Common Weakness Enumeration

CWE-305

Allowed

Authentication Bypass by Primary Weakness

Abstraction: Base · Status: Draft

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

281 vulnerabilities reference this CWE, most recent first.

GHSA-75CM-X2W3-8MGF

Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-21 19:35
VLAI
Summary
MLflow: unauthenticated access to certain FastAPI routes
Details

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on /gateway/ routes, leaving other routes such as the Job API (/ajax-api/3.0/jobs/*) and the OpenTelemetry trace ingestion API (/v1/traces) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the _find_fastapi_validator() function fails to handle non-/gateway/ paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T19:35:52Z",
    "nvd_published_at": "2026-05-15T03:16:23Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.",
  "id": "GHSA-75cm-x2w3-8mgf",
  "modified": "2026-05-21T19:35:52Z",
  "published": "2026-05-15T03:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/bb62e773263c14e9ba4d1a82fe72d0de2442c6aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/5aeff5f0-49c7-4180-b5cb-c9a046f16756"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLflow: unauthenticated access to certain FastAPI routes"
}

GHSA-777H-HPFJ-X7HV

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-04 00:32
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A website may be able to access sensor information without user consent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T23:15:29Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A website may be able to access sensor information without user consent.",
  "id": "GHSA-777h-hpfj-x7hv",
  "modified": "2025-11-04T00:32:26Z",
  "published": "2025-04-01T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31192"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122371"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122379"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/2"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/4"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JC6-P5M2-4PFV

Vulnerability from github – Published: 2024-09-05 12:31 – Updated: 2024-09-05 12:31
VLAI
Details

This vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T11:15:12Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager.",
  "id": "GHSA-7jc6-p5m2-4pfv",
  "modified": "2024-09-05T12:31:16Z",
  "published": "2024-09-05T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5957"
    },
    {
      "type": "WEB",
      "url": "https://thrive.trellix.com/s/article/000013870"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PQ9-RF9P-WCRF

Vulnerability from github – Published: 2025-09-29 20:40 – Updated: 2025-10-23 20:32
VLAI
Summary
go-f3 Vulnerable to Cached Justification Verification Bypass
Details

Description

A vulnerability exists in go-f3's justification verification caching mechanism where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by: 1. First submitting a valid message with a correct justification 2. Then reusing the same cached justification in contexts where it would normally be invalid

This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it's being used with.

Impact

  • Potential consensus integrity issues through invalid justification acceptance
  • Could affect network liveness if exploited systematically
  • May allow malicious actors to influence consensus decisions with invalid justifications
  • Requires significant power (350+ TiB due to power table rounding) to meaningfully exploit
  • It would also be difficult to exploit in a synchronised fashion, such that >1/3 of the network goes down at one time. This isn't a one-msg panic, where you can spam it and bring everyone down, because every node will have a different amount of memory andmany SPs also run redundant lotus nodes.

Patches

The fix was merged and released with go-f3 0.8.9. All node software (Lotus, Forest, Venus) are using a patched version of go-f3 with their updates for the nv27 network upgrade.

Workarounds

The are no immediate workarounds available. Nodes should upgrade to the patched version, which they will have done if participating in nv27 on Filecoin mainnet.

Credits

The bug was reported by @lgprbs via our bug bounty program. Thank you for the contributions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filecoin-project/go-f3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-29T20:40:02Z",
    "nvd_published_at": "2025-09-29T23:15:32Z",
    "severity": "MODERATE"
  },
  "details": "### Description\nA vulnerability exists in go-f3\u0027s justification verification caching mechanism where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by:\n1. First submitting a valid message with a correct justification\n2. Then reusing the same cached justification in contexts where it would normally be invalid\n\nThis occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it\u0027s being used with.\n\n### Impact\n- Potential consensus integrity issues through invalid justification acceptance\n- Could affect network liveness if exploited systematically\n- May allow malicious actors to influence consensus decisions with invalid justifications\n- Requires significant power (350+ TiB due to power table rounding) to meaningfully exploit\n- It would also be difficult to exploit in a synchronised fashion, such that \u003e1/3 of the network goes down at one time.  This isn\u0027t a one-msg panic, where you can spam it and bring everyone down, because every node will have a different amount of memory andmany SPs also run redundant lotus nodes.  \n\n### Patches\nThe fix was merged and released with go-f3 0.8.9. All node software (Lotus, Forest, Venus) are using a patched version of go-f3 with their updates for the nv27 network upgrade.\n\n### Workarounds\nThe are no immediate workarounds available. Nodes should upgrade to the patched version, which they will have done if participating in nv27 on Filecoin mainnet.\n\n### Credits\nThe bug was reported by @lgprbs via our bug bounty program. Thank you for the contributions.",
  "id": "GHSA-7pq9-rf9p-wcrf",
  "modified": "2025-10-23T20:32:35Z",
  "published": "2025-09-29T20:40:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filecoin-project/go-f3"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-f3 Vulnerable to Cached Justification Verification Bypass"
}

