VYPR

CWE-294

Authentication Bypass by Capture-replay

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

A capture-replay flaw exists when the product's design lets an attacker who can observe the authentication exchange (network traffic, a radio link, an email link) bypass authentication by re-sending a previously captured message to the server, either verbatim or with minor changes, and obtain the same effect as the original message.

Capture-replay attacks are common and hard to defeat without cryptographic freshness: the client's proof must be bound to something the server generated for that exchange alone (a random nonce, a challenge, or a tightly bounded timestamp), and the server must refuse to honour the same value twice. Confidentiality alone does not help, since an encrypted message can be replayed without being understood, as the BLE lock entry below shows. Capture-replay attacks are a subset of network injection attacks: the attacker records valid commands that were sent earlier, alters them slightly if necessary, and resends them to the server.
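As an added illustration (not text or code from CWE or from any product listed on this page), the following Python sketch plays both client and server in one process and contrasts a replayable static-proof login with a challenge-response exchange that consumes each nonce on first use. The shared secret, usernames and the 30-second nonce lifetime are constructed values.

```python
import hashlib
import hmac
import os
import time

# Constructed secret provisioned out-of-band between client and server.
# Hypothetical value for this example only.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


class StaticTokenServer:
    """Vulnerable pattern: the client proves identity with a fixed MAC over
    its username. Every login message is byte-identical, so a copy captured
    on the wire can be replayed verbatim (CWE-294)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def login(self, username: str, proof: bytes) -> bool:
        expected = hmac.new(self.secret, username.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def static_proof(secret: bytes, username: str) -> bytes:
    """What the client sends to StaticTokenServer: the same bytes every time."""
    return hmac.new(secret, username.encode(), hashlib.sha256).digest()


class ChallengeResponseServer:
    """Hardened pattern: the server issues a fresh random nonce per attempt,
    the client MACs (username || nonce), and the server consumes the nonce
    on first use so the same response can never be accepted twice."""

    NONCE_TTL_SECONDS = 30

    def __init__(self, secret: bytes, now=time.monotonic):
        self.secret = secret
        self.now = now            # injectable clock, used by the tests
        self.pending = {}         # nonce -> (username, issued_at)

    def challenge(self, username: str) -> bytes:
        # Unpredictable per attempt. A hardcoded or counter-based nonce
        # would make the response replayable or precomputable.
        nonce = os.urandom(16)
        self.pending[nonce] = (username, self.now())
        return nonce

    def login(self, username: str, nonce: bytes, proof: bytes) -> bool:
        # pop() makes "check that it is unused" and "mark it used" one
        # operation, so two concurrent requests cannot both pass.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False      # unknown or already-consumed nonce: replay or forgery
        issued_for, issued_at = entry
        if issued_for != username or self.now() - issued_at > self.NONCE_TTL_SECONDS:
            return False      # bound to the wrong identity, or stale
        expected = hmac.new(self.secret, username.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def response_proof(secret: bytes, username: str, nonce: bytes) -> bytes:
    """What an honest client sends in reply to a challenge."""
    return hmac.new(secret, username.encode() + nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Replay one captured login message against both server designs."""
    results = {}

    vuln = StaticTokenServer(SHARED_SECRET)
    captured = ("alice", static_proof(SHARED_SECRET, "alice"))   # sniffed once
    results["static_first"] = vuln.login(*captured)
    results["static_replay"] = vuln.login(*captured)             # accepted again

    hard = ChallengeResponseServer(SHARED_SECRET)
    nonce = hard.challenge("alice")
    captured = ("alice", nonce, response_proof(SHARED_SECRET, "alice", nonce))
    results["cr_first"] = hard.login(*captured)
    results["cr_replay"] = hard.login(*captured)                 # nonce consumed
    fresh = hard.challenge("alice")                              # attacker gets a new challenge
    results["cr_old_proof_new_nonce"] = hard.login("alice", fresh, captured[2])
    return results


if __name__ == "__main__":
    print(demo())
```

The dict `pop` is only atomic within one process; when nonces or one-time assertions live in a shared store, the check-and-consume must be a single conditional write there as well, which is exactly the gap behind the non-atomic `Used` flag in CVE-2026-45720 below. The TTL matters for the same reason: without it the server must remember consumed nonces forever.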

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94

CVEs mapped to this weakness (89)

page 3 of 5
  • CVE-2026-45720 · High · Jun 5, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ## Summary `SAML.getSession` (`internal/pkg/auth/interceptor/saml.go`) checks the `Used` flag on a `SAMLAssertion` resource and then marks it used in two separate state operations. Because the check and the update are not atomic, concurrent requests carrying the same…

  • CVE-2026-46538 · Medium · May 27, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that…

  • CVE-2026-37982 · Medium · May 19, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own…

  • CVE-2026-27855 · Medium · Mar 27, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as…

  • CVE-2025-6533 · Medium · Jun 24, 2025
    risk 0.36 · cvss 5.6 · epss 0.00

    A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA…

  • CVE-2026-35618 · Medium · Apr 9, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of…

  • CVE-2018-16242 · Medium · Sep 14, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    oBike relies on Hangzhou Luoping Smart Locker to lock bicycles, which allows attackers to bypass the locking mechanism by using Bluetooth Low Energy (BLE) to replay ciphertext based on a predictable nonce used in the locking protocol.

  • CVE-2018-14781 · Medium · Aug 13, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller…

  • CVE-2026-6420 · Medium · May 6, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation…

  • CVE-2026-24027 · Medium · Feb 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Crafted zones can lead to increased incoming network traffic.

  • CVE-2026-4583 · Medium · Mar 23, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    A vulnerability was detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this issue is some unknown functionality of the component Bluetooth Handler. Performing a manipulation results in authentication bypass by capture-replay. The attack must originate from the…

  • CVE-2026-49322 · Medium · May 29, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN…

  • CVE-2026-7168 · Medium · May 13, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:`…

  • CVE-2026-41351 · Medium · Apr 23, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid…

  • CVE-2026-41337 · Medium · Apr 23, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate…

  • CVE-2026-41000 · Low · Jun 11, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics…

  • CVE-2026-9398 · Low · May 24, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network.…

  • CVE-2026-41402 · Medium · Apr 28, 2026
    risk 0.20 · cvss 4.2 · epss 0.00

    OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay…

  • CVE-2026-1743 · Low · Feb 2, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be…

  • CVE-2024-38823 · Low · Jun 13, 2025
    risk 0.18 · cvss 2.7 · epss 0.00

    Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport.
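Several entries above (CVE-2026-41351, CVE-2026-35618, CVE-2026-41402) share a second failure mode: a replay cache exists, but it is keyed on a representation the attacker controls, so a cosmetically different copy of the same message is not recognised. The following added example is not OpenClaw's code and does not reproduce any provider's real signature scheme; it shows a webhook replay cache keyed on the signature text as received, which a Base64URL re-encoding of the same signature slips past, next to one that verifies the signature first and keys on the decoded bytes. The secret, timestamp and request body are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed webhook signing secret (hypothetical, for this example only).
WEBHOOK_SECRET = b"constructed-webhook-secret"


def sign(timestamp: str, body: bytes) -> bytes:
    """Illustrative scheme: HMAC-SHA256 over "<timestamp>.<body>"."""
    return hmac.new(WEBHOOK_SECRET, timestamp.encode() + b"." + body, hashlib.sha256).digest()


def decode_signature(sig_text: str) -> bytes:
    """Accept standard or URL-safe Base64, padded or not, and return the raw
    bytes. Every textual spelling of one signature maps to the same bytes."""
    s = sig_text.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)   # raises ValueError on junk


class NaiveReplayCache:
    """Vulnerable: the signature is verified, but deduplication is keyed on
    the text as received. Re-encoding the same signature in the other Base64
    alphabet (or dropping the padding) produces a "new" key."""

    def __init__(self):
        self.seen = set()

    def accept(self, timestamp: str, body: bytes, sig_text: str) -> bool:
        try:
            sig = decode_signature(sig_text)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, sign(timestamp, body)):
            return False
        if sig_text in self.seen:          # attacker-controlled key
            return False
        self.seen.add(sig_text)
        return True


class HardenedReplayCache:
    """Verify first, bound the timestamp window, then deduplicate on the
    decoded signature bytes, which no re-encoding can change."""

    WINDOW_SECONDS = 300

    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}                     # signature bytes -> first seen

    def accept(self, timestamp: str, body: bytes, sig_text: str) -> bool:
        try:
            sig = decode_signature(sig_text)
            ts = float(timestamp)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, sign(timestamp, body)):
            return False                   # forged: never enters the cache
        if abs(self.now() - ts) > self.WINDOW_SECONDS:
            return False                   # stale: also bounds cache memory
        cutoff = self.now() - 2 * self.WINDOW_SECONDS
        for old in [k for k, t in self.seen.items() if t < cutoff]:
            del self.seen[old]
        if sig in self.seen:
            return False                   # replay, however it was spelled
        self.seen[sig] = self.now()
        return True


def demo() -> dict:
    """Deliver one constructed webhook, then replay it re-encoded."""
    ts = "1700000000"
    body = b'{"event":"call.answered","id":"42"}'
    sig = sign(ts, body)
    std = base64.b64encode(sig).decode()                         # '+', '/', '='
    url = base64.urlsafe_b64encode(sig).rstrip(b"=").decode()    # '-', '_', no pad
    naive = NaiveReplayCache()
    hard = HardenedReplayCache(now=lambda: 1700000010.0)
    return {
        "naive_first": naive.accept(ts, body, std),
        "naive_reencoded_replay": naive.accept(ts, body, url),   # bypass
        "hard_first": hard.accept(ts, body, std),
        "hard_reencoded_replay": hard.accept(ts, body, url),
        "hard_forged": hard.accept(ts, body + b" ", std),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to any other field that feeds the key: derive it from the verified, canonical content (decoded signature, parsed message identifier, normalised path) rather than from the raw URL or header string, which is the distinction CVE-2026-35618 above draws between a full URL with query string and its canonical form.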