Account-Takeover

An authentication logic flaw in Cap-go versions prior to 12.128.2 allows attackers to register an account with a victim's unverified email address, then enable two-factor authentication on this pre-registered account to gain full control, read/modify data, enforce organization-level policies, and deny the legitimate user access.

Cap-go versions prior to 12.128.2 are susceptible to an authentication bypass vulnerability (CVE-2026-56073) in OTP verification that allows attackers to manipulate server responses to falsely mark verification successful, leading to unauthorized 2FA enablement and subsequent account takeover.

CVE-2026-7459 is an authenticated account takeover vulnerability in the Simple History WordPress plugin where a subscriber-level user can read password reset emails and escalate privileges to an administrator account.

This correlation identifies when a user exceeds a risk threshold based on multiple suspicious Okta activities by aggregating risk events from 'Suspicious Okta Activity,' 'Okta Account Takeover,' and 'Okta MFA Exhaustion' analytic stories, highlighting potentially compromised user accounts exhibiting multiple TTPs that could lead to unauthorized access, privilege escalation, or persistence.

A public exploit is available for WordPress Temporary Login Plugin version 1.0.0, which demonstrates an authentication bypass vulnerability that can lead to account takeover, increasing the risk for unpatched systems.

An authentication bypass vulnerability in phpMyFAQ allows an unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts, by sending a PUT request with a valid username and associated email address to /api/user/password/update, resulting in complete account takeover.

HAXcms is vulnerable to stored XSS and exposes authentication tokens in the `/system/api/connectionSettings` endpoint, allowing an attacker to perform cross-tenant account takeover by injecting malicious JavaScript to steal the `jwt`, `user_token`, `site_token`, and `appstore_token`.

A session fixation vulnerability in Keycloak's /login-actions/restart endpoint allows an unauthenticated attacker to hijack a user's session by crafting a malicious link that resets the authentication flow, potentially leading to account takeover.

Home Assistant Community Store (HACS) 1.10.0 is vulnerable to a path traversal, allowing unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint, leading to potential account takeover.

AVideo's Meet plugin contains an authorization bypass vulnerability in the `uploadRecordedVideo.json.php` endpoint that derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin.

ApostropheCMS is vulnerable to account takeover due to a weak password recovery mechanism; the password reset flow constructs the reset URL using `req.hostname`, derived from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured, enabling account takeover if the victim clicks a malicious password reset link.

Strapi versions prior to 5.37.0 are vulnerable to an unauthenticated boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field, via the 'where' query parameter on publicly accessible content-types; extracting an admin reset token via this oracle makes full administrative account takeover possible without authentication.

SillyTavern versions 1.17.0 and earlier are vulnerable to an authentication bypass (CVE-2026-44649) via HTTP header injection, where the application accepts Remote-User and X-Authentik-Username headers for SSO without proper validation, allowing attackers to impersonate any user, including administrators, if SSO is enabled.

A vulnerability in wger version 2.5 and earlier allows an attacker with `gym.manage_gym` permission and `gym=None` to reset the password of any other `gym=None` user, disclosing the new password in plaintext and allowing account takeover.

The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.

A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.

A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook versions 7.0.0 through 7.5.5 and JupyterLab versions up to 4.5.6 allows attackers to steal authentication tokens by tricking users into interacting with malicious notebook files, leading to complete account takeover via the Jupyter REST API.

A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.

FastGPT versions prior to 4.14.9.5 are vulnerable to NoSQL injection in the password change endpoint, allowing authenticated attackers to bypass password verification and perform account takeover.

CVE-2026-38529 is a Broken Object-Level Authorization (BOLA) vulnerability in Webkul Krayin CRM v2.2.x that allows authenticated attackers to reset user passwords and take over accounts.

CVE-2026-5128 exposes sensitive Steam account data via the /users API endpoint and logs in ArthurFiorette steam-trader 2.1.1, allowing account takeover.

A Windows account, usually a service account, exhibiting a sudden shift in logon type patterns may indicate account compromise and lateral movement.

AzuraCast is vulnerable to password reset poisoning due to unconditionally trusting the X-Forwarded-Host header, allowing an attacker to inject a malicious host into the password reset URL, exfiltrate the reset token, reset the victim's password, and disable 2FA, leading to account takeover.

Note Mark is vulnerable to a JWT secret weakness that allows for full account takeover via token forgery by accepting secrets as short as 1 byte, enabling attackers to crack the signing secret offline and forge valid JWTs for any user.

The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.