VYPR

CWE-302

Authentication Bypass by Assumed-Immutable Data

Abstraction: Base · Status: Incomplete

Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-13 · CAPEC-21 · CAPEC-274 · CAPEC-31 · CAPEC-39 · CAPEC-45 · CAPEC-77

CVEs mapped to this weakness (21)

page 1 of 2
  • CVE-2024-56404 · Critical · Jan 24, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected.

  • CVE-2023-4669 · Critical · Sep 14, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    Authentication Bypass by Assumed-Immutable Data vulnerability in Exagate SYSGuard 3001 allows Authentication Bypass. This issue affects SYSGuard 3001: before 3.2.20.0.

  • CVE-2016-9482 · Critical · Jul 13, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    Code generated by PHP FormMail Generator may allow a remote unauthenticated user to bypass authentication and access the administrator panel by navigating directly to /admin.php?mod=admin&func=panel

  • CVE-2024-12838 · High · Dec 31, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request to switch to the identity of any user, including administrators.

  • CVE-2025-8855 · High · Nov 14, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate…

  • CVE-2025-24876 · High · Feb 11, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the…

  • CVE-2026-40285 · High · Apr 17, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in…

  • CVE-2025-26522 · High · Feb 14, 2025
    risk 0.49 · cvss n/a · epss 0.00

    This vulnerability exists in RupeeWeb trading platform due to improper implementation of OTP validation mechanism in certain API endpoints. A remote attacker with valid credentials could exploit this vulnerability by manipulating API responses. Successful exploitation of this…

  • CVE-2024-3741 · High · Apr 18, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Electrolink transmitters are vulnerable to an authentication bypass vulnerability affecting the login cookie. An attacker can set an arbitrary value except 'NO' to the login cookie and have full system access.

  • CVE-2024-22179 · High · Apr 18, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.

  • CVE-2024-45370 · High · Dec 1, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability.

  • CVE-2026-39429 · High · Apr 8, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can…

  • CVE-2024-8475 · Medium · Dec 17, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables. This issue affects WiFiBurada: before 1.0.5.

  • CVE-2025-43992 · Medium · May 11, 2026
    risk 0.36 · cvss 5.6 · epss 0.00

    Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthenticated attacker with remote access could potentially exploit this vulnerability,…

  • CVE-2026-34460 · Medium · Jun 2, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own…

  • CVE-2024-3462 · Medium · May 14, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    Ant Media Server Community Edition in a default configuration is vulnerable to an improper HTTP header based authorization, leading to a possible use of non-administrative API calls reserved only for authorized users. All versions up to 2.9.0 (tested) and possibly newer ones…

  • CVE-2026-28510 · Medium · May 5, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete…

  • CVE-2026-27840 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque…

  • CVE-2024-43441 · Dec 24, 2024
    risk 0.00 · cvss n/a · epss 0.70

    Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

  • CVE-2023-47127 · Nov 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can…