{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/authentication-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32834"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","authentication bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, version 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string \u0026rsquo;test\u0026rsquo; as the hash parameter when accessing the \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. 
The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using the Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ehash\u003c/code\u003e parameter set to the hardcoded value \u003ccode\u003etest\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epost_id\u003c/code\u003e parameter, either guessed or obtained through other means.\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin bypasses authentication due to the hardcoded hash.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the request and retrieves sensitive order details associated with the provided \u003ccode\u003epost_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events \u0026amp; Tickets plugin. 
The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Easy PayPal Events \u0026amp; Tickets Authentication Bypass Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e and the \u003ccode\u003ehash\u003c/code\u003e parameter set to \u003ccode\u003etest\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.\u003c/li\u003e\n\u003cli\u003eIf the plugin is still installed, remove it immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:27Z","date_published":"2026-05-04T18:16:27Z","id":"/briefs/2026-05-wordpress-paypal-auth-bypass/","summary":"An unauthenticated remote attacker can exploit a hardcoded authentication bypass vulnerability in the Easy PayPal Events \u0026 Tickets plugin for WordPress (versions 1.3 and earlier) by providing 'test' as the hash parameter, allowing retrieval of sensitive order details.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Authentication Bypass 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-paypal-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Quarkus Vertx HTTP (\u003c 3.20.6.1)","Quarkus Vertx HTTP (\u003e= 3.21.0, \u003c 3.27.3.1)","Quarkus Vertx HTTP (\u003e= 3.30.0, \u003c 3.33.1.1)","Quarkus Vertx HTTP (\u003e= 3.34.0, \u003c 3.35.1.1)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability exists in Quarkus Vertx HTTP versions \u0026lt; 3.20.6.1, \u0026gt;= 3.21.0 and \u0026lt; 3.27.3.1, \u0026gt;= 3.30.0 and \u0026lt; 3.33.1.1, and \u0026gt;= 3.34.0 and \u0026lt; 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (\u003ccode\u003e;\u003c/code\u003e) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus\u0026rsquo;s security layer checks the raw URL path, while RESTEasy Reactive\u0026rsquo;s routing layer strips matrix parameters before matching endpoints. This means a request like \u003ccode\u003e/api/admin;anything\u003c/code\u003e can bypass authorization for \u003ccode\u003e/api/admin\u003c/code\u003e while still routing to the protected endpoint. 
This issue was discovered and verified by the GitHub Security Lab.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected endpoint, such as \u003ccode\u003e/api/admin\u003c/code\u003e, that requires authentication or specific privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as \u003ccode\u003e/api/admin;anything\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Quarkus Vertx HTTP server.\u003c/li\u003e\n\u003cli\u003eQuarkus\u0026rsquo;s security layer performs an authorization check on the raw URL path \u003ccode\u003e/api/admin;anything\u003c/code\u003e, which may not match the intended authorization rules for \u003ccode\u003e/api/admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRESTEasy Reactive\u0026rsquo;s routing layer strips the matrix parameters (\u003ccode\u003e;anything\u003c/code\u003e) from the URL, resulting in the endpoint \u003ccode\u003e/api/admin\u003c/code\u003e being matched.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the protected endpoint \u003ccode\u003e/api/admin\u003c/code\u003e, bypassing the intended authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. 
The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Quarkus Vertx HTTP to a patched version (\u0026gt;= 3.20.6.1, \u0026gt;= 3.27.3.1, \u0026gt;= 3.33.1.1, \u0026gt;= 3.35.1.1) to remediate CVE-2026-39852.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Quarkus Authorization Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the \u003ccode\u003eMonitor Semicolons in URL Path\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:20:20Z","date_published":"2026-05-04T17:20:20Z","id":"/briefs/2026-05-quarkus-auth-bypass/","summary":"Quarkus Vertx HTTP versions \u003c 3.20.6.1, \u003e= 3.21.0 and \u003c 3.27.3.1, \u003e= 3.30.0 and \u003c 3.33.1.1, and \u003e= 3.34.0 and \u003c 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.","title":"Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters","url":"https://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4670"},{"cvss":7.7,"id":"CVE-2026-5174"}],"_cs_exploited":true,"_cs_products":["MOVEit Automation","MOVEit Automation \u003c= 2025.1.4","MOVEit Automation \u003c= 2025.0.8","MOVEit Automation \u003c= 2024.1.7"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","privilege-escalation","cve-2026-4670","cve-2026-5174","webserver"],"_cs_type":"threat","_cs_vendors":["Progress Software"],"content_html":"\u003cp\u003eProgress MOVEit Automation is 
affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. Defenders should prioritize patching to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).\u003c/li\u003e\n\u003cli\u003eThe vulnerable MOVEit Automation software fails to properly validate the attacker\u0026rsquo;s identity, granting them unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the MOVEit Automation application with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data stored within MOVEit Automation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the 
system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. Given the history of MOVEit products being targeted, a successful attack could have widespread impact across various sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected MOVEit Automation installations to versions 2025.1.5 or later, 2025.0.9 or later, or 2024.1.8 or later as recommended by Progress Software to remediate CVE-2026-4670 and CVE-2026-5174.\u003c/li\u003e\n\u003cli\u003eScale up monitoring and detection capabilities to identify any suspicious activity related to MOVEit Automation, as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u0026ldquo;Detect MOVEit Automation Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-4670 based on web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:08:49Z","date_published":"2026-05-04T15:08:49Z","id":"/briefs/2026-05-moveit-auth-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-4670) in Progress MOVEit Automation allows an unauthenticated remote attacker to gain administrative access, potentially leading to full control over the application and sensitive file transfer workflows.","title":"Critical Authentication Bypass 
Vulnerability in MOVEit Automation (CVE-2026-4670)","url":"https://feed.craftedsignal.io/briefs/2026-05-moveit-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6266"}],"_cs_exploited":false,"_cs_products":["AAP"],"_cs_severities":["high"],"_cs_tags":["cve-2026-6266","account-hijacking","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability, tracked as CVE-2026-6266, exists in the AAP gateway. Specifically, the user auto-link strategy introduced in AAP 2.6 automatically links external Identity Provider (IDP) identities to existing AAP user accounts based on email matching without verifying email ownership. This vulnerability enables a remote attacker to potentially hijack a victim\u0026rsquo;s account and gain unauthorized access to other accounts, including administrative accounts. The attacker achieves this by manipulating the email address provided by the IDP during the auto-linking process. This poses a significant risk to organizations using AAP for identity management, potentially leading to data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target user account within the AAP gateway.\u003c/li\u003e\n\u003cli\u003eAttacker creates an account on a configured external Identity Provider (IDP).\u003c/li\u003e\n\u003cli\u003eAttacker configures the IDP account with the same email address as the target user in the AAP gateway.\u003c/li\u003e\n\u003cli\u003eThe target user attempts to authenticate to the AAP gateway using the configured IDP.\u003c/li\u003e\n\u003cli\u003eThe AAP gateway, running version 2.6 or later, automatically links the attacker-controlled IDP identity to the existing AAP user account based on email matching, without verifying ownership.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates to the AAP gateway using the 
attacker-controlled IDP account, gaining access to the target user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eIf the hijacked account has administrative privileges, the attacker can escalate privileges and compromise the entire AAP gateway environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6266 can lead to unauthorized access to sensitive data and systems managed by the AAP gateway. This includes the potential compromise of administrative accounts, which could allow an attacker to gain full control over the AAP environment. The vulnerability impacts organizations using AAP 2.6 and later for identity management. The potential consequences include data breaches, service disruption, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in Red Hat Security Advisory RHSA-2026:13508 to remediate CVE-2026-6266.\u003c/li\u003e\n\u003cli\u003eMonitor AAP gateway logs for successful authentications from unexpected IDPs to detect potential account hijacking attempts. 
