 6.0.0.
{
"affected": [],
"aliases": [
"CVE-2022-22189"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-14T16:15:00Z",
"severity": "HIGH"
},
"details": "An Incorrect Ownership Assignment vulnerability in Juniper Networks Contrail Service Orchestration (CSO) allows a locally authenticated user to have their permissions elevated without authentication thereby taking control of the local system they are currently authenticated to. This issue affects: Juniper Networks Contrail Service Orchestration 6.0.0 versions prior to 6.0.0 Patch v3 on On-premises installations. This issue does not affect Juniper Networks Contrail Service Orchestration On-premises versions prior to 6.0.0.",
"id": "GHSA-mr95-wr78-6g74",
"modified": "2022-04-26T00:01:07Z",
"published": "2022-04-15T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22189"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69498"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR9J-4J48-XCM2
Vulnerability from github – Published: 2025-10-02 12:31 – Updated: 2025-11-05 20:47Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kylin:kylin"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kylin:kylin-core-common"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61733"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-02T21:07:54Z",
"nvd_published_at": "2025-10-02T10:15:39Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.\n\nThis issue affects Apache Kylin: from 4.0.0 through 5.0.2.\n\nUsers are recommended to upgrade to version 5.0.3, which fixes the issue.",
"id": "GHSA-mr9j-4j48-xcm2",
"modified": "2025-11-05T20:47:37Z",
"published": "2025-10-02T12:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61733"
},
{
"type": "WEB",
"url": "https://github.com/apache/kylin/pull/2336"
},
{
"type": "WEB",
"url": "https://github.com/apache/kylin/commit/8b2cb8c71bd9885d70dad4f1a9822e38d9949b8c"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/kylin"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/KYLIN-6081"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8wmcffly6gp50nmfw8j4w3hlmv843yo0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/30/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Kylin Authentication Bypass Vulnerability"
}
GHSA-MRQP-Q7VX-V2CX
Vulnerability from github – Published: 2025-02-13 17:16 – Updated: 2026-01-22 21:47Summary / Details Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges.
Affected Versions - Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 - versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x.
Required Configuration for Exploit These are the conditions required to enable exploit: 1. Cassandra 4.x 2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use 3. Data added to tables 4. Lucene index created 5. Cassandra flush has run
Mitigation/Prevention Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met.
Solution
Upgrade to a fixed version of the Cassandra-Lucene-Index plugin.
Review users in Cassandra to validate all superuser privileges.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.instaclustr:cassandra-lucene-index-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "4.0-rc1-1.0.0"
},
{
"fixed": "4.0.17-1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.instaclustr:cassandra-lucene-index-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-1.0.0"
},
{
"fixed": "4.1.8-1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-26511"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-13T17:16:27Z",
"nvd_published_at": "2025-02-13T16:16:50Z",
"severity": "HIGH"
},
"details": "**Summary / Details**\nSystems running the Instaclustr fork of Stratio\u0027s Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges. \n\n**Affected Versions**\n-\tCassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 \n-\tversions 4.1.0-1.0.0 through 4.1.8-1.0.0\nwhen installed into Apache Cassandra version 4.x.\n\n**Required Configuration for Exploit**\nThese are the conditions required to enable exploit:\n1. Cassandra 4.x\n2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use\n3. Data added to tables\n4. Lucene index created\n5. Cassandra flush has run\n\n**Mitigation/Prevention**\nMitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met.\n\n**Solution**\nUpgrade to a fixed version of the Cassandra-Lucene-Index plugin. \nReview users in Cassandra to validate all superuser privileges.",
"id": "GHSA-mrqp-q7vx-v2cx",
"modified": "2026-01-22T21:47:02Z",
"published": "2025-02-13T17:16:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/instaclustr/cassandra-lucene-index/security/advisories/GHSA-mrqp-q7vx-v2cx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26511"
},
{
"type": "WEB",
"url": "https://github.com/instaclustr/cassandra-lucene-index/commit/44ab4b639c9354a6335f40b1cf6178c745c6e101"
},
{
"type": "WEB",
"url": "https://github.com/instaclustr/cassandra-lucene-index/commit/94380b165bd3e597d3e22e47f8cc674ec7c7bf7f"
},
{
"type": "PACKAGE",
"url": "https://github.com/instaclustr/cassandra-lucene-index"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC"
}
GHSA-MV8W-C2QV-CGRG
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.
This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.
{
"affected": [],
"aliases": [
"CVE-2026-20079"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T18:16:24Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.\n\n This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.",
"id": "GHSA-mv8w-c2qv-cgrg",
"modified": "2026-03-04T18:31:55Z",
"published": "2026-03-04T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20079"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MW7W-G3MG-XQM7
Vulnerability from github – Published: 2026-03-27 22:32 – Updated: 2026-03-27 22:32Summary
BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
BlueBubbles group reaction events previously bypassed requireMention and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit f8c98630785288cc1f1d0893503ef3b653a3cede applies the reaction path to the same mention gate as normal group messages.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit f8c98630785288cc1f1d0893503ef3b653a3cede.
Fix Commit(s)
f8c98630785288cc1f1d0893503ef3b653a3cede
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.3.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T22:32:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nBlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nBlueBubbles group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` applies the reaction path to the same mention gate as normal group messages.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`.\n\n## Fix Commit(s)\n\n- `f8c98630785288cc1f1d0893503ef3b653a3cede`",
"id": "GHSA-mw7w-g3mg-xqm7",
"modified": "2026-03-27T22:32:06Z",
"published": "2026-03-27T22:32:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events"
}
GHSA-MX7M-J9XF-62HW
Vulnerability from github – Published: 2025-11-14 17:46 – Updated: 2025-11-14 17:46Summary
A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline or named fragments. A fix to composition logic in Federation now disallows interfaces types and fields to contain user-defined access control directives.
