CWE-294
Authentication Bypass by Capture-replay
Description
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-509 · CAPEC-555 · CAPEC-561 · CAPEC-60 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-701 · CAPEC-94
CVEs mapped to this weakness (89)
Page 4 of 5

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2002-0054 | 0.02 | — | 0.22 | Mar 8, 2002 | SMTP service in (1) Microsoft Windows 2000 and (2) Internet Mail Connector (IMC) in Exchange Server 5.5 does not properly handle responses to NTLM authentication, which allows remote attackers to perform mail relaying via an SMTP AUTH command using null session credentials. |
| CVE-2026-54779 | 0.00 | — | — | Jun 19, 2026 | Impact: When enabling DetectReplayedTokens, a token can be replayed and will be detected despite it being reused. Patches: Fixed in CoreWCF v1.8.1 and v1.9.1. Workarounds: Provide your own implementation of `ITokenReplayCache` with the correct behavior. |
| CVE-2026-32053 | 0.00 | — | 0.00 | Mar 21, 2026 | OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or… |
| CVE-2026-28449 | 0.00 | — | 0.00 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound… |
| CVE-2026-28787 | 0.00 | — | 0.00 | Mar 6, 2026 | OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client… |
| CVE-2025-68671 | 0.00 | — | 0.00 | Jan 15, 2026 | lakeFS is an open-source tool that transforms object storage into Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network… |
| CVE-2025-64131 | 0.00 | — | 0.00 | Oct 29, 2025 | Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache, allowing attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. |
| CVE-2025-46815 | 0.00 | — | 0.00 | May 6, 2025 | The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a… |
| CVE-2024-8260 | 0.00 | — | 0.00 | Aug 30, 2024 | An SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the… |
| CVE-2024-45244 | 0.00 | — | 0.01 | Aug 25, 2024 | Hyperledger Fabric through 3.0.0 and 2.5.x through 2.5.9 do not verify that a request has a timestamp within the expected time window. |
| CVE-2024-34065 | 0.00 | — | 0.01 | Jun 12, 2024 | Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, it is possible for an unauthenticated attacker to bypass… |
| CVE-2024-29901 | 0.00 | — | 0.01 | Mar 29, 2024 | The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js. A user can reuse an expired session by controlling the `x-workos-session` header. The vulnerability is patched in v0.4.2. |
| CVE-2023-41890 | 0.00 | — | 0.01 | Sep 19, 2023 | Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a… |
| CVE-2022-47930 | 0.00 | — | 0.01 | Apr 21, 2023 | An issue was discovered in IO FinNet tss-lib before 2.0.0. The parameter ssid for defining a session id is not used through the MPC implementation, which makes replaying and spoofing of messages easier. In particular, the Schnorr proof of knowledge implemented in sch.go does not… |
| CVE-2023-27987 | 0.00 | — | 0.01 | Apr 10, 2023 | In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to… |
| CVE-2023-1886 | 0.00 | — | 0.01 | Apr 5, 2023 | Authentication Bypass by Capture-replay in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-1537 | 0.00 | — | 0.01 | Mar 21, 2023 | Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6. |
| CVE-2022-42731 | 0.00 | — | 0.01 | Oct 11, 2022 | mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage. |
| CVE-2022-31158 | 0.00 | — | 0.01 | Jul 15, 2022 | LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the Nonce Claim Value was not being validated against the nonce value sent in the Authentication Request. Users should upgrade to version 5.0 to receive a… |
| CVE-2022-22936 | 0.00 | — | 0.01 | Mar 29, 2022 | An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. Job publishes and file server replies are susceptible to replay attacks, which can result in an attacker replaying job publishes causing minions to run old jobs. File server replies can also be… |