Deploy a Sigma rule to detect this behavior.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AAP accounts to mitigate the impact of successful account hijacking, even if the IDP is compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:16:35Z","date_published":"2026-05-04T14:16:35Z","id":"/briefs/2026-05-aap-account-hijacking/","summary":"CVE-2026-6266 allows a remote attacker to hijack user accounts in AAP gateway by manipulating the IDP-provided email during the user auto-linking process, potentially gaining unauthorized access, including administrative privileges.","title":"AAP Gateway Account Hijacking Vulnerability (CVE-2026-6266)","url":"https://feed.craftedsignal.io/briefs/2026-05-aap-account-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7710"}],"_cs_exploited":false,"_cs_products":["yudao-cloud \u003c= 3.8.0","Ruoyi-Vue-Pro"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","cve-2026-7710","web application"],"_cs_type":"advisory","_cs_vendors":["YunaiV"],"content_html":"\u003cp\u003eCVE-2026-7710 is an authentication bypass vulnerability affecting YunaiV\u0026rsquo;s yudao-cloud, specifically versions up to 3.8.0. The vulnerability resides in the \u003ccode\u003edoFilterInternal\u003c/code\u003e function within the \u003ccode\u003eJwtAuthenticationTokenFilter.java\u003c/code\u003e file of the Ruoyi-Vue-Pro component. An attacker can exploit this vulnerability by manipulating the \u003ccode\u003emock-token\u003c/code\u003e argument, leading to improper authentication. This allows a remote attacker to potentially gain unauthorized access to the application. Public exploits are available, increasing the risk of exploitation. 
The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a YunaiV yudao-cloud instance running a vulnerable version (\u0026lt;= 3.8.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting an endpoint protected by authentication.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003emock-token\u003c/code\u003e argument designed to bypass the JWT authentication filter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eJwtAuthenticationTokenFilter.java\u003c/code\u003e component processes the request and improperly validates the manipulated \u003ccode\u003emock-token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the flawed authentication logic, the attacker is granted unauthorized access as an authenticated user.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to protected resources and functionalities within the application.\u003c/li\u003e\n\u003cli\u003eAttacker performs privileged actions such as data modification, account takeover, or further exploitation of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7710 allows attackers to bypass authentication and gain unauthorized access to YunaiV yudao-cloud applications. This can lead to the compromise of sensitive data, modification of application settings, and potentially full system takeover. Given the availability of public exploits, organizations using affected versions of yudao-cloud are at high risk. 
The CVSS v3.1 base score for this vulnerability is 7.3, indicating a high severity level.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade YunaiV yudao-cloud to a patched version that addresses CVE-2026-7710.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Mock Token Argument\u003c/code\u003e to identify exploitation attempts by monitoring web server logs for the presence of a \u003ccode\u003emock-token\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the server side to ensure that \u003ccode\u003emock-token\u003c/code\u003e values conform to expected patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T00:16:39Z","date_published":"2026-05-04T00:16:39Z","id":"/briefs/2026-05-yunai-auth-bypass/","summary":"YunaiV yudao-cloud up to version 3.8.0 is vulnerable to an authentication bypass (CVE-2026-7710) due to improper handling of the mock-token argument in the JwtAuthenticationTokenFilter.java file, allowing remote attackers to bypass authentication.","title":"YunaiV yudao-cloud Authentication Bypass Vulnerability (CVE-2026-7710)","url":"https://feed.craftedsignal.io/briefs/2026-05-yunai-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7630"}],"_cs_exploited":true,"_cs_products":["InnoShop (\u003c= 0.7.8)"],"_cs_severities":["high"],"_cs_tags":["cve","authentication bypass","web application"],"_cs_type":"threat","_cs_vendors":["innocommerce"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7630, affects innocommerce InnoShop versions up to 0.7.8. The vulnerability resides in the \u003ccode\u003eInstallServiceProvider::boot\u003c/code\u003e function within the \u003ccode\u003einnopacks/install/src/InstallServiceProvider.php\u003c/code\u003e file, which governs the installation endpoint. 
Successful exploitation allows remote attackers to bypass authentication mechanisms, potentially leading to complete system compromise. Publicly available exploits exist, increasing the risk of active exploitation. It is crucial for administrators to apply the provided patch (identifier: \u003ccode\u003e45758e4ec22451ab944ae2ae826b1e70f6450dc9\u003c/code\u003e) immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an InnoShop instance running a vulnerable version (\u0026lt;= 0.7.8).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the installation endpoint (\u003ccode\u003einnopacks/install/src/InstallServiceProvider.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request exploits the improper authentication in the \u003ccode\u003eInstallServiceProvider::boot\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAuthentication checks are bypassed due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the installation process.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code or configurations during the installation phase.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with elevated privileges, granting the attacker control over the InnoShop instance.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a persistent backdoor for future access and potential data exfiltration or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7630 allows unauthenticated remote attackers to compromise InnoShop installations. This can lead to complete control of the web server, potentially affecting sensitive customer data, financial information, and intellectual property.  
Given the ease of exploitation and publicly available exploits, unpatched InnoShop instances are at high risk of compromise. The number of affected installations is currently unknown, but the widespread use of InnoShop in e-commerce makes this a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the patch identified by \u003ccode\u003e45758e4ec22451ab944ae2ae826b1e70f6450dc9\u003c/code\u003e to remediate the improper authentication vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect InnoShop Installation Endpoint Access\u0026rdquo; to identify unauthorized access attempts to the installation endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003einnopacks/install/src/InstallServiceProvider.php\u003c/code\u003e path, based on \u0026ldquo;Detect InnoShop Installation Endpoint Access\u0026rdquo; to identify post-exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:18Z","date_published":"2026-05-02T14:16:18Z","id":"/briefs/2026-05-innoshop-auth-bypass/","summary":"InnoShop version 0.7.8 and earlier contains an improper authentication vulnerability in the InstallServiceProvider::boot function (CVE-2026-7630) that allows remote attackers to bypass authentication and gain unauthorized access to the installation endpoint.","title":"InnoShop Improper Authentication Vulnerability (CVE-2026-7630)","url":"https://feed.craftedsignal.io/briefs/2026-05-innoshop-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7458"}],"_cs_exploited":false,"_cs_products":["User Verification by PickPlugins plugin for WordPress \u003c= 2.0.46"],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication bypass","cve-2026-7458"],"_cs_type":"threat","_cs_vendors":["PickPlugins"],"content_html":"\u003cp\u003eThe User Verification by 
PickPlugins plugin, a popular WordPress plugin, contains a critical authentication bypass vulnerability (CVE-2026-7458) affecting all versions up to and including 2.0.46. The flaw resides within the \u003ccode\u003euser_verification_form_wrap_process_otpLogin\u003c/code\u003e function, where a loose PHP comparison operator is used to validate OTP codes. This weakness allows unauthenticated attackers to bypass the OTP verification process and log in as any user with a verified email address, potentially gaining administrative access. Successful exploitation requires the attacker to submit the string \u0026ldquo;true\u0026rdquo; as the OTP value. This vulnerability poses a significant risk to WordPress sites using the affected plugin, potentially leading to complete site compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the User Verification by PickPlugins plugin (\u0026lt;= 2.0.46).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the OTP login form provided by the plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker enters the email address of a target user, such as an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the OTP request and instead of a numerical code, submits the string \u0026ldquo;true\u0026rdquo; as the OTP value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003euser_verification_form_wrap_process_otpLogin\u003c/code\u003e function processes the submitted OTP. 