Details
Apollo Federation allows users to specify access control directives (@authenticated, @requiresScopes, and @policy) to protect object and interface types and fields. However, the GraphQL specification does not define inheritance rules for directives from interfaces to their implementations. When querying object or interface types/fields, Apollo Router will enforce any directives on those object or interface types/fields, but ignore any directives on interface types/fields they implement. This inconsistent enforcement behavior leads to unexpected runtime security gaps.
Who is impacted
This vulnerability impacts Apollo Federation customers defining @authenticated, @requiresScopes, or @policy directives on interface types/fields.
Scope of Impact
This vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on the interface types/fields by instead querying them via implementing object types/fields that don't have the same access control requirements via inline or named fragments.
Patches
This vulnerability has been fixed in Apollo Federation's composition logic by rejecting user-defined access control directives entirely on interface types and fields (note that access control directives on @interfaceObject fields are not rejected, as those are really specifying requirements on the virtual object fields). Instead, Apollo Federation's composition logic will automatically generate access control directives for interface types/fields in the supergraph schema based on the access control directives on the implementations in subgraph schemas.
Note that this is a breaking change to Apollo Federation, as it no longer allows user-defined access control directives directly on interfaces types and fields. You will need to remove all access control requirements on interface types/fields and manually apply them to each implementing object type/field, where appropriate.
If users are using the Apollo Studio build pipeline with federation version 2.9 or above, then this composition patch version update is automatic and they only need to adjust the access control requirements in your subgraph schemas as mentioned above.
If users are using Apollo Rover for local composition, they will need to update its composition version (after updating Apollo Router, if necessary) to one of the following versions:
- 2.9.5+
- 2.10.4+
- 2.11.5+
- 2.12.1+
Users will then need adjust the access control requirements in your subgraph schemas as mentioned above.
Workarounds
- If using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, users should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. Do not remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema.
- Customers not using Apollo Router access control features (
@authenticated,@requiresScopes, or@policydirectives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0-alpha.3"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0-preview.1"
},
{
"fixed": "2.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-preview.1"
},
{
"fixed": "2.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64530"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T17:46:55Z",
"nvd_published_at": "2025-11-13T23:15:49Z",
"severity": "HIGH"
},
"details": "# Summary\nA vulnerability in Apollo Federation\u0027s composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead querying the implementing object types/fields in Apollo Router via inline or named fragments. A fix to composition logic in Federation now disallows interfaces types and fields to contain user-defined access control directives.\n\n## Details\nApollo Federation allows users to specify access control directives ([`@authenticated`, `@requiresScopes`, and `@policy`](https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives)) to protect object and interface types and fields. However, the GraphQL specification does not define inheritance rules for directives from interfaces to their implementations. When querying object or interface types/fields, Apollo Router will enforce any directives on those object or interface types/fields, but ignore any directives on interface types/fields they implement. This inconsistent enforcement behavior leads to unexpected runtime security gaps.\n\n## Who is impacted\nThis vulnerability impacts Apollo Federation customers defining `@authenticated`, `@requiresScopes`, or `@policy` directives on interface types/fields.\n\n### Scope of Impact\nThis vulnerability could allow a malicious actor to craft a query that can bypass access control requirements on the interface types/fields by instead querying them via implementing object types/fields that don\u0027t have the same access control requirements via inline or named fragments.\n\n## Patches\nThis vulnerability has been fixed in Apollo Federation\u0027s composition logic by rejecting user-defined access control directives entirely on interface types and fields (note that access control directives on `@interfaceObject` fields are not rejected, as those are really specifying requirements on the virtual object fields). Instead, Apollo Federation\u0027s composition logic will automatically generate access control directives for interface types/fields in the supergraph schema based on the access control directives on the implementations in subgraph schemas. \n\n_Note that this is a breaking change to Apollo Federation, as it no longer allows user-defined access control directives directly on interfaces types and fields. You will need to remove all access control requirements on interface types/fields and manually apply them to each implementing object type/field, where appropriate._\n\nIf users are using the Apollo Studio build pipeline with federation version 2.9 or above, then this composition patch version update is automatic and they only need to adjust the access control requirements in your subgraph schemas as mentioned above.\n\nIf users are using Apollo Rover for local composition, they will need to update its composition version (after updating Apollo Router, [if necessary](https://www.apollographql.com/docs/graphos/platform/graph-management/updates#recommended-update-order)) to one of the following versions:\n\n- 2.9.5+\n- 2.10.4+\n- 2.11.5+\n- 2.12.1+\n\nUsers will then need adjust the access control requirements in your subgraph schemas as mentioned above.\n\n## Workarounds\n- If using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, users should manually copy the access control requirements on interface types/fields to each implementing object type/field where appropriate. _Do not_ remove those access control requirements from the interface types/fields, as unpatched Apollo Composition will not automatically generate them in the supergraph schema.\n- Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not specifying access control requirements on interface types/fields are not affected and do not need to take action.",
"id": "GHSA-mx7m-j9xf-62hw",
"modified": "2025-11-14T17:46:55Z",
"published": "2025-11-14T17:46:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/security/advisories/GHSA-mx7m-j9xf-62hw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64530"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/pull/3340"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/pull/3341"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/pull/3343"
},
{
"type": "PACKAGE",
"url": "https://github.com/apollographql/federation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields"
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.