Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

900 vulnerabilities reference this CWE, most recent first.

GHSA-QPCC-RCR6-2CJ9

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-25T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.",
  "id": "GHSA-qpcc-rcr6-2cj9",
  "modified": "2022-05-13T01:33:36Z",
  "published": "2022-05-13T01:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19021"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106522"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRRF-XVCF-P64Q

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:45
VLAI
Summary
usememos/memos vulnerable Improper Restriction of Excessive Authentication Attempts
Details

In usememos/memos 0.9.0 and prior, an attacker can delete other users' posts via post id, which can be done via brute force.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T19:53:10Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In usememos/memos 0.9.0 and prior, an attacker can delete other users\u0027 posts via post id, which can be done via brute force.",
  "id": "GHSA-qrrf-xvcf-p64q",
  "modified": "2023-01-10T15:45:39Z",
  "published": "2022-12-28T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/5233f76f-016b-4c65-b019-2c5d27802a1b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos vulnerable Improper Restriction of Excessive Authentication Attempts "
}

GHSA-QVQX-7F9M-R2GQ

Vulnerability from github – Published: 2025-11-21 03:31 – Updated: 2025-12-23 03:30
VLAI
Details

EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-21T03:16:10Z",
    "severity": "CRITICAL"
  },
  "details": "EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user\u0027s password may be identified through a brute force attack.",
  "id": "GHSA-qvqx-7f9m-r2gq",
  "modified": "2025-12-23T03:30:18Z",
  "published": "2025-11-21T03:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64310"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU95021911"
    },
    {
      "type": "WEB",
      "url": "https://www.epson.co.uk/en_GB/faq/KA-02041/contents?loc=en-us"
    },
    {
      "type": "WEB",
      "url": "https://www.epson.jp/support/misc_t/251120_oshirase.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QW3C-Q5MW-R893

Vulnerability from github – Published: 2024-08-02 21:31 – Updated: 2024-08-07 18:30
VLAI
Details

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform a Password Brute Forcing attack due to improper restriction of excessive authentication attempts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-02T20:17:00Z",
    "severity": "HIGH"
  },
  "details": "An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform a Password Brute Forcing attack due to improper restriction of excessive authentication attempts.",
  "id": "GHSA-qw3c-q5mw-r893",
  "modified": "2024-08-07T18:30:41Z",
  "published": "2024-08-02T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38888"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/179892/Caterease-Software-SQL-Injection-Command-Injection-Bypass.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.273372"
    },
    {
      "type": "WEB",
      "url": "http://caterease.com"
    },
    {
      "type": "WEB",
      "url": "http://horizon.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWCH-JRH6-94WH

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31
VLAI
Details

An improper restriction of excessive authentication attempts vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4 all versions, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7, FortiAnalyzer Cloud 7.2.1 through 7.2.10, FortiAnalyzer Cloud 7.0.1 through 7.0.14, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4 all versions, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiManager Cloud 7.6.2 through 7.6.3, FortiManager Cloud 7.4.1 through 7.4.7, FortiManager Cloud 7.2.1 through 7.2.10, FortiManager Cloud 7.0.1 through 7.0.14, FortiManager Cloud 6.4 all versions may allow an attacker to bypass bruteforce protections via exploitation of race conditions. The latter raises the complexity of practical exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:18:12Z",
    "severity": "LOW"
  },
  "details": "An improper restriction of excessive authentication attempts vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4 all versions, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7, FortiAnalyzer Cloud 7.2.1 through 7.2.10, FortiAnalyzer Cloud 7.0.1 through 7.0.14, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4 all versions, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiManager Cloud 7.6.2 through 7.6.3, FortiManager Cloud 7.4.1 through 7.4.7, FortiManager Cloud 7.2.1 through 7.2.10, FortiManager Cloud 7.0.1 through 7.0.14, FortiManager Cloud 6.4 all versions may allow an attacker to bypass bruteforce protections via exploitation of race conditions. The latter raises the complexity of practical exploitation.",
  "id": "GHSA-qwch-jrh6-94wh",
  "modified": "2026-03-10T18:31:19Z",
  "published": "2026-03-10T18:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22629"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-079"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4C2-GQ3J-7RPJ