Due to the loose PHP comparison (e.g., \u003ccode\u003e==\u003c/code\u003e instead of \u003ccode\u003e===\u003c/code\u003e), the string \u0026ldquo;true\u0026rdquo; evaluates to \u003ccode\u003etrue\u003c/code\u003e, bypassing the intended OTP validation.\u003c/li\u003e\n\u003cli\u003eThe plugin incorrectly authenticates the attacker as the targeted user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the targeted user\u0026rsquo;s account, potentially gaining administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7458 allows unauthenticated attackers to bypass the OTP verification mechanism and gain unauthorized access to any user account with a verified email address on a vulnerable WordPress site. This can lead to complete compromise of the affected WordPress site, enabling attackers to modify content, inject malicious code, steal sensitive data, or use the site for malicious purposes. Given the plugin\u0026rsquo;s popularity, this vulnerability could impact a large number of WordPress websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the User Verification by PickPlugins plugin to the latest version (greater than 2.0.46) to patch CVE-2026-7458.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unusual login attempts or the presence of \u0026ldquo;true\u0026rdquo; as OTP values to identify potential exploitation attempts. 
Deploy the \u003ccode\u003eDetect Successful Authentication Bypass via True OTP\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization for OTP codes to prevent similar bypass vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wordpress-auth-bypass/","summary":"The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in versions up to 2.0.46 due to a loose PHP comparison, allowing unauthenticated attackers to log in as any verified user by submitting a 'true' OTP value.","title":"WordPress User Verification Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7567"}],"_cs_exploited":false,"_cs_products":["Temporary Login plugin"],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","wordpress","plugin vulnerability","cve-2026-7567","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the \u0026rsquo;temp-login-token\u0026rsquo; GET parameter within the \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function. By supplying an array as the value for this parameter, attackers can circumvent the intended \u003ccode\u003eempty()\u003c/code\u003e check. This leads to the \u003ccode\u003esanitize_key()\u003c/code\u003e function returning an empty string, which is then used in a database query to fetch users. 
WordPress ignores empty \u003ccode\u003emeta_value\u003c/code\u003e parameters, causing the query to return all users with the \u003ccode\u003e_temporary_login_token\u003c/code\u003e meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version \u0026lt;= 1.0.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the WordPress site\u0026rsquo;s login endpoint, including the \u0026rsquo;temp-login-token\u0026rsquo; parameter as an array (e.g., \u003ccode\u003etemp-login-token[]=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server receives the GET request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaybe_login_temporary_user()\u003c/code\u003e function processes the request.\u003c/li\u003e\n\u003cli\u003eDue to improper input validation, the \u003ccode\u003eempty()\u003c/code\u003e check is bypassed when the \u0026rsquo;temp-login-token\u0026rsquo; parameter is an array.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esanitize_key()\u003c/code\u003e processes the array and returns an empty string as the meta_value.\u003c/li\u003e\n\u003cli\u003eWordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of 
CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Temporary Login Authentication Bypass Attempt\u003c/code\u003e to detect exploitation attempts by monitoring HTTP requests with array-based \u003ccode\u003etemp-login-token\u003c/code\u003e parameters in the query string.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T10:15:58Z","date_published":"2026-05-01T10:15:58Z","id":"/briefs/2024-01-wordpress-temp-login-auth-bypass/","summary":"The Temporary Login plugin for WordPress versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.","title":"WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-temp-login-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":true,"_cs_products":["cPanel \u0026 WHM"],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","cPanel","web 
hosting","vulnerability"],"_cs_type":"threat","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel \u0026amp; WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. cPanel \u0026amp; WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a cPanel \u0026amp; WHM server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the cPanel \u0026amp; WHM login endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates session creation and processing by injecting controlled data into the session files.\u003c/li\u003e\n\u003cli\u003eThis injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.\u003c/li\u003e\n\u003cli\u003eWith administrative privileges, the attacker gains full control over the cPanel server.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses hosted websites and databases, potentially compromising sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised 
system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel \u0026amp; WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel \u0026amp; WHM makes this a high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by cPanel to address CVE-2026-41940 immediately after thorough testing to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eImplement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940 as recommended by CCB.\u003c/li\u003e\n\u003cli\u003eReview web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. 
Create a Sigma rule based on process creation logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:16:14Z","date_published":"2026-04-30T12:16:14Z","id":"/briefs/2026-05-cpanel-auth-bypass/","summary":"CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel \u0026 WHM, allowing unauthenticated remote attackers to gain administrative access by manipulating session data.","title":"Critical Authentication Bypass Vulnerability in cPanel \u0026 WHM (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2025-10571"}],"_cs_exploited":false,"_cs_products":["Edgenius Management Portal 3.2.0.0","Edgenius Management Portal 3.2.1.1","Ability Edgenius 3.2.2.0"],"_cs_severities":["critical"],"_cs_tags":["abb","edgenius","authentication bypass","CVE-2025-10571","critical infrastructure"],"_cs_type":"advisory","_cs_vendors":["ABB"],"content_html":"\u003cp\u003eABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 are vulnerable to an authentication bypass (CVE-2025-10571). An attacker who has gained network access to a vulnerable Edgenius deployment can send a specially crafted message to the system node, bypassing authentication controls. Successful exploitation allows an attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications. ABB reported this vulnerability to CISA. ABB has released version 3.2.2.0 to address the vulnerability. 
As a mitigation, ABB advises customers to disable the Edgenius Management Portal until the upgrade can be applied.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the network where the Edgenius Management Portal is deployed.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable ABB Edgenius Management Portal instance (versions 3.2.0.0 or 3.2.1.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious message designed to exploit the authentication bypass vulnerability (CVE-2025-10571).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the specially crafted message to the system node of the Edgenius Management Portal.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Edgenius Management Portal improperly processes the crafted message, bypassing authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the bypassed authentication to install and execute arbitrary code on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uninstalls applications, further compromising the system\u0026rsquo;s functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the configuration of installed applications to maintain persistence and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain full control over the ABB Edgenius Management Portal. The attacker can install malicious software, uninstall critical applications, and modify configurations, leading to significant disruption of industrial processes, data theft, or further lateral movement within the OT network. 
