CWE-305
AllowedAuthentication Bypass by Primary Weakness
Abstraction: Base · Status: Draft
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
281 vulnerabilities reference this CWE, most recent first.
GHSA-45J5-GMRP-65WR
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2026-05-18 15:30A vulnerability in MEPSAN's USC+ before version 3.0 has a weakness in login function which lets attackers to generate high privileged accounts passwords.
{
"affected": [],
"aliases": [
"CVE-2021-45031"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in MEPSAN\u0027s USC+ before version 3.0 has a weakness in login function which lets attackers to generate high privileged accounts passwords.",
"id": "GHSA-45j5-gmrp-65wr",
"modified": "2026-05-18T15:30:31Z",
"published": "2022-03-31T00:00:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45031"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-22-0269"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-22-0269"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-485M-923F-95WX
Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2025-10-22 00:33VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
{
"affected": [],
"aliases": [
"CVE-2024-37085"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T15:15:12Z",
"severity": "MODERATE"
},
"details": "VMware ESXi contains an authentication bypass vulnerability.\u00a0A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group (\u0027ESXi Admins\u0027 by default) after it was deleted from AD.",
"id": "GHSA-485m-923f-95wx",
"modified": "2025-10-22T00:33:03Z",
"published": "2024-06-25T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37085"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37085"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4979-4XQF-M5VX
Vulnerability from github – Published: 2025-01-02 12:32 – Updated: 2026-04-28 21:35Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass.This issue affects YOP Poll: from n/a through 6.5.28.
{
"affected": [],
"aliases": [
"CVE-2023-46611"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T12:15:12Z",
"severity": "MODERATE"
},
"details": "Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass.This issue affects YOP Poll: from n/a through 6.5.28.",
"id": "GHSA-4979-4xqf-m5vx",
"modified": "2026-04-28T21:35:29Z",
"published": "2025-01-02T12:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46611"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/yop-poll/vulnerability/wordpress-yop-poll-plugin-6-5-28-vote-manipulation-due-to-broken-captcha-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4F9F-MPMJ-4C52
Vulnerability from github – Published: 2023-03-30 21:30 – Updated: 2024-03-27 15:30An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
{
"affected": [],
"aliases": [
"CVE-2023-27536"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-30T20:15:00Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability exists libcurl \u003c8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.",
"id": "GHSA-4f9f-mpmj-4c52",
"modified": "2024-03-27T15:30:36Z",
"published": "2023-03-30T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27536"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1895135"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-12"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230420-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4MQ7-PVJG-XP2R
Vulnerability from github – Published: 2026-03-20 20:51 – Updated: 2026-03-27 20:59Description
Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2_introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server.
Preconditions
Ory Oathkeeper has to be configured with multiple oauth2_introspection authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers.
Mitigation
Ory Oathkeeper now includes the introspection server URL in the cache key, preventing confusion of tokens.
Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for oauth2_introspection authenticators.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ory/oathkeeper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.40.10-0.20260320084801-198a2bc82a99"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33496"
],
"database_specific": {
"cwe_ids": [
"CWE-1289",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:51:07Z",
"nvd_published_at": "2026-03-26T18:16:30Z",
"severity": "HIGH"
},
"details": "## Description\n\nOry Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server.\n\n## Preconditions\n\nOry Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be [configured to use caching](https://www.ory.com/docs/oathkeeper/pipeline/authn#oauth2_introspection-configuration). An attacker has to have a way to gain a valid token for one of the configured introspection servers.\n\n## Mitigation\n\nOry Oathkeeper now includes the introspection server URL in the cache key, preventing confusion of tokens.\n\nUpdate to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.",
"id": "GHSA-4mq7-pvjg-xp2r",
"modified": "2026-03-27T20:59:10Z",
"published": "2026-03-20T20:51:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-4mq7-pvjg-xp2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33496"
},
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/commit/198a2bc82a99e0a77bd0ffe290cbdd5285a1b17c"
},
{
"type": "PACKAGE",
"url": "https://github.com/ory/oathkeeper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ory Oathkeeper has an authentication bypass by cache key confusion"
}
GHSA-4QRV-GCG3-8H65
Vulnerability from github – Published: 2025-12-19 18:31 – Updated: 2025-12-19 18:31Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances
{
"affected": [],
"aliases": [
"CVE-2024-49587"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-19T17:15:50Z",
