VYPR

CWE-290

Authentication Bypass by Spoofing

BaseIncomplete

Description

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-21 · CAPEC-22 · CAPEC-459 · CAPEC-461 · CAPEC-473 · CAPEC-476 · CAPEC-59 · CAPEC-60 · CAPEC-667 · CAPEC-94

CVEs mapped to this weakness (280)

page 11 of 14
  • CVE-2026-33621MedMar 26, 2026
    risk 0.24cvss 4.8epss 0.00

    PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints. In `v0.7.7` through `v0.8.3`, a fully implemented…

  • CVE-2025-66270MedDec 5, 2025
    risk 0.24cvss 4.7epss 0.00

    The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

  • CVE-2024-45453LowSep 23, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in Peter Hardy-vanDoorn Maintenance Redirect jf3-maintenance-mode.This issue affects Maintenance Redirect: from n/a through <= 2.0.1.

  • CVE-2024-43944LowAug 29, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in ilyasine Maintenance & Coming Soon Redirect Animation maintenance-coming-soon-redirect-animation allows Identity Spoofing.This issue affects Maintenance & Coming Soon Redirect Animation: from n/a through <= 2.3.3.

  • CVE-2023-49741LowJun 4, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in wpdevart Coming soon and Maintenance mode allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Coming soon and Maintenance mode: from n/a through 3.7.3.

  • CVE-2023-47769LowJun 4, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in WP Maintenance allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Maintenance: from n/a through 6.1.3.

  • CVE-2024-32708LowMay 17, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in helderk Maintenance Mode allows Functionality Bypass.This issue affects Maintenance Mode: from n/a through 3.0.1.

  • CVE-2024-30480LowMay 17, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in Pippin Williamson CGC Maintenance Mode allows Functionality Bypass.This issue affects CGC Maintenance Mode: from n/a through 1.2.

  • CVE-2024-22139LowMay 17, 2024
    risk 0.24cvss 3.7epss 0.00

    Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordPress Manutenção allows Functionality Bypass.This issue affects WordPress Manutenção: from n/a through 1.0.6.

  • CVE-2025-13015LowNov 11, 2025
    risk 0.22cvss 3.4epss 0.00

    Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.

  • CVE-2023-0657LowNov 17, 2024
    risk 0.22cvss 3.4epss 0.00

    A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

  • CVE-2026-39419LowApr 14, 2026
    risk 0.13cvss 3.1epss 0.00

    MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then…

  • CVE-2021-29441Apr 27, 2021
    risk 0.06cvss epss 0.75

    Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This…

  • CVE-2026-56357Jun 22, 2026
    risk 0.00cvss epss 0.00

    n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data,…

  • CVE-2026-54308Jun 16, 2026
    risk 0.00cvss epss 0.00

    ## Impact The `MicrosoftAgent365Trigger` and `StripeTrigger` node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. ## Patches…

  • CVE-2026-47381Jun 5, 2026
    risk 0.00cvss epss 0.00

    ### Summary A user in one workspace could exercise another workspace's integration through the `testConnection` endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. ### Details…

  • CVE-2026-48016Jun 4, 2026
    risk 0.00cvss epss 0.00

    ## Summary The Shopware Store API endpoint `/store-api/handle-payment` contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign…

  • CVE-2026-45056Jun 4, 2026
    risk 0.00cvss epss 0.00

    ### Impact The `matrix-sdk-crypto` crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the `sender_device_keys` property. This could be exploited to spoof the sender of an encrypted to-device message,…

  • CVE-2026-44476Jun 4, 2026
    risk 0.00cvss epss 0.00

    ### Impact The `DynamicClientRegistrationController#register` action hard-codes `confidential: false` when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises `token_endpoint_auth_methods_supported:…

  • CVE-2026-33223Mar 25, 2026
    risk 0.00cvss epss 0.00

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from…