Affected sectors include critical manufacturing and information technology, with deployments worldwide.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to ABB Ability Edgenius version 3.2.2.0 to remediate CVE-2025-10571, as this version contains the vendor fix.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is applied, disable the Edgenius Management Portal to mitigate the vulnerability as recommended by ABB.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices by ensuring they are not accessible from the internet, as suggested by CISA.\u003c/li\u003e\n\u003cli\u003eLocate control system networks and remote devices behind firewalls, isolating them from business networks per CISA recommendations.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect ABB Edgenius Management Portal Exploitation Attempt\u0026rdquo; to identify potential exploitation attempts based on network traffic patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-abb-edgenius-auth-bypass/","summary":"An authentication bypass vulnerability in ABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 allows attackers to execute arbitrary code and modify application configurations by sending a specially crafted message to the system node.","title":"ABB Edgenius Management Portal Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-abb-edgenius-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-14510"}],"_cs_exploited":false,"_cs_products":["OPTIMAX 6.1","OPTIMAX 6.2","OPTIMAX 6.3","OPTIMAX 6.4","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","ics","vulnerability"],"_cs_type":"advisory","_cs_vendors":["ABB","Microsoft"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-14510, 
affects ABB Ability OPTIMAX versions that utilize Azure Active Directory (Azure AD) for Single-Sign On (SSO) authentication. This flaw stems from an incorrect implementation of the authentication algorithm, potentially allowing attackers to bypass the Azure AD authentication mechanism and gain unauthorized access to the OPTIMAX system. The affected versions include ABB Ability OPTIMAX 6.1 and 6.2 (all versions), 6.3 versions prior to 6.3.1-251120, and 6.4 versions prior to 6.4.1-251120. Successful exploitation could lead to significant disruption in energy, water, and wastewater sectors. The vulnerability was reported to CISA by ABB PSIRT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an ABB Ability OPTIMAX installation using Azure AD SSO with a vulnerable version (6.1, 6.2, 6.3 \u0026lt; 6.3.1-251120, or 6.4 \u0026lt; 6.4.1-251120).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious authentication request, exploiting the incorrect implementation of the authentication algorithm (CWE-303).\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses the expected Azure AD authentication checks within OPTIMAX.\u003c/li\u003e\n\u003cli\u003eOPTIMAX incorrectly validates the attacker\u0026rsquo;s session, granting them access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to gain control over OPTIMAX functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then modify control parameters, manipulate data, or disrupt operations within the connected industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-14510 enables unauthorized access to ABB Ability OPTIMAX systems, potentially leading to severe consequences in critical infrastructure sectors such as energy, water, and wastewater. 
An attacker could manipulate industrial processes, disrupt critical services, or cause significant financial and operational damage. Given the widespread deployment of ABB Ability OPTIMAX systems globally, a successful campaign exploiting this vulnerability could have far-reaching impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update ABB Ability OPTIMAX to fixed versions (6.3.1-251120 and later) to remediate CVE-2025-14510.\u003c/li\u003e\n\u003cli\u003eRefer to ABB PSIRT security advisory 9AKK108472A1331 for detailed mitigation steps and recommendations.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as per CISA\u0026rsquo;s recommended practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-optimax-auth-bypass/","summary":"CVE-2025-14510 allows an attacker to bypass Azure Active Directory Single-Sign On authentication in vulnerable ABB Ability OPTIMAX versions, potentially granting unauthorized access to critical infrastructure systems.","title":"ABB Ability OPTIMAX Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["WHM","cPanel"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","authentication-bypass","CVE-2026-41940","webserver"],"_cs_type":"advisory","_cs_vendors":["cPanel"],"content_html":"\u003cp\u003eOn April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. 
The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the cPanel/WHM interface.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates the server to identify valuable files, directories, and database configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker executes uploaded payloads to establish persistent access, such as a web shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. 
The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule \u003ccode\u003eDetectCpanelAuthBypassAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule \u003ccode\u003eDetectCpanelAccountManipulation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T16:16:25Z","date_published":"2026-04-29T16:16:25Z","id":"/briefs/2026-04-cpanel-auth-bypass/","summary":"An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40976"},{"cvss":7,"id":"CVE-2026-40973"},{"cvss":7.5,"id":"CVE-2026-40972"}],"_cs_exploited":false,"_cs_products":["Spring Boot"],"_cs_severities":["critical"],"_cs_tags":["spring-boot","vulnerability","rce","authentication-bypass","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["Spring"],"content_html":"\u003cp\u003eA set of critical 
vulnerabilities has been discovered in Spring Boot, a widely used Java framework for building web applications and backend services. These vulnerabilities, including CVE-2026-40976 (CVSS 9.1), CVE-2026-40973 (CVSS 7.0), and CVE-2026-40972 (CVSS 7.5), pose a significant threat to organizations using affected versions (specifically versions before 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33). Successful exploitation could lead to unauthorized access, session hijacking, and remote code execution, impacting the confidentiality, integrity, and availability of critical business systems. The initial advisory was released by CCB Belgium on April 28, 2026, urging immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (CVE-2026-40976 - Authentication Bypass):\u003c/strong\u003e An attacker sends a crafted HTTP request to a vulnerable Spring Boot application endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Default Configuration:\u003c/strong\u003e If the application is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default web security configuration fails to enforce authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e Due to the authorization bypass, the attacker gains unauthorized access to all application endpoints without proper authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Hijacking (CVE-2026-40973):\u003c/strong\u003e A local attacker exploits the vulnerability to take control of the ApplicationTemp directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution (CVE-2026-40973):\u003c/strong\u003e Once in control of the ApplicationTemp directory, the attacker can potentially execute arbitrary code within the context of the 
application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTiming Attack (CVE-2026-40972):\u003c/strong\u003e An attacker on the same network conducts a timing attack against the DevTools remote secret.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution (CVE-2026-40972):\u003c/strong\u003e By successfully exploiting the timing attack, the attacker can potentially achieve remote code execution on the vulnerable server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker gains full control of the system, allowing for data exfiltration, system compromise, and operational downtime.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these Spring Boot vulnerabilities can lead to significant damage, including unauthorized access to sensitive data, complete system compromise, and extended operational downtime. The potential number of victims is vast, considering the widespread use of Spring Boot in various sectors including finance, healthcare, and e-commerce. 
If an attacker successfully exploits these vulnerabilities, they could steal sensitive customer data, disrupt critical business operations, or deploy ransomware, resulting in significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Spring Boot applications to the latest versions (\u0026gt;=4.0.6, \u0026gt;=3.5.14, \u0026gt;=3.4.16, \u0026gt;=3.3.19, \u0026gt;=2.7.33) to address CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Access to Actuator Endpoints\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-40976 by monitoring access to sensitive actuator endpoints.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any related suspicious activity as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any potentially compromised systems following the patching process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spring-boot-vulns/","summary":"Multiple vulnerabilities in Spring Boot, including CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972, can allow attackers to bypass authorization, hijack sessions, or achieve remote code execution, potentially leading to data breaches and system compromise.","title":"Multiple Vulnerabilities in Spring Boot Allow Authorization Bypass and Potential RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-spring-boot-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7022"}],"_cs_exploited":false,"_cs_products":["sre"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","CVE-2026-7022"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA security vulnerability, CVE-2026-7022, has been identified in SmythOS 
sre versions up to 0.0.15. The vulnerability resides in the AgentRuntime function within the packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts file, specifically affecting the HTTP Header Handler. By manipulating the X-DEBUG-RUN and X-DEBUG-INJ arguments within HTTP headers, an attacker can bypass authentication mechanisms. This vulnerability is remotely exploitable and has a publicly available exploit, posing a significant risk to systems running vulnerable versions of SmythOS sre. The vendor was notified but did not respond.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SmythOS sre instance running version 0.0.15 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the AgentRuntime function.\u003c/li\u003e\n\u003cli\u003eThe attacker includes specially crafted X-DEBUG-RUN and/or X-DEBUG-INJ headers in the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable AgentRuntime function improperly processes these headers.\u003c/li\u003e\n\u003cli\u003eThe system bypasses authentication checks due to the manipulated header values.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to protected resources or functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker performs privileged actions or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7022 allows an attacker to bypass authentication, potentially leading to complete system compromise. This could result in unauthorized access to sensitive data, modification of system configurations, or disruption of services. 