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-18 00:45
VLAI
Summary
Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vcx4-4qxg-mfp4. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T00:45:07Z",
    "nvd_published_at": "2026-04-09T22:16:31Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-vcx4-4qxg-mfp4. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.",
  "id": "GHSA-r4c2-gq3j-7rpj",
  "modified": "2026-04-18T00:45:07Z",
  "published": "2026-04-10T00:30:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35628"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret",
  "withdrawn": "2026-04-18T00:45:07Z"
}

GHSA-R4QC-5J5J-254J

Vulnerability from github – Published: 2022-05-17 02:58 – Updated: 2022-05-17 02:58
VLAI
Details

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. An attacker can freely use brute force to determine parameters needed to bypass authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-13T21:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series \u0026 NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.  An attacker can freely use brute force to determine parameters needed to bypass authentication.",
  "id": "GHSA-r4qc-5j5j-254j",
  "modified": "2022-05-17T02:58:46Z",
  "published": "2022-05-17T02:58:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9366"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/85965"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4V7-6WCG-GHJ5

Vulnerability from github – Published: 2026-06-25 18:18 – Updated: 2026-06-25 18:18
VLAI
Summary
FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks
Details

Summary

The /api/auth/login endpoint does not implement rate limiting, account lockout, or progressive backoff for repeated authentication failures. As a result, an attacker can perform unlimited login attempts against the endpoint. When combined with the username enumeration timing vulnerability, valid accounts can be identified and then brute-forced without restriction. The risk is further increased by a weak default password policy that only enforces a minimum length of five characters.

Details

The authentication endpoint /api/auth/login does not enforce any form of rate limiting, account lockout, or progressive backoff for repeated failed login attempts. Testing confirmed that the endpoint accepts an unlimited number of authentication attempts from the same client without delay or restriction.

This allows attackers to repeatedly attempt password guesses against valid usernames.

Secure authentication systems typically enforce request throttling, temporary account lockout, or progressive delays after repeated failed login attempts to mitigate brute-force attacks.

$ python rate-limit-probe.py
[*] Probing http://localhost/api/auth/login for rate limiting, lockout, and backoff behavior...
    Attempt  10: status=401, latency=0.0411s
    Attempt  20: status=401, latency=0.0411s
    Attempt  30: status=401, latency=0.0402s
    Attempt  40: status=401, latency=0.0420s
    Attempt  50: status=401, latency=0.0403s
    Attempt  60: status=401, latency=0.0423s
    Attempt  70: status=401, latency=0.0474s
    Attempt  80: status=401, latency=0.0417s
    Attempt  90: status=401, latency=0.0407s
    Attempt 100: status=401, latency=0.0407s

--- CONCRETE EVIDENCE ---
Attempts completed:        100
Total runtime:             4.17s
Average request rate:      23.98 req/sec
Unique status codes:       [401]
Average time (first 5):    0.0447s
Average time (last 5):     0.0408s
Latency delta:             -0.0038s
[RESULT] No HTTP 429 responses observed.
[RESULT] No progressive backoff detected: response timing remained effectively constant.

Additional Context

Password validation is implemented in backend/database/storage/bolt/user.go via checkPassword(), which only verifies that the supplied password length is greater than or equal to settings.Config.Auth.Methods.PasswordAuth.MinLength. In backend/common/settings/auth.go, the PasswordAuthConfig documents the default value of MinLength as 5. No additional complexity requirements, such as uppercase, lowercase, numeric, or special character checks, were identified in this code path.

PoC

The script below demonstrates the lack of rate limiting by performing a high volume automated authentication test. The script sends sequential login requests and monitors for HTTP 429 (Too Many Requests) status codes.

import requests
import time
import statistics

URL = "http://localhost/api/auth/login"
USERNAME = "admin"
PASSWORD = "wrong-password"
MAX_ATTEMPTS = 100
TIMEOUT = 10

latencies = []
statuses = []

print(f"[*] Probing {URL} for rate limiting, lockout, and backoff behavior...")

