Auth Bypass
91 entries
Every Auth Bypass entry VulnWatch has indexed, sorted by publication date.
Subscribe to this tag's RSS feed
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
## Summary A command injection vulnerability exists in `@cyclonedx/cyclonedx-npm` when the CLI is invoked with the `--workspace ` option while the environment variable `npm_execpath` is unset or empty...
AgenticMail: Cross-agent task authorization bypass in AgenticMail API
## Summary A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to `GET /api/agenticmail/tasks/pending?assignee=`. T...
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation
## Summary The `multiedit` tool in `src/praisonai/praisonai/tools/multiedit.py` allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected...
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
## Summary The published npm package `praisonai` exports an `MCPSecurity` helper described in source as: ```text MCP Security - Authentication, authorization, and rate limiting Provides security pol...
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
# Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands ## Summary PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host...
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
# PraisonAI `AgentTeam.launch()` exposes unauthenticated remote agent invocation endpoints ## Summary PraisonAI's documented Python `AgentTeam.launch()` / `Agents.launch()` HTTP server starts extern...
Docker MCP Gateway: Argument injection via OCI image label YAML
## Summary A maliciously crafted OCI image label can inject arbitrary arguments into the `docker run` command line constructed by the MCP Gateway. An attacker who controls an image that the victim re...
Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
## Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied `url_idx` path parameter and use it as a raw index into the admin-configured `OLLAMA_BASE_URLS` list. Access co...
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
## Summary Open WebUI has a Broken Object Level Authorization (BOLA) vulnerability in the builtin `search_knowledge_files` tool. When native function calling is enabled and the selected model has no...
LiteLLM: Authentication Bypass via Host Header Injection
### Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route f...
Caddy: Windows `file_server` path authorization bypass via encoded backslash
### Summary On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk. An unauthen...
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
### Summary The Docker API server let a request control where LLM calls were sent and which environment variable an LLM token resolved from. Both could be abused to exfiltrate server-held secrets. Th...
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
### Summary Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript executio...
vLLM: OpenAI auth bypass
### Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API `AuthenticationMiddleware`, which was discovered during @...
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
### Summary An `assert`-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious Hugg...
CVE-2026-11624: The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming conne
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had...
CVE-2026-47138: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-kno...
CVE-2026-47250: mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directl...
CVE-2026-46519: mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS...
CVE-2025-54509: Improper access control for register interface in the input-output memory management unit (IOMMU) could allow a privileg
Improper access control for register interface in the input-output memory management unit (IOMMU) could allow a privileged attacker to cause non-coherent accesses by the AMD secure processor (ASP) pot...
CVE-2026-11500: A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the f
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Ke...
MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
### Summary The `kubectl_generic` tool in `mcp-server-kubernetes` passes user-supplied flags directly to kubectl without any allowlist, enabling a **privilege escalation attack** within Kubernetes env...
praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}
## Summary **Type:** Authorization bypass enabling workspace metadata + settings tampering. The `PATCH /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (...
@agenticmail/mcp Missing Authentication for Critical Function
# AgenticMail MCP HTTP authorization bypass ## Summary `@agenticmail/mcp` exposes a Streamable HTTP transport when started with `--http` or `MCP_HTTP=1`. In that mode, the `/mcp` endpoint accepts re...
nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`
### Summary The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket. T...