VYPR

CWE-288

Authentication Bypass Using an Alternate Path or Channel

Base · Incomplete

Description

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-127 · CAPEC-665

CVEs mapped to this weakness (336)

page 2 of 17
  • CVE-2026-40621 · Critical · May 13, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.

  • CVE-2026-40630 · Critical · Apr 24, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism…

  • CVE-2026-6771 · Critical · Apr 21, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2026-6768 · Critical · Apr 21, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-6760 · Critical · Apr 21, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-3461 · Critical · Apr 15, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the `express_pay_product_page_pay_for_order()` function logging users in based solely on a user-supplied billing email address…

  • CVE-2026-31271 · Critical · Apr 7, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing…

  • CVE-2026-30079 · Critical · Apr 7, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is…

  • CVE-2026-31151 · Critical · Apr 6, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.

  • CVE-2026-29139 · Critical · Apr 2, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password.

  • CVE-2026-27049 · Critical · Mar 25, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse. This issue affects Jobica Core: from n/a through <= 1.4.2.

  • CVE-2026-25035 · Critical · Mar 25, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse. This issue affects Contest Gallery: from n/a through <= 28.1.2.2.

  • CVE-2026-4700 · Critical · Mar 24, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

  • CVE-2026-27842 · Critical · Mar 11, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration.

  • CVE-2026-27389 · Critical · Mar 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Authentication Abuse. This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.1.

  • CVE-2026-2628 · Critical · Mar 3, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users,…

  • CVE-2026-2791 · Critical · Feb 24, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

  • CVE-2026-2784 · Critical · Feb 24, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

  • CVE-2026-2775 · Critical · Feb 24, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

  • CVE-2025-21589 · Critical · Jan 27, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device. This issue affects Session Smart Router: * from…