Given the public availability of the exploit, vulnerable systems are at high risk of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003eAgentRuntime\u003c/code\u003e function within \u003ccode\u003epackages/core/src/subsystems/AgentManager/AgentRuntime.class.ts\u003c/code\u003e to prevent manipulation of \u003ccode\u003eX-DEBUG-RUN\u003c/code\u003e and \u003ccode\u003eX-DEBUG-INJ\u003c/code\u003e headers (CVE-2026-7022).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts targeting the vulnerable \u003ccode\u003eAgentRuntime\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing suspicious \u003ccode\u003eX-DEBUG-RUN\u003c/code\u003e and \u003ccode\u003eX-DEBUG-INJ\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T06:16:02Z","date_published":"2026-04-26T06:16:02Z","id":"/briefs/2026-04-smythos-auth-bypass/","summary":"A remote improper authentication vulnerability exists in SmythOS sre up to version 0.0.15, allowing attackers to bypass authentication by manipulating the X-DEBUG-RUN/X-DEBUG-INJ arguments in the HTTP Header Handler component.","title":"SmythOS sre Authentication Bypass Vulnerability (CVE-2026-7022)","url":"https://feed.craftedsignal.io/briefs/2026-04-smythos-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-33018"},{"cvss":7.1,"id":"CVE-2026-33020"},{"id":"CVE-2026-41144"}],"_cs_exploited":false,"_cs_products":["ASA","Secure Firewall Threat Defense","IOS","IOS XE","IOS XR"],"_cs_severities":["critical"],"_cs_tags":["cisco","vulnerability","rce","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, 
Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability allowing authentication bypass.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code executes with administrator privileges, granting the attacker full control over the device.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised device as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eAttacker compromises additional systems and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. 
The broad range of affected Cisco products means a wide array of organizations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsult Cisco\u0026rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T05:43:56Z","date_published":"2026-04-24T05:43:56Z","id":"/briefs/2024-07-cisco-multiple-vulns/","summary":"Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.","title":"Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openvpn-auth-oauth2"],"_cs_severities":["critical"],"_cs_tags":["openvpn","authentication-bypass","vpn"],"_cs_type":"advisory","_cs_vendors":["jkroepke"],"content_html":"\u003cp\u003eOpenVPN-auth-oauth2, a plugin for OpenVPN, is susceptible to an authentication bypass vulnerability in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. This flaw allows unauthenticated VPN access for clients that do not support WebAuth/SSO. Specifically, standard OpenVPN clients like the Linux CLI \u003ccode\u003eopenvpn\u003c/code\u003e, which do not advertise WebAuth/SSO support (\u003ccode\u003eIV_SSO=webauth\u003c/code\u003e), can bypass OIDC authentication and gain full network access. The default management-interface mode is not affected. Successful exploitation grants unauthorized access to the internal network behind the VPN. 
This vulnerability is addressed in version 1.27.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).\u003c/li\u003e\n\u003cli\u003eAttacker uses a standard OpenVPN client (e.g., Linux \u003ccode\u003eopenvpn\u003c/code\u003e CLI) that does not support WebAuth/SSO.\u003c/li\u003e\n\u003cli\u003eThe client initiates a connection to the OpenVPN server, bypassing the expected WebAuth/SSO flow.\u003c/li\u003e\n\u003cli\u003eThe openvpn-auth-oauth2 plugin attempts to deny the client by writing \u0026ldquo;0\u0026rdquo; to the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe plugin incorrectly returns \u003ccode\u003eOPENVPN_PLUGIN_FUNC_SUCCESS\u003c/code\u003e to the OpenVPN server.\u003c/li\u003e\n\u003cli\u003eOpenVPN interprets the \u003ccode\u003eFUNC_SUCCESS\u003c/code\u003e return code as successful authentication, ignoring the \u0026ldquo;0\u0026rdquo; in the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to internal resources and performs malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers full access to the internal network behind the OpenVPN server. This could lead to data breaches, lateral movement within the network, and potential compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. 
This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit \u003ca href=\"https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2\"\u003e\u003ccode\u003e36f69a6\u003c/code\u003e\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, switch to the standalone management client mode (the default, non-plugin deployment) as a workaround.\u003c/li\u003e\n\u003cli\u003eMonitor OpenVPN server logs for connection attempts from clients that do not support WebAuth/SSO (identified by missing \u003ccode\u003eIV_SSO=webauth\u003c/code\u003e in the logs) and correlate with network access activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T14:29:22Z","date_published":"2026-04-22T14:29:22Z","id":"/briefs/2026-04-openvpn-auth-bypass/","summary":"A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.","title":"OpenVPN-auth-oauth2 Authentication Bypass in Plugin Mode","url":"https://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-24177"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","authentication-bypass","nvidia"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-24177 details a security flaw within the NVIDIA KAI Scheduler. This vulnerability stems from a lack of proper authentication mechanisms for critical API endpoints. 
An attacker exploiting this flaw could potentially bypass authorization checks and gain unauthorized access to sensitive functionalities. Successful exploitation leads to information disclosure. The affected product is NVIDIA KAI Scheduler. As of April 2026, exploitation in the wild has not been confirmed, but the potential impact warrants immediate attention from security teams. This vulnerability allows an attacker with network access to the KAI Scheduler to retrieve sensitive information without proper authorization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an exposed NVIDIA KAI Scheduler instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an API endpoint lacking authentication (CWE-306).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to the KAI Scheduler.\u003c/li\u003e\n\u003cli\u003eDue to the missing authentication check, the KAI Scheduler processes the request without verifying the attacker\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe KAI Scheduler returns sensitive information to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the disclosed information for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the disclosed information to access other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-24177 enables an attacker to bypass authentication and access sensitive information managed by the NVIDIA KAI Scheduler. The type of information exposed depends on the specific API endpoint accessed, and could include configuration data, user credentials, or internal system details. 
The NIST advisory assigns a CVSS v3.1 base score of 7.7 (HIGH), highlighting the significant risk of information disclosure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to NVIDIA KAI Scheduler API endpoints (webserver category, product linux/windows).\u003c/li\u003e\n\u003cli\u003eInspect network traffic for unauthorized access to NVIDIA KAI Scheduler API endpoints (network_connection category).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts against NVIDIA KAI Scheduler.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-nvidia-kai-auth-bypass/","summary":"CVE-2026-24177 describes an authentication bypass vulnerability in NVIDIA KAI Scheduler that could allow unauthorized access to API endpoints, leading to information disclosure.","title":"NVIDIA KAI Scheduler Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nvidia-kai-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-27198"},{"cvss":7.3,"id":"CVE-2024-27199"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["teamcity","vulnerability","authentication bypass","path traversal","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eJetBrains TeamCity, a CI/CD software platform, is vulnerable to CVE-2024-27198, an authentication bypass, and CVE-2024-27199, a path traversal vulnerability. These flaws affect TeamCity versions prior to 2023.11.4. Initially, there was no observed active exploitation. However, by March 7, 2024, widespread exploitation was detected following the public availability of proof-of-concept code. 
