CWE-303
AllowedIncorrect Implementation of Authentication Algorithm
Abstraction: Base · Status: Draft
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
153 vulnerabilities reference this CWE, most recent first.
GHSA-6HGP-J96H-RQW4
Vulnerability from github – Published: 2026-05-04 18:30 – Updated: 2026-05-04 21:30In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-0073"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T18:16:26Z",
"severity": "HIGH"
},
"details": "In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-6hgp-j96h-rqw4",
"modified": "2026-05-04T21:30:24Z",
"published": "2026-05-04T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0073"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/2026/2026-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6RQH-8465-2XCW
Vulnerability from github – Published: 2025-04-14 15:31 – Updated: 2025-04-23 15:09Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0"
},
{
"fixed": "9.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250220161544-fd356b62b4dd"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2475"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-14T22:00:55Z",
"nvd_published_at": "2025-04-14T15:15:24Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.5.x \u003c= 10.5.1, 10.4.x \u003c= 10.4.3, 9.11.x \u003c= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.",
"id": "GHSA-6rqh-8465-2xcw",
"modified": "2025-04-23T15:09:22Z",
"published": "2025-04-14T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2475"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/124547a9ef424431e1e6cf09bdba6c1099d415de"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/40fd60714bd055e00c16301ba6dc0fddfc44e15e"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/88523ceed8a7547c4a4203a30e7c3a8097346280"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/bcd7a4c2bd856dbb40fcda227b363fa5f6f548a7"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/fd356b62b4dd3318d2c8019d2310abdd6ce24c8c"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3610"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm"
}
GHSA-6VX8-PCWV-XHF4
Vulnerability from github – Published: 2025-06-05 00:38 – Updated: 2025-06-05 00:38When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (signxml.XMLVerifier.verify(require_x509=False, hmac_key=...), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the signxml.XMLVerifier.verify(expect_config=...) setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm.
Starting with signxml 4.0.4, specifying hmac_key causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "signxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48994"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-05T00:38:20Z",
"nvd_published_at": "2025-06-02T17:15:40Z",
"severity": "MODERATE"
},
"details": "When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm.\n\nStarting with signxml 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.",
"id": "GHSA-6vx8-pcwv-xhf4",
"modified": "2025-06-05T00:38:20Z",
"published": "2025-06-05T00:38:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/XML-Security/signxml/security/advisories/GHSA-6vx8-pcwv-xhf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48994"
},
{
"type": "WEB",
"url": "https://github.com/XML-Security/signxml/commit/e3c0c2b82a3329a65d917830657649c98b8c7600"
},
{
"type": "PACKAGE",
"url": "https://github.com/XML-Security/signxml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SignXML\u0027s signature verification with HMAC is vulnerable to an algorithm confusion attack"
}
GHSA-8259-2X72-2GVC
Vulnerability from github – Published: 2024-09-11 15:31 – Updated: 2026-02-02 15:37In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.edc:transfer-data-plane"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8642"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-11T17:31:04Z",
"nvd_published_at": "2024-09-11T14:15:14Z",
"severity": "MODERATE"
},
"details": "In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \"transfer-data-plane\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.",
"id": "GHSA-8259-2x72-2gvc",
"modified": "2026-02-02T15:37:32Z",
"published": "2024-09-11T15:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8642"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-edc/Connector"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/28"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green",
"type": "CVSS_V4"
}
],
"summary": "Eclipse Dataspace Components\u0027s ConsumerPullTransferTokenValidationApiController doesn\u0027t check for token validit"
}
GHSA-83C4-FFJP-MXP9
Vulnerability from github – Published: 2026-05-19 09:31 – Updated: 2026-06-26 09:30A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8922"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T17:30:58Z",
"nvd_published_at": "2026-05-19T08:16:18Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak\u0027s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.",
"id": "GHSA-83c4-ffjp-mxp9",
"modified": "2026-06-26T09:30:45Z",
"published": "2026-05-19T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/49118"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/49129"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/b6cd645683f469724cd588fac415fe09bd20a27a"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/c5bda802e98b412e42fa62ff6240669e9ea4a858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-8922"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured"
}
GHSA-86XF-RV86-26V4
Vulnerability from github – Published: 2026-01-16 15:31 – Updated: 2026-01-16 15:31Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120.
{
"affected": [],
"aliases": [
"CVE-2025-14510"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T13:16:10Z",
"severity": "CRITICAL"
},
"details": "Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120.",
"id": "GHSA-86xf-rv86-26v4",
"modified": "2026-01-16T15:31:24Z",
"published": "2026-01-16T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14510"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8CGX-9CCJ-3GWR
Vulnerability from github – Published: 2025-05-30 15:30 – Updated: 2025-05-30 18:48Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.7.0-rc1"
},
{
"fixed": "10.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0-rc1"
},
{
"fixed": "10.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-rc1"
},
{
"fixed": "9.11.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250414095146-04676582cdd2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.6.0-rc1"
},
{
"fixed": "10.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2571"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-30T18:48:23Z",
"nvd_published_at": "2025-05-30T15:15:40Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.7.x \u003c= 10.7.0, 10.6.x \u003c= 10.6.2, 10.5.x \u003c= 10.5.3, 9.11.x \u003c= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.",
"id": "GHSA-8cgx-9ccj-3gwr",
"modified": "2025-05-30T18:48:23Z",
"published": "2025-05-30T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2571"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/04676582cdd26f4fdfa78fcf60a7f8745e6b27f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to clear Google OAuth credentials"
}
GHSA-8QW7-Q76P-7F4H
Vulnerability from github – Published: 2024-07-22 15:32 – Updated: 2024-07-22 15:32In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection
{
"affected": [],
"aliases": [
"CVE-2024-41829"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-22T15:15:05Z",
"severity": "LOW"
},
"details": "In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection",
"id": "GHSA-8qw7-q76p-7f4h",
"modified": "2024-07-22T15:32:42Z",
"published": "2024-07-22T15:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41829"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8WW9-XWC2-P9CC
Vulnerability from github – Published: 2024-11-09 18:30 – Updated: 2024-11-14 18:30Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail to protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within ~30 seconds
{
"affected": [],
"aliases": [
"CVE-2024-36250"
],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T18:15:14Z",
"severity": "LOW"
},
"details": "Mattermost versions 9.11.x \u003c= 9.11.2, and 9.5.x \u003c= 9.5.10 fail to\u00a0protect the mfa code against replay attacks, which allows an attacker to reuse the MFA code within\u00a0~30 seconds",
"id": "GHSA-8ww9-xwc2-p9cc",
"modified": "2024-11-14T18:30:33Z",
"published": "2024-11-09T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36250"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9238-XF4H-W28W
Vulnerability from github – Published: 2026-03-11 06:31 – Updated: 2026-05-07 18:30MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.
{
"affected": [],
"aliases": [
"CVE-2026-29515"
],
"database_specific": {
"cwe_ids": [
"CWE-303",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T04:17:37Z",
"severity": "CRITICAL"
},
"details": "MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.",
"id": "GHSA-9238-xf4h-w28w",
"modified": "2026-05-07T18:30:32Z",
"published": "2026-03-11T06:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29515"
},
{
"type": "WEB",
"url": "https://github.com/MiCode/FileExplorer"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/micode-fileexplorer-swiftp-server-authentication-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-90: Reflection Attack in Authentication Protocol
An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.