GHSA-7Q8X-6CWC-CX3J

Vulnerability from github – Published: 2023-08-03 00:30 – Updated: 2024-04-04 06:30
VLAI
Details

ROC800-Series RTU devices are vulnerable to an authentication bypass, which could allow an attacker to gain unauthorized access to data or control of the device and cause a denial-of-service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-02T23:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "ROC800-Series RTU devices are vulnerable to an authentication bypass, which could allow an attacker to gain unauthorized access to data or control of the device and cause a denial-of-service condition.",
  "id": "GHSA-7q8x-6cwc-cx3j",
  "modified": "2024-04-04T06:30:06Z",
  "published": "2023-08-03T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1935"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-206-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WWR-H8CM-9JF7

Vulnerability from github – Published: 2025-02-10 21:31 – Updated: 2025-03-03 20:08
VLAI
Summary
Duplicate Advisory: Authentication Bypass by Spoofing in OPC UA .NET Standard Stack
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-4rcc-7pg7-f57f. This link is maintained to preserve external references.

Original Description

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OPCFoundation.NetStandard.Opc.Ua"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.374.158"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-10T22:57:35Z",
    "nvd_published_at": "2025-02-10T19:15:38Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4rcc-7pg7-f57f. This link is maintained to preserve external references.\n\n## Original Description\nVulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.",
  "id": "GHSA-7wwr-h8cm-9jf7",
  "modified": "2025-03-03T20:08:30Z",
  "published": "2025-02-10T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42513"
    },
    {
      "type": "WEB",
      "url": "https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42513.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OPCFoundation/UA-.NETStandard"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OPCFoundation/UA-.NETStandard/tree/1.5.374.158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Authentication Bypass by Spoofing in OPC UA .NET Standard Stack",
  "withdrawn": "2025-03-03T20:08:30Z"
}

GHSA-7XWP-2CPP-P8R7

Vulnerability from github – Published: 2025-07-16 14:09 – Updated: 2025-07-29 23:17
VLAI
Summary
File Browser’s insecure JWT handling can lead to session replay attacks after logout
Details

Summary

File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWE's listed in this report for further reference and system standards. In summary, the main issue is:

  • Tokens remain valid after logout (session replay attacks)

In this report, I used docker as the documentation instruct:

docker run \
    -v filebrowser_data:/srv \
    -v filebrowser_database:/database \
    -v filebrowser_config:/config \
    -p 8080:80 \
    filebrowser/filebrowser

Details

Issue: Tokens remain valid after logout (session replay attacks)

After logging in and receiving a JWT token, the user can explicitly "log out." However, this action does not invalidate the issued JWT. Any captured token can be replayed post-logout until it expires naturally. The backend does not track active sessions or invalidate existing tokens on logout. Login request:

POST /api/login HTTP/1.1
Host: machine.local:8090
Content-Length: 69

{"username":"admin","password":"password-here","recaptcha":""}

The check found in the code https://github.com/filebrowser/filebrowser/blob/master/http/auth.go is not enough. There is no server-side blacklist or token invalidation on logout. Token renewal and validity only depends on expiry and user store timestamps:

expired := !tk.VerifyExpiresAt(time.Now().Add(time.Hour), true)
updated := tk.IssuedAt != nil && tk.IssuedAt.Unix() < d.store.Users.LastUpdate(tk.User.ID)

PoC

Issue: Tokens remain valid after logout (session replay attacks)

  • Login and capture the generate JWT. Eg. the http request:
POST /api/login HTTP/1.1
Host: machine.local:8090
Content-Length: 69

{"username":"admin","password":"password-here","recaptcha":""}
  • Logout in the dashboard. And then try to use the old generated JWT to access any authenticated endpoint eg:
GET /api/resources HTTP/1.1
Host: machine.local:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
X-Auth: Old-JWT-token-here
Content-Length: 173
Accept: */*
Referer: http://machine.local:8090/files/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 26

Connection: keep-alive

Impact

  • A valid JWT remains active after user logout.
  • If stolen, tokens persist access indefinitely until expiry.
  • Violates OWASP Top 10 A2:2021 - Broken Authentication.