Attackers are actively exploiting these vulnerabilities to create new user accounts on publicly exposed, unpatched TeamCity instances. A substantial number of compromised servers are utilized as production machines for software building and deployment. These attacks have the potential to lead to supply-chain compromises by exposing sensitive information. CISA added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog on April 20, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to a vulnerable TeamCity server, exploiting CVE-2024-27198 to bypass authentication.\u003c/li\u003e\n\u003cli\u003eOnce authenticated (or bypassing authentication), the attacker leverages CVE-2024-27199, a path traversal vulnerability, to access sensitive files and directories on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker reads configuration files containing credentials for other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new administrative user accounts on the TeamCity server to ensure persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies build configurations to inject malicious code into software builds.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the software supply chain by injecting malicious code into build artifacts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access deployment environments and deploy compromised builds.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform administrative actions on affected TeamCity servers, leading to a compromise of confidentiality, integrity, and availability of data and infrastructure. 
The compromise of TeamCity servers used for software building and deployment can result in supply-chain attacks, as these servers often contain sensitive information, such as credentials for deployment environments. A substantial portion of compromised TeamCity servers are utilized as production machines for software building and deployment processes, increasing the scope and impact of potential supply chain attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all JetBrains TeamCity servers to version 2023.11.4 or later to remediate CVE-2024-27198 and CVE-2024-27199 (Reference: \u003ca href=\"https://www.jetbrains.com/privacy-security/issues-fixed/\"\u003ehttps://www.jetbrains.com/privacy-security/issues-fixed/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect TeamCity Authentication Bypass Attempt\u0026rdquo; to your SIEM to detect exploitation attempts of CVE-2024-27198.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and increase monitoring to detect suspicious activity related to path traversal attempts indicative of CVE-2024-27199 exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new user accounts within TeamCity, especially administrative accounts, which could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T10:00:00Z","date_published":"2026-04-22T10:00:00Z","id":"/briefs/2026-04-jetbrains-teamcity-vulns/","summary":"Unpatched JetBrains TeamCity servers are being actively exploited via an authentication bypass (CVE-2024-27198) and path traversal vulnerability (CVE-2024-27199), allowing attackers to perform administrative actions and potentially conduct supply-chain attacks.","title":"JetBrains TeamCity Authentication Bypass and Path Traversal 
Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-04-jetbrains-teamcity-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6635"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6635","authentication bypass","web application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6635, has been discovered in rowboatlabs rowboat, specifically in versions up to and including 0.1.67. This vulnerability resides within the \u003ccode\u003etool_call\u003c/code\u003e function located in the \u003ccode\u003eapps/experimental/tools_webhook/app.py\u003c/code\u003e file of the \u003ccode\u003etools_webhook\u003c/code\u003e component.  The vulnerability stems from the improper handling of the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument, which can be manipulated by a remote attacker to bypass authentication mechanisms. This flaw allows attackers to potentially gain unauthorized access and execute arbitrary actions within the application. Public exploits are available, increasing the urgency for mitigation. 
The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of rowboatlabs rowboat version 0.1.67 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etool_call\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker manipulates the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument with a crafted payload designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003etool_call\u003c/code\u003e function fails to properly validate the manipulated \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe application grants the attacker unauthorized access based on the bypassed authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to execute actions normally restricted to authenticated users.\u003c/li\u003e\n\u003cli\u003eDepending on the application\u0026rsquo;s functionality, this could involve data exfiltration, modification, or execution of arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6635 can lead to complete compromise of the rowboatlabs rowboat application. Attackers can gain unauthorized access to sensitive data, modify application settings, or even execute arbitrary code on the server. Due to the ease of exploitation with public exploits available, all instances of vulnerable rowboat versions are at immediate risk. 
The specific impact depends on the application\u0026rsquo;s role and the data it handles, but potential consequences include data breaches, service disruption, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation to the \u003ccode\u003eX-Tools-JWE\u003c/code\u003e argument in the \u003ccode\u003etool_call\u003c/code\u003e function within \u003ccode\u003eapps/experimental/tools_webhook/app.py\u003c/code\u003e to prevent improper authentication (CVE-2026-6635).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Rowboat Authentication Bypass Attempt via X-Tools-JWE Manipulation\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests targeting the \u003ccode\u003etool_call\u003c/code\u003e function with unusual \u003ccode\u003eX-Tools-JWE\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T12:16:09Z","date_published":"2026-04-20T12:16:09Z","id":"/briefs/2026-04-rowboat-auth-bypass/","summary":"An improper authentication vulnerability in rowboatlabs rowboat \u003c=0.1.67 allows remote attackers to bypass authentication by manipulating the X-Tools-JWE argument in the tool_call function, potentially leading to unauthorized access and control.","title":"Rowboatlabs Rowboat Improper Authentication Vulnerability (CVE-2026-6635)","url":"https://feed.craftedsignal.io/briefs/2026-04-rowboat-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6577"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6577","djangoblog","authentication-bypass","gps-injection","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6577 is an authentication bypass vulnerability affecting liangliangyy DjangoBlog versions up to 2.1.0.0. 
The vulnerability exists within an unknown function of the \u003ccode\u003eowntracks/views.py\u003c/code\u003e file related to the \u003ccode\u003elogtracks\u003c/code\u003e endpoint. Due to missing authentication, a remote attacker can inject arbitrary GPS data without proper authorization. This can lead to manipulation of location data, unauthorized access to location-based features, and potentially further compromise of the application. A public exploit for this vulnerability is available, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using DjangoBlog, potentially impacting data integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a DjangoBlog instance running a vulnerable version (\u0026lt;= 2.1.0.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/owntracks/views.py\u003c/code\u003e \u003ccode\u003elogtracks\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request injects arbitrary GPS data, bypassing the authentication mechanisms.\u003c/li\u003e\n\u003cli\u003eThe DjangoBlog application processes the crafted request without proper authentication checks.\u003c/li\u003e\n\u003cli\u003eThe injected GPS data is stored and associated with a user or device, potentially overwriting legitimate data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to location-based features or data due to the injected GPS coordinates.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised location data to perform further malicious activities, such as tracking user movements or manipulating location-based services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6577 allows attackers to inject arbitrary GPS data into vulnerable 
DjangoBlog instances. This can lead to the manipulation of user location data, potentially impacting location-based services and features. An attacker can track user movements, access restricted resources based on location, or even impersonate legitimate users. Given the availability of a public exploit, unpatched DjangoBlog instances are at high risk of compromise, potentially affecting hundreds of deployments. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious GPS Data Injection\u003c/code\u003e to your SIEM to identify exploitation attempts targeting the \u003ccode\u003elogtracks\u003c/code\u003e endpoint (logsource: webserver).\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/owntracks/views.py\u003c/code\u003e with unusual parameters or patterns, potentially indicating malicious GPS data injection (logsource: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor application logs for any anomalies related to GPS data processing or location-based services, which might be signs of successful exploitation (logsource: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T20:16:28Z","date_published":"2026-04-19T20:16:28Z","id":"/briefs/2026-04-djangoblog-auth-bypass/","summary":"A critical authentication bypass vulnerability in liangliangyy DjangoBlog up to version 2.1.0.0 (CVE-2026-6577) allows remote attackers to inject arbitrary GPS data without authentication via the logtracks endpoint, potentially leading to data manipulation and unauthorized access.","title":"liangliangyy DjangoBlog Authentication Bypass Vulnerability 
(CVE-2026-6577)","url":"https://feed.craftedsignal.io/briefs/2026-04-djangoblog-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40351"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["NoSQL injection","authentication bypass","CVE-2026-40351","FastGPT"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFastGPT is an AI Agent building platform. Versions prior to 4.14.9.5 are susceptible to a critical NoSQL injection vulnerability (CVE-2026-40351) affecting the password-based login endpoint. The vulnerability stems from the use of TypeScript type assertion without runtime validation, enabling unauthenticated attackers to inject MongoDB query operators within the password field. This bypasses the intended password check, granting the attacker the ability to authenticate as any user, including the root administrator. Successful exploitation leads to complete control over the FastGPT instance and its associated data. This vulnerability was addressed in FastGPT version 4.14.9.5. 
