VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 84 of 121
  • CVE-2026-11718Jun 18, 2026
    risk 0.00cvss epss 0.00

    An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an…

  • CVE-2026-11717Jun 18, 2026
    risk 0.00cvss epss 0.00

    An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an…

  • CVE-2026-47718May 28, 2026
    risk 0.00cvss epss 0.00

    ### Summary When `secureEnabled=true`, FUXA `1.3.0-2773` still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. ### Details In secure mode, requests with no token or an explicitly invalid token were still able to access protected read…

  • CVE-2026-46715May 22, 2026
    risk 0.00cvss epss 0.00

    ### Summary Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth…

  • CVE-2026-33248Mar 25, 2026
    risk 0.00cvss epss 0.00

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns…

  • CVE-2026-33246Mar 25, 2026
    risk 0.00cvss epss 0.00

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user…

  • CVE-2026-33665Mar 25, 2026
    risk 0.00cvss epss 0.00

    n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated…

  • CVE-2026-33215Mar 24, 2026
    risk 0.00cvss epss 0.00

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and…

  • CVE-2026-33314Mar 24, 2026
    risk 0.00cvss epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the…

  • CVE-2026-33409Mar 24, 2026
    risk 0.00cvss epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication…

  • CVE-2026-33473Mar 24, 2026
    risk 0.00cvss epss 0.00

    Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.

  • CVE-2026-32879Mar 23, 2026
    risk 0.00cvss epss 0.00

    New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification…

  • CVE-2026-33716Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token…

  • CVE-2026-33512Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so…

  • CVE-2026-32064Mar 21, 2026
    risk 0.00cvss epss 0.01

    OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to…

  • CVE-2026-32305Mar 20, 2026
    risk 0.00cvss epss 0.00

    Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across…

  • CVE-2026-32025Mar 19, 2026
    risk 0.00cvss epss 0.00

    OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform…

  • CVE-2026-32815Mar 19, 2026
    risk 0.00cvss epss 0.00

    SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel…

  • CVE-2026-32730Mar 18, 2026
    risk 0.00cvss epss 0.00

    ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password…

  • CVE-2026-33042Mar 18, 2026
    risk 0.00cvss epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement.…