Auth Bypass
91 entries
Every Auth Bypass entry VulnWatch has indexed, sorted by publication date.
Subscribe to this tag's RSS feed
Parse Server: Pre-authentication denial of service via client version header regex backtracking
### Impact An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynom...
CVE-2026-47101: LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored witho...
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
## Summary `mcp-server-kubernetes` exposes three environment variables (`ALLOW_ONLY_READONLY_TOOLS`, `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`, `ALLOWED_TOOLS`) documented as access controls for restricting...
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
## Summary GHSA-mhc8-p3jx-84mm (CVE-2026-43948) reported that wger's `reset_user_password` and `gym_permissions_user_edit` views in `wger/gym/views/user.py` performed a gym-scope authorization check...
CVE-2026-24207: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A succes
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of p...
CVE-2026-24206: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A succes
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denia...
Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
## AI Disclosure I used an LLM to help review the source code, reason about attack surface, and help draft and refine this report. I manually validated the finding by reproducing it locally, conf...
Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
This report is not about a normal textual prefix-expansion case. The issue here is that the authorization layer and the `/config` traversal layer do **not agree on what object the path refers to**....
CVE-2026-41949: Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document acro...
CVE-2026-41947: Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to s
Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant owne...
CVE-2026-45365: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an i
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions...
CVE-2026-44556: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwa...
CVE-2026-44555: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g.,...
MLflow: unauthenticated access to certain FastAPI routes
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and...
CVE-2026-2652: A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and...
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
### Summary The tool update endpoint (`POST /api/v1/tools/id/{id}/update`) is missing the `workspace.tools` permission check that is present on the tool create endpoint. This allows a user who has be...
Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]
### Summary An internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user t...
Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
### Summary Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from `/api/v1/messages`, requests using the `Authorization: Bearer sk-...` he...
CVE-2026-42463: SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cr
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass v...
CVE-2026-44470: The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows...
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
## Summary If you have the MCP Server ID, you can connect to the MCP server even if you don't have permissions to the server. The MCP gateway endpoint `/mcp-connect/{mcp_id}` does not enforce Access...
CVE-2026-41614: Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVE-2026-41100: Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
### Impact The CloudNativePG metrics exporter opens its PostgreSQL connection as the `postgres` superuser via the pod-local Unix socket, then demotes the session with `SET ROLE pg_monitor`. `SET ROLE...
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
### Summary PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access `/agents` and trigger the configured `a...