start_total = time.time()

for i in range(1, MAX_ATTEMPTS + 1):
    start = time.perf_counter()

    resp = requests.post(
        URL,
        params={"username": USERNAME, "recaptcha": ""},
        headers={"X-Password": PASSWORD},
        timeout=TIMEOUT
    )

    duration = time.perf_counter() - start
    latencies.append(duration)
    statuses.append(resp.status_code)

    if resp.status_code == 429:
        print(f"[!] Rate limit detected at attempt {i} (HTTP 429)")
        break

    if i % 10 == 0:
        print(f"    Attempt {i:3}: status={resp.status_code}, latency={duration:.4f}s")

end_total = time.time()
attempts_completed = len(latencies)

print("\n--- CONCRETE EVIDENCE ---")

first_five_avg = statistics.mean(latencies[:5]) if attempts_completed >= 5 else statistics.mean(latencies)
last_five_avg = statistics.mean(latencies[-5:]) if attempts_completed >= 5 else statistics.mean(latencies)
latency_delta = last_five_avg - first_five_avg

print(f"Attempts completed:        {attempts_completed}")
print(f"Total runtime:             {end_total - start_total:.2f}s")
print(f"Average request rate:      {attempts_completed / (end_total - start_total):.2f} req/sec")
print(f"Unique status codes:       {sorted(set(statuses))}")
print(f"Average time (first 5):    {first_five_avg:.4f}s")
print(f"Average time (last 5):     {last_five_avg:.4f}s")
print(f"Latency delta:             {latency_delta:+.4f}s")

if 429 not in statuses:
    print("[RESULT] No HTTP 429 responses observed.")

if abs(latency_delta) < 0.05:
    print("[RESULT] No progressive backoff detected: response timing remained effectively constant.")
else:
    print("[RESULT] Latency variation detected: investigate possible throttling or environmental noise.")

Impact

An attacker can perform unlimited authentication attempts against valid usernames. When combined with the username enumeration timing vulnerability, this enables targeted brute-force attacks against user accounts and increases the likelihood of credential compromise.