All users of FastGPT versions prior to 4.14.9.5 are vulnerable to this attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable FastGPT instance running a version prior to 4.14.9.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the password-based login endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request body, the attacker places a MongoDB query operator object (e.g., \u003ccode\u003e{\u0026quot;$ne\u0026quot;: \u0026quot;\u0026quot;}\u003c/code\u003e) in the password field, bypassing the standard password check.\u003c/li\u003e\n\u003cli\u003eThe vulnerable FastGPT application processes the malicious request without proper validation.\u003c/li\u003e\n\u003cli\u003eThe MongoDB query operator is executed, bypassing the authentication mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted unauthorized access to the FastGPT application, assuming the identity of an arbitrary user, including the root administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their administrative privileges to access sensitive data, modify configurations, or perform other malicious actions within the FastGPT instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40351 allows an unauthenticated attacker to gain complete control over a FastGPT instance. This can lead to unauthorized access to sensitive AI agent configurations, user data, and other critical information. The impact includes data breaches, service disruption, and potential compromise of downstream systems that rely on the FastGPT platform. 
Given the critical nature of AI agent building platforms, the compromise of a FastGPT instance can have far-reaching consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all FastGPT instances to version 4.14.9.5 or later to patch CVE-2026-40351.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FastGPT NoSQL Injection Attempt\u003c/code\u003e to identify potential exploitation attempts targeting the login endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to the login endpoint, specifically looking for MongoDB query operators within the password field as detected by rule \u003ccode\u003eDetect FastGPT NoSQL Injection Attempt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to the FastGPT instance to only authorized users and systems to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-fastgpt-nosql-injection/","summary":"FastGPT versions before 4.14.9.5 are vulnerable to NoSQL injection, allowing unauthenticated attackers to bypass authentication and gain administrative access.","title":"FastGPT NoSQL Injection Vulnerability (CVE-2026-40351)","url":"https://feed.craftedsignal.io/briefs/2026-04-fastgpt-nosql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40461"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-40461","authentication-bypass","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40461 describes a vulnerability affecting Anviz CX2 Lite and CX7 devices. The vulnerability allows unauthenticated attackers to send POST requests that modify debug settings on the devices. A successful exploit can enable features like SSH, which are normally restricted. 
This unauthorized configuration change could be leveraged to gain unauthorized access to the device and potentially the network it is connected to, allowing for further malicious activity. The vulnerability was disclosed in April 2026 and poses a significant risk to organizations using the affected Anviz devices for access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Anviz CX2 Lite or CX7 device on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the device\u0026rsquo;s web interface.\u003c/li\u003e\n\u003cli\u003eThe POST request targets a specific endpoint responsible for modifying debug settings.\u003c/li\u003e\n\u003cli\u003eThe request includes parameters that enable debug features, such as SSH.\u003c/li\u003e\n\u003cli\u003eThe device improperly processes the request without requiring authentication, modifying the debug settings accordingly.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly enabled SSH service to gain shell access to the device.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to escalate privileges, move laterally within the network, or exfiltrate sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40461 allows an attacker to modify device settings, potentially enabling unauthorized access and control over Anviz CX2 Lite and CX7 devices. This can lead to a compromise of the physical security system and potentially the entire network. The impact includes unauthorized entry, data breaches, and disruption of operations. 
The number of affected devices and organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for POST requests targeting Anviz CX2 Lite and CX7 devices attempting to modify debug settings. Deploy the Sigma rule \u003ccode\u003eDetect Anviz Debug Setting Modification\u003c/code\u003e to identify such activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate Anviz devices from critical network resources to limit the impact of a potential compromise.\u003c/li\u003e\n\u003cli\u003eConsult the vendor\u0026rsquo;s website (\u003ca href=\"https://www.anviz.com/contact-us.html\"\u003ehttps://www.anviz.com/contact-us.html\u003c/a\u003e) and CISA advisory (\u003ca href=\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03\"\u003ehttps://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03\u003c/a\u003e) for any available patches or mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:36Z","date_published":"2026-04-17T20:16:36Z","id":"/briefs/2026-04-anviz-auth-bypass/","summary":"Anviz CX2 Lite and CX7 devices are vulnerable to unauthenticated POST requests that allow modification of debug settings such as enabling SSH, leading to unauthorized state changes and potential compromise.","title":"Anviz CX2 Lite and CX7 Unauthenticated Debug Setting Modification","url":"https://feed.craftedsignal.io/briefs/2026-04-anviz-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40525"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-40525","authentication-bypass","openviking","api"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenViking, a bot management framework, contains a critical authentication bypass vulnerability (CVE-2026-40525) affecting versions prior to commit c7bb167. 
