CWE-290
Authentication Bypass by Spoofing
Base · Incomplete
Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-21 · CAPEC-22 · CAPEC-459 · CAPEC-461 · CAPEC-473 · CAPEC-476 · CAPEC-59 · CAPEC-60 · CAPEC-667 · CAPEC-94
CVEs mapped to this weakness (154)
page 5 of 8

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46356 | Medium | 0.45 | — | 0.00 | | May 14, 2026 | Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer. |
| CVE-2025-34065 | Medium | 0.45 | — | 0.00 | | Jul 1, 2025 | An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls. |
| CVE-2025-34053 | Medium | 0.45 | — | 0.00 | | Jul 1, 2025 | An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices’ streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints. |
| CVE-2025-22271 | Medium | 0.45 | — | 0.00 | | Feb 28, 2025 | The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Thus, the action logging mechanism in the application loses accountability. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer. |
| CVE-2026-44118 | High | 0.44 | 7.8 | 0.00 | | May 6, 2026 | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. |
| CVE-2026-32229 | Medium | 0.44 | 6.8 | 0.00 | | Mar 11, 2026 | In JetBrains Hub before 2026.1, an account mismatch on sign-in was possible with non-SSO auth and 2FA disabled. |
| CVE-2024-36557 | Medium | 0.43 | 6.6 | 0.00 | | Feb 6, 2025 | The device ID is based on IMEI in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. If a malicious user changes the IMEI to the IMEI of a unit they registered in the mobile app, it is possible to hijack the device and control it from the app. |
| CVE-2026-40460 | Medium | 0.42 | 6.5 | 0.00 | | May 13, 2026 | When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-7422 | Medium | 0.42 | 6.5 | 0.00 | | Apr 29, 2026 | Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available. |
| CVE-2026-4728 | Medium | 0.42 | 6.5 | 0.00 | | Mar 24, 2026 | Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. |
| CVE-2025-10530 | Medium | 0.42 | 6.5 | 0.00 | | Sep 16, 2025 | Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 143 and Thunderbird 143. |
| CVE-2025-50454 | Medium | 0.42 | 6.5 | 0.00 | | Aug 5, 2025 | An Authentication Bypass vulnerability in Blue Access' Cobalt X1 thru 02.000.187 allows an unauthorized attacker to log into the application as an administrator without valid credentials. |
| CVE-2025-49004 | High | 0.42 | 7.5 | 0.01 | | Jun 9, 2025 | Caido is a web security auditing toolkit. Prior to version 0.48.0, due to the lack of protection for DNS rebinding, Caido can be loaded on an attacker-controlled domain. This allows a malicious website to hijack the authentication flow of Caido and achieve code execution. A malicious website loaded in the browser can hijack the locally running Caido instance and achieve remote command execution during the initial setup. Even if the Caido instance is already configured, an attacker can initiate the authentication flow by performing DNS rebinding. In this case, the victim needs to authorize the request on dashboard.caido.io. Users should upgrade to version 0.48.0 to receive a patch. |
| CVE-2025-30110 | Medium | 0.42 | 6.5 | 0.00 | | Mar 18, 2025 | On IROAD X5 devices, a Bypass of Device Pairing can occur via MAC Address Spoofing. The dashcam's pairing mechanism relies solely on MAC address verification, allowing an attacker to bypass authentication by spoofing an already-paired MAC address that can be captured via an ARP scan. |
| CVE-2024-39337 | Medium | 0.42 | 6.5 | 0.00 | | Jun 24, 2024 | Click Studios Passwordstate Core before 9.8 build 9858 allows Authentication Bypass. |
| CVE-2024-36588 | Medium | 0.42 | 6.5 | 0.00 | | Jun 13, 2024 | An issue in Annonshop.app DecentralizeJustice/anonymousLocker commit 2b2b4 allows attackers to send messages erroneously attributed to arbitrary users via a crafted HTTP request. |
| CVE-2017-12096 | Medium | 0.42 | 6.5 | 0.00 | | Nov 7, 2017 | An exploitable vulnerability exists in the WiFi management of Circle with Disney. A crafted Access Point with the same name as the legitimate one can be used to make Circle connect to an untrusted network. An attacker needs to setup an Access Point reachable by the device and to send a series of spoofed "deauth" packets to trigger this vulnerability. |
| CVE-2026-6762 | Medium | 0.41 | 6.3 | 0.00 | | Apr 21, 2026 | Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. |
| CVE-2024-38807 | Medium | 0.41 | 6.3 | 0.00 | | Aug 23, 2024 | Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another. |
| CVE-2024-31802 | Medium | 0.41 | 6.3 | 0.00 | | Jun 27, 2024 | DESIGNA ABACUS v.18 and before allows an attacker to bypass the payment process via a crafted QR code. |
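Several rows above (CVE-2026-46356, CVE-2025-22271, CVE-2026-40460) share one root cause: the server keys rate limiting, bans or audit logs on a client IP taken from a header the client itself can set. The added Go example below is not Fleet's code or any vendor's; it models the weak pattern as `naiveClientIP` and places a hardened `trustedClientIP` beside it that only honours `X-Forwarded-For` when the TCP peer is a trusted reverse proxy, and then walks the list from the right so the attacker-controlled leftmost entries are never used. The proxy address `10.0.0.5`, the attacker address `203.0.113.7` and the rotated `198.51.100.x` values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// forwardedHeaders are the headers the weak extractor consults, in the order
// the CVE-2026-46356 text lists them.
var forwardedHeaders = []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"}

// remoteHost returns the IP part of r.RemoteAddr ("203.0.113.7:51234" -> "203.0.113.7").
func remoteHost(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr // no port present (e.g. a hand-built request)
	}
	return host
}

// naiveClientIP models the weak pattern: whichever forwarded header the client
// sent wins, with no check that a trusted proxy set it. Each spoofed value
// therefore lands in its own rate-limit bucket.
func naiveClientIP(r *http.Request) string {
	for _, h := range forwardedHeaders {
		if v := strings.TrimSpace(r.Header.Get(h)); v != "" {
			first := strings.TrimSpace(strings.Split(v, ",")[0]) // leftmost hop
			if net.ParseIP(first) != nil {
				return first
			}
		}
	}
	return remoteHost(r)
}

// isTrusted reports whether ip falls inside one of the trusted proxy ranges.
func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// trustedClientIP ignores forwarded headers unless the TCP peer is a trusted
// proxy. When it is, X-Forwarded-For is walked from the right (the end the
// proxy appended to), skipping trusted hops; the first untrusted hop is the
// client. A malformed hop stops the walk and the request is keyed on the
// peer, which fails closed into a shared bucket rather than a fresh one.
func trustedClientIP(r *http.Request, trusted []*net.IPNet) string {
	peer := net.ParseIP(remoteHost(r))
	if peer == nil || !isTrusted(peer, trusted) {
		return remoteHost(r) // direct client: every header is attacker-controlled
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return remoteHost(r)
}

// distinctKeys counts how many rate-limit buckets a batch of requests lands in
// under a given extractor.
func distinctKeys(reqs []*http.Request, extract func(*http.Request) string) int {
	seen := map[string]bool{}
	for _, r := range reqs {
		seen[extract(r)] = true
	}
	return len(seen)
}

// attackerRequests builds constructed sample traffic: one TCP peer
// (203.0.113.7, assumed) sending n login attempts, rotating the spoofed
// X-Forwarded-For value on every request.
func attackerRequests(n int) []*http.Request {
	var reqs []*http.Request
	for i := 0; i < n; i++ {
		r, _ := http.NewRequest("POST", "/api/login", nil)
		r.RemoteAddr = "203.0.113.7:51234"
		r.Header.Set("X-Forwarded-For", fmt.Sprintf("198.51.100.%d", i+1))
		reqs = append(reqs, r)
	}
	return reqs
}

func main() {
	_, proxyNet, _ := net.ParseCIDR("10.0.0.5/32") // assumed: the only trusted reverse proxy
	trusted := []*net.IPNet{proxyNet}
	reqs := attackerRequests(5)
	fmt.Println("naive buckets:", distinctKeys(reqs, naiveClientIP))
	fmt.Println("trusted-proxy buckets:", distinctKeys(reqs, func(r *http.Request) string {
		return trustedClientIP(r, trusted)
	}))
}
```

Five attempts from one peer give the naive extractor five buckets and the hardened one a single bucket, so the per-IP limit actually bites. The trusted list must name the proxy's real egress addresses, not a broad private range, and the proxy itself must overwrite rather than append the header it receives from the internet, otherwise the leftmost spoofed value survives to the application.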
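CVE-2025-34065 and CVE-2025-34053 describe the other recurring shape on this page: an authentication exemption decided by a substring test (`strstr()`) on the raw request URL, so the exempt token can be smuggled in a query string or a traversal segment. The added Go example below is not AVTECH's code; `strings.Contains` stands in for `strstr()`, and the hardened `exemptStrict` decides only on the parsed, canonicalised path. The exempt prefix `/nobody` and extension `.cab` come from the CVE text; the sample request targets are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// exemptNaive reproduces the weak check: strings.Contains plays the role of
// strstr(), so any target carrying "/nobody" or ".cab" anywhere (path, query,
// or a segment that "..", later removes) skips authentication.
func exemptNaive(target string) bool {
	return strings.Contains(target, "/nobody") || strings.Contains(target, ".cab")
}

// exemptStrict decides on the canonical path only. The query string and
// fragment are discarded by url.Parse, and path.Clean collapses "..", "." and
// repeated slashes, so the matched path is the one the handler will serve.
func exemptStrict(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false // unparseable target: fail closed, require auth
	}
	p := path.Clean("/" + u.Path)
	if p == "/nobody" || strings.HasPrefix(p, "/nobody/") {
		return true
	}
	return path.Ext(p) == ".cab"
}

// samples are constructed request targets for the demonstration; the first
// two are legitimately exempt, the rest try to reach a protected CGI.
var samples = []string{
	"/nobody/login.htm",
	"/downloads/update.cab",
	"/cgi-bin/admin.cgi?x=/nobody",
	"/nobody/../cgi-bin/admin.cgi",
	"/cgi-bin/admin.cgi?file=x.cab",
	"/cgi-bin/admin.cgi",
}

// bypasses returns the targets that the naive check exempts but the strict
// check does not, i.e. the authentication bypasses the substring test allows.
func bypasses(targets []string) []string {
	var out []string
	for _, t := range targets {
		if exemptNaive(t) && !exemptStrict(t) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	for _, t := range samples {
		fmt.Printf("%-32s naive=%-5v strict=%v\n", t, exemptNaive(t), exemptStrict(t))
	}
	fmt.Println("bypasses:", bypasses(samples))
}
```

Three of the six targets pass the naive check while addressing the protected handler. Even the strict form is still a deny-list of exceptions; the stronger design is to allow-list the exact unauthenticated resources and require authentication for everything else, so a new unprotected route never appears by accident.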