"severity": "CRITICAL"
},
"details": "Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances",
"id": "GHSA-4qrv-gcg3-8h65",
"modified": "2025-12-19T18:31:18Z",
"published": "2025-12-19T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49587"
},
{
"type": "WEB",
"url": "https://palantir.safebase.us/?tcuUid=95e2d805-dd2f-4544-b164-e61100f47b11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4RCC-7PG7-F57F
Vulnerability from github – Published: 2025-03-03 20:09 – Updated: 2025-03-03 20:09This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "OPCFoundation.NetStandard.Opc.Ua.Bindings.Https"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.374.158"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-42513"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T20:09:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.",
"id": "GHSA-4rcc-7pg7-f57f",
"modified": "2025-03-03T20:09:55Z",
"published": "2025-03-03T20:09:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OPCFoundation/UA-.NETStandard/security/advisories/GHSA-4rcc-7pg7-f57f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42513"
},
{
"type": "WEB",
"url": "https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42513.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/OPCFoundation/UA-.NETStandard"
},
{
"type": "WEB",
"url": "https://github.com/OPCFoundation/UA-.NETStandard/tree/1.5.374.158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Security Update for the OPC UA .NET Standard Stack"
}
GHSA-4V7J-4MVR-5975
Vulnerability from github – Published: 2026-07-13 09:31 – Updated: 2026-07-13 09:31Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680
{
"affected": [],
"aliases": [
"CVE-2026-9571"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T09:16:25Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token grant endpoint.. Mattermost Advisory ID: MMSA-2026-00680",
"id": "GHSA-4v7j-4mvr-5975",
"modified": "2026-07-13T09:31:43Z",
"published": "2026-07-13T09:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9571"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V8W-GG5J-PH37
Vulnerability from github – Published: 2025-11-03 17:07 – Updated: 2026-03-06 00:14Due to an incorrect use of loose (==) instead of strict (===) comparison in the authentication code, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.
Impact
On MantisBT instances configured to use the MD5 login method, user accounts having a password hash evaluating to zero (i.e. matching regex ^0+[Ee][0-9]+$) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for example comito5 (0e579603064547166083907005281618).
No password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack.
Patches
- https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2
Workarounds
Check the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL:
SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'
References
- https://mantisbt.org/bugs/view.php?id=35967
Credits
Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.27.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47776"
],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-03T17:07:36Z",
"nvd_published_at": "2025-11-04T21:15:37Z",
"severity": "HIGH"
},
"details": "Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.\n\n[1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782\n\n### Impact\nOn MantisBT instances configured to use the *MD5* login method, user accounts having a password hash evaluating to zero (i.e. matching regex `^0+[Ee][0-9]+$`) are vulnerable, allowing an attacker knowing the victim\u0027s username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for example `comito5` (0e579603064547166083907005281618). \n\nNo password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack.\n\n### Patches\n* https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2\n\n### Workarounds\nCheck the database for vulnerable accounts, and change those users\u0027 passwords, e.g. for MySQL:\n```sql\nSELECT username, email FROM mantis_user_table WHERE password REGEXP \u0027^0+[Ee][0-9]+$\u0027\n```\n\n### References\n- https://mantisbt.org/bugs/view.php?id=35967\n\n### Credits\nThanks to Harry Sintonen / Reversec for discovering and reporting the issue.",
"id": "GHSA-4v8w-gg5j-ph37",
"modified": "2026-03-06T00:14:39Z",
"published": "2025-11-03T17:07:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47776"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=35967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling"
}
GHSA-537F-GXGM-3JJQ
Vulnerability from github – Published: 2025-05-13 21:34 – Updated: 2025-05-13 21:34Impact
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.
Patches
Upgrade to v0.10.0 or greater. This vulnerability is not present in versions of OpenPubkey after v0.9.0.
References
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openpubkey/openpubkey"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3757"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-13T21:34:03Z",
"nvd_published_at": "2025-05-13T17:16:04Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nVersions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.\n\n### Patches\n\nUpgrade to v0.10.0 or greater. This vulnerability is not present in versions of OpenPubkey after v0.9.0. \n\n### References\n\n[CVE-2025-3757 ](https://www.cve.org/CVERecord?id=CVE-2025-3757)",
"id": "GHSA-537f-gxgm-3jjq",
"modified": "2025-05-13T21:34:03Z",
"published": "2025-05-13T21:34:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3757"
},
{
"type": "PACKAGE",
"url": "https://github.com/openpubkey/openpubkey"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "OpenPubkey Vulnerable to Authentication Bypass"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.