Please let me know if you need any additional information or clarification. I'm happy to assist with testing or validating a fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gtsteffaniak/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260522161427-fa5abc8c67f3a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:18:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `/api/auth/login` endpoint does not implement rate limiting, account lockout, or progressive backoff for repeated authentication failures. As a result, an attacker can perform unlimited login attempts against the endpoint. When combined with the username enumeration timing vulnerability, valid accounts can be identified and then brute-forced without restriction. The risk is further increased by a weak default password policy that only enforces a minimum length of five characters.\n\n\n### Details\nThe authentication endpoint `/api/auth/login` does not enforce any form of rate limiting, account lockout, or progressive backoff for repeated failed login attempts. Testing confirmed that the endpoint accepts an unlimited number of authentication attempts from the same client without delay or restriction.\n\nThis allows attackers to repeatedly attempt password guesses against valid usernames.\n\nSecure authentication systems typically enforce request throttling, temporary account lockout, or progressive delays after repeated failed login attempts to mitigate brute-force attacks.\n```\n$ python rate-limit-probe.py\n[*] Probing http://localhost/api/auth/login for rate limiting, lockout, and backoff behavior...\n    Attempt  10: status=401, latency=0.0411s\n    Attempt  20: status=401, latency=0.0411s\n    Attempt  30: status=401, latency=0.0402s\n    Attempt  40: status=401, latency=0.0420s\n    Attempt  50: status=401, latency=0.0403s\n    Attempt  60: status=401, latency=0.0423s\n    Attempt  70: status=401, latency=0.0474s\n    Attempt  80: status=401, latency=0.0417s\n    Attempt  90: status=401, latency=0.0407s\n    Attempt 100: status=401, latency=0.0407s\n\n--- CONCRETE EVIDENCE ---\nAttempts completed:        100\nTotal runtime:             4.17s\nAverage request rate:      23.98 req/sec\nUnique status codes:       [401]\nAverage time (first 5):    0.0447s\nAverage time (last 5):     0.0408s\nLatency delta:             -0.0038s\n[RESULT] No HTTP 429 responses observed.\n[RESULT] No progressive backoff detected: response timing remained effectively constant.\n```\n#### Additional Context\nPassword validation is implemented in `backend/database/storage/bolt/user.go` via `checkPassword()`, which only verifies that the supplied password length is greater than or equal to settings.Config.Auth.Methods.PasswordAuth.MinLength. In `backend/common/settings/auth.go`, the PasswordAuthConfig documents the default value of MinLength as 5. No additional complexity requirements, such as uppercase, lowercase, numeric, or special character checks, were identified in this code path.\n\n### PoC\nThe script below demonstrates the lack of rate limiting by performing a high volume automated authentication test.  The script sends sequential login requests and monitors for HTTP 429 (Too Many Requests) status codes. \n\n```\nimport requests\nimport time\nimport statistics\n\nURL = \"http://localhost/api/auth/login\"\nUSERNAME = \"admin\"\nPASSWORD = \"wrong-password\"\nMAX_ATTEMPTS = 100\nTIMEOUT = 10\n\nlatencies = []\nstatuses = []\n\nprint(f\"[*] Probing {URL} for rate limiting, lockout, and backoff behavior...\")\n\nstart_total = time.time()\n\nfor i in range(1, MAX_ATTEMPTS + 1):\n    start = time.perf_counter()\n\n    resp = requests.post(\n        URL,\n        params={\"username\": USERNAME, \"recaptcha\": \"\"},\n        headers={\"X-Password\": PASSWORD},\n        timeout=TIMEOUT\n    )\n\n    duration = time.perf_counter() - start\n    latencies.append(duration)\n    statuses.append(resp.status_code)\n\n    if resp.status_code == 429:\n        print(f\"[!] Rate limit detected at attempt {i} (HTTP 429)\")\n        break\n\n    if i % 10 == 0:\n        print(f\"    Attempt {i:3}: status={resp.status_code}, latency={duration:.4f}s\")\n\nend_total = time.time()\nattempts_completed = len(latencies)\n\nprint(\"\\n--- CONCRETE EVIDENCE ---\")\n\nfirst_five_avg = statistics.mean(latencies[:5]) if attempts_completed \u003e= 5 else statistics.mean(latencies)\nlast_five_avg = statistics.mean(latencies[-5:]) if attempts_completed \u003e= 5 else statistics.mean(latencies)\nlatency_delta = last_five_avg - first_five_avg\n\nprint(f\"Attempts completed:        {attempts_completed}\")\nprint(f\"Total runtime:             {end_total - start_total:.2f}s\")\nprint(f\"Average request rate:      {attempts_completed / (end_total - start_total):.2f} req/sec\")\nprint(f\"Unique status codes:       {sorted(set(statuses))}\")\nprint(f\"Average time (first 5):    {first_five_avg:.4f}s\")\nprint(f\"Average time (last 5):     {last_five_avg:.4f}s\")\nprint(f\"Latency delta:             {latency_delta:+.4f}s\")\n\nif 429 not in statuses:\n    print(\"[RESULT] No HTTP 429 responses observed.\")\n\nif abs(latency_delta) \u003c 0.05:\n    print(\"[RESULT] No progressive backoff detected: response timing remained effectively constant.\")\nelse:\n    print(\"[RESULT] Latency variation detected: investigate possible throttling or environmental noise.\")\n```                                  \n\n### Impact\nAn attacker can perform unlimited authentication attempts against valid usernames. When combined with the username enumeration timing vulnerability, this enables targeted brute-force attacks against user accounts and increases the likelihood of credential compromise.\n\n\n\nPlease let me know if you need any additional information or clarification.\nI\u0027m happy to assist with testing or validating a fix.",
  "id": "GHSA-r4v7-6wcg-ghj5",
  "modified": "2026-06-25T18:18:12Z",
  "published": "2026-06-25T18:18:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r4v7-6wcg-ghj5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/pull/2485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gtsteffaniak/filebrowser/commit/fa5abc8c67f3a66ce76e358a3c57981750c76a23"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gtsteffaniak/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks"
}

GHSA-R564-8356-Q3FH

Vulnerability from github – Published: 2025-06-12 15:31 – Updated: 2026-01-26 21:30
VLAI
Details

The FTP server’s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-12T15:15:39Z",
    "severity": "MODERATE"
  },
  "details": "The FTP server\u2019s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.",
  "id": "GHSA-r564-8356-q3fh",
  "modified": "2026-01-26T21:30:30Z",
  "published": "2025-06-12T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49195"
    },
    {
      "type": "WEB",
      "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R73W-7GWW-PR94

Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2026-06-01 15:30
VLAI
Details

Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T16:15:52Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4\ncould allow a remote attacker to brute-force user credentials.",
  "id": "GHSA-r73w-7gww-pr94",
  "modified": "2026-06-01T15:30:31Z",
  "published": "2023-07-10T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35697"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.