Recommendations

  • Read all CWE's attached in this report
  • Invalidate JWTs on logout via session store / token blacklist.
  • Reduce JWT ExpiresAt where possible or use short-lived + refresh tokens.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-384",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-16T14:09:28Z",
    "nvd_published_at": "2025-07-15T18:15:24Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nFile Browser\u2019s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWE\u0027s listed in this report for further reference and system standards. In summary, the main issue is:\n\n- Tokens remain valid after logout (session replay attacks)\n\nIn this report, I used docker as the documentation instruct:\n\n```\ndocker run \\\n    -v filebrowser_data:/srv \\\n    -v filebrowser_database:/database \\\n    -v filebrowser_config:/config \\\n    -p 8080:80 \\\n    filebrowser/filebrowser\n```\n\n### Details\n\n**Issue: Tokens remain valid after logout (session replay attacks)**\n\nAfter logging in and receiving a JWT token, the user can explicitly \"log out.\" However, this action does not invalidate the issued JWT. Any captured token can be replayed post-logout until it expires naturally. The backend does not track active sessions or invalidate existing tokens on logout. Login request:\n\n```\nPOST /api/login HTTP/1.1\nHost: machine.local:8090\nContent-Length: 69\n\n{\"username\":\"admin\",\"password\":\"password-here\",\"recaptcha\":\"\"}\n```\n\nThe check found in the code `https://github.com/filebrowser/filebrowser/blob/master/http/auth.go` is not enough. There is no server-side blacklist or token invalidation on logout. Token renewal and validity only depends on expiry and user store timestamps:\n\n```\nexpired := !tk.VerifyExpiresAt(time.Now().Add(time.Hour), true)\nupdated := tk.IssuedAt != nil \u0026\u0026 tk.IssuedAt.Unix() \u003c d.store.Users.LastUpdate(tk.User.ID)\n```\n\n### PoC\n\n**Issue: Tokens remain valid after logout (session replay attacks)**\n\n- Login and capture the generate JWT. Eg. the http request:\n\n```\nPOST /api/login HTTP/1.1\nHost: machine.local:8090\nContent-Length: 69\n\n{\"username\":\"admin\",\"password\":\"password-here\",\"recaptcha\":\"\"}\n```\n\n- Logout in the dashboard. And then try to use the old generated JWT to access any authenticated endpoint eg:\n\n```\nGET /api/resources HTTP/1.1\nHost: machine.local:8090\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\nX-Auth: Old-JWT-token-here\nContent-Length: 173\nAccept: */*\nReferer: http://machine.local:8090/files/\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-US,en;q=0.9\nContent-Length: 26\n\nConnection: keep-alive\n```\n\n### Impact\n\n- A valid JWT remains active after user logout.\n- If stolen, tokens persist access indefinitely until expiry.\n- Violates OWASP Top 10 A2:2021 - Broken Authentication.\n\n### Recommendations\n\n- Read all CWE\u0027s attached in this report\n- Invalidate JWTs on logout via session store / token blacklist.\n- Reduce JWT ExpiresAt where possible or use short-lived + refresh tokens.",
  "id": "GHSA-7xwp-2cpp-p8r7",
  "modified": "2025-07-29T23:17:56Z",
  "published": "2025-07-16T14:09:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53826"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/issues/5216"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "File Browser\u2019s insecure JWT handling can lead to session replay attacks after logout"
}

GHSA-8CR3-VPXX-92CX

Vulnerability from github – Published: 2026-03-05 21:30 – Updated: 2026-03-06 22:32
VLAI
Summary
Keycloak SAML Broken has Authentication Bypass by Primary Weakness
Details

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.

A fix is available at https://github.com/keycloak/keycloak/releases/tag/26.5.5.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-broker-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.1.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-3047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T22:32:21Z",
    "nvd_published_at": "2026-03-05T19:16:18Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single Sign-On (SSO) session. This allows a remote attacker to gain unauthorized access to other enabled clients without re-authentication, effectively bypassing security restrictions.\n\nA fix is available at https://github.com/keycloak/keycloak/releases/tag/26.5.5.",
  "id": "GHSA-8cr3-vpxx-92cx",
  "modified": "2026-03-06T22:32:21Z",
  "published": "2026-03-05T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3047"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3925"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3926"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3947"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3948"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-3047"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441966"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/releases/tag/26.5.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak SAML Broken has Authentication Bypass by Primary Weakness"
}

GHSA-8PP7-JPCF-F887

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06
VLAI
Details

SonicWall GMS and Analytics CAS Web Services application use static values for authentication without proper checks leading to authentication bypass vulnerability. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T03:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "SonicWall GMS and Analytics CAS Web Services application use static values for authentication without proper checks leading to authentication bypass vulnerability. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.\n\n",
  "id": "GHSA-8pp7-jpcf-f887",
  "modified": "2024-04-04T06:06:21Z",
  "published": "2023-07-13T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34137"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.sonicwall.com/support/notices/230710150218060"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8VCM-P6G6-XJQP

Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2024-10-16 18:31
VLAI
Details

A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to modify the configuration or reboot an affected device.

This vulnerability is due to the HTTP server allowing state changes in GET requests. An attacker could exploit this vulnerability by sending a malicious request to the web-based management interface on an affected device. A successful exploit could allow the attacker to make limited modifications to the configuration or reboot the device, resulting in a denial of service (DoS) condition. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-16T17:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to modify the configuration or reboot an affected device.\n\nThis vulnerability is due to the HTTP server allowing state changes in GET requests. An attacker could exploit this vulnerability by sending a malicious request to the web-based management interface on an affected device. A successful exploit could allow the attacker to make limited modifications to the configuration or reboot the device, resulting in a denial of service (DoS) condition.\u0026nbsp;",
  "id": "GHSA-8vcm-p6g6-xjqp",
  "modified": "2024-10-16T18:31:47Z",
  "published": "2024-10-16T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20463"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.