Specifically, the VikingBot OpenAPI HTTP route surface fails to enforce authentication when the \u003ccode\u003eapi_key\u003c/code\u003e configuration value is either unset or configured as an empty string. This vulnerability enables remote attackers with network access to the exposed OpenViking service to bypass authentication controls and execute privileged bot-control functionalities. This includes submitting attacker-controlled prompts, creating or manipulating bot sessions, and gaining unauthorized access to downstream tools, integrations, secrets, and sensitive data that the bot has access to. Given the potential for broad impact and ease of exploitation, this vulnerability poses a significant risk to organizations using vulnerable versions of OpenViking.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenViking instance with an exposed VikingBot OpenAPI endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker finds that the target\u0026rsquo;s \u003ccode\u003eapi_key\u003c/code\u003e configuration, whether through misconfiguration or default settings, is unset or empty.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request to the VikingBot OpenAPI endpoint, omitting the required \u003ccode\u003eX-API-Key\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDue to the authentication bypass, the vulnerable OpenViking instance processes the attacker\u0026rsquo;s request without proper authentication.\u003c/li\u003e\n\u003cli\u003eAttacker utilizes the exposed bot-control functionalities to submit malicious prompts.\u003c/li\u003e\n\u003cli\u003eAttacker creates or hijacks bot sessions, leveraging the compromised session to access downstream systems.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the bot\u0026rsquo;s permissions to access internal tools, integrations, and secrets, potentially escalating 
privileges.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data or compromises downstream systems accessible to the bot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40525 allows attackers to completely bypass authentication controls and gain full access to bot control functionalities within the OpenViking framework. This could lead to unauthorized access to sensitive data, compromise of downstream systems and integrations, and potential financial loss. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting its critical severity and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OpenViking to a version containing commit c7bb167 or later to patch CVE-2026-40525.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, configure a strong, unique \u003ccode\u003eapi_key\u003c/code\u003e value within the OpenViking configuration to mitigate the authentication bypass.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;OpenViking Authentication Bypass Attempt\u0026rdquo; to detect unauthorized requests to the VikingBot API endpoint lacking the \u003ccode\u003eX-API-Key\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to the VikingBot OpenAPI endpoint without the \u003ccode\u003eX-API-Key\u003c/code\u003e header to identify potential exploitation attempts using the \u0026ldquo;OpenViking API requests without API Key\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview access logs for downstream systems connected to OpenViking for any unauthorized activity originating from the OpenViking server following potential 
exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T19:16:39Z","date_published":"2026-04-17T19:16:39Z","id":"/briefs/2024-02-openviking-auth-bypass/","summary":"OpenViking versions prior to commit c7bb167 are vulnerable to an authentication bypass that allows remote attackers to invoke privileged bot-control functionality without authentication when the api_key configuration is unset or empty, potentially leading to unauthorized access to downstream systems and data.","title":"OpenViking Authentication Bypass Vulnerability (CVE-2026-40525)","url":"https://feed.craftedsignal.io/briefs/2024-02-openviking-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["paperclip","authentication-bypass","api-vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePaperclip, a software application, contains multiple API endpoints that lack proper authentication checks, even when the application is configured in \u0026ldquo;authenticated\u0026rdquo; mode. This vulnerability allows unauthenticated access to sensitive information and functionality. Observed in versions prior to 2026.416.0, the issue impacts the confidentiality and integrity of the application. An attacker can exploit these vulnerabilities to gather reconnaissance information about the deployment, access heartbeat run issues, retrieve agent instructions, and potentially bypass authentication mechanisms via unauthenticated CLI challenge creation. 
The disclosed information includes API structure, authentication mechanisms, and internal workflows, which can be leveraged for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/health\u003c/code\u003e to obtain deployment mode, exposure setting, auth status, version, and feature flags.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/skills/index\u003c/code\u003e to retrieve a list of available skill endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/skills/paperclip\u003c/code\u003e to leak the agent heartbeat procedure, API endpoints, parameters, authentication mechanisms, and agent coordination protocols.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated GET request to \u003ccode\u003e/api/heartbeat-runs/:runId/issues\u003c/code\u003e, attempting to access issue data for a heartbeat run by guessing or obtaining a valid \u003ccode\u003erunId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e with a JSON payload containing a command to create a CLI authentication challenge and obtain a \u003ccode\u003eboardApiToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked information to map the internal API structure and plan further attacks or unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003eboardApiToken\u003c/code\u003e obtained in step 5, combined with open registration (if enabled), to persistently generate API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in significant data exposure, including heartbeat run 
issues, agent instructions, and internal API structure. An attacker can fingerprint the deployment and map the entire internal API for reconnaissance purposes. Successful exploitation of the unauthenticated CLI challenge creation allows for authentication bypass, potentially leading to a full remote code execution chain. The vulnerability affects organizations using Paperclip versions prior to 2026.416.0. A successful attack can compromise sensitive data, facilitate unauthorized access, and lead to further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch to upgrade Paperclip to version 2026.416.0 or later, which addresses the unauthenticated API access vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/heartbeat-runs/:runId/issues\u003c/code\u003e endpoint in \u003ccode\u003eserver/src/routes/activity.ts\u003c/code\u003e using \u003ccode\u003eassertCompanyAccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/cli-auth/challenges\u003c/code\u003e endpoint in \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e using \u003ccode\u003eassertBoard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement authentication checks for the \u003ccode\u003e/api/skills/index\u003c/code\u003e and \u003ccode\u003e/api/skills/:skillName\u003c/code\u003e endpoints in \u003ccode\u003eserver/src/routes/access.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReduce the information exposed by the \u003ccode\u003e/api/health\u003c/code\u003e endpoint by removing sensitive data such as \u003ccode\u003edeploymentMode\u003c/code\u003e, \u003ccode\u003edeploymentExposure\u003c/code\u003e, and \u003ccode\u003eversion\u003c/code\u003e or by requiring authentication via \u003ccode\u003eassertBoard\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule 
\u0026ldquo;Detect Paperclip Unauthenticated Health Endpoint Access\u0026rdquo; to identify unauthorized access attempts to the \u003ccode\u003e/api/health\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-paperclip-auth-bypass/","summary":"Paperclip application suffers from multiple unauthenticated API access vulnerabilities allowing attackers to access sensitive data, gather reconnaissance, and potentially bypass authentication.","title":"Paperclip Unauthenticated API Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-paperclip-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-6290"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["velociraptor","authentication bypass","privilege escalation","cve-2026-6290"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVelociraptor, a powerful open-source endpoint detection and response (EDR) framework, is vulnerable to an authentication bypass issue affecting versions prior to 0.76.3. The vulnerability, identified as CVE-2026-6290, resides within the \u003ccode\u003equery()\u003c/code\u003e plugin.  A user with valid credentials and access to one organization within Velociraptor can leverage the \u003ccode\u003equery()\u003c/code\u003e plugin from a notebook cell to execute VQL (Velociraptor Query Language) queries against other organizations, irrespective of their explicit permissions in those other organizations. This occurs because the plugin improperly uses the user\u0026rsquo;s current ACL token for all queries, effectively granting the user the same level of access across all organizations as they have in their primary organization. 
This vulnerability allows for potentially broad data exfiltration and privilege escalation within a Velociraptor deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a user account within one organization in a vulnerable Velociraptor instance (version \u0026lt; 0.76.3).\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Velociraptor GUI.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new notebook or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin a notebook cell, the attacker uses the \u003ccode\u003equery()\u003c/code\u003e plugin with a crafted VQL query designed to access data from a different organization. For example, using \u003ccode\u003eSELECT * FROM org_id='TARGET_ORG'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Velociraptor server processes the query using the attacker\u0026rsquo;s existing ACL token, bypassing the organization\u0026rsquo;s access controls.\u003c/li\u003e\n\u003cli\u003eThe server returns data from the target organization to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved data, potentially gaining access to sensitive information or identifying further targets within the compromised Velociraptor instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information gathered to perform actions in other organizations, based on the permissions of their initial account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6290 could allow an attacker to gain unauthorized access to sensitive data stored within different organizations managed by the same Velociraptor instance.  This could lead to the exfiltration of confidential information, potential privilege escalation within targeted organizations, and a compromise of the overall security posture of the affected environment. 
The severity is compounded by the fact that it\u0026rsquo;s a logic error within a security product, making it harder to detect and remediate without patching. The CVSS v3.1 score is 8.0 HIGH, indicating a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all Velociraptor installations to version 0.76.3 or later to patch CVE-2026-6290.\u003c/li\u003e\n\u003cli\u003ePrioritize reviewing Velociraptor user accounts and their assigned organizational access to identify potentially compromised accounts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect anomalous use of the \u003ccode\u003equery()\u003c/code\u003e plugin that targets different organizations than the user\u0026rsquo;s primary organization.\u003c/li\u003e\n\u003cli\u003eMonitor Velociraptor server logs for any unexpected access patterns or data retrieval attempts originating from the \u003ccode\u003equery()\u003c/code\u003e plugin.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T18:17:25Z","date_published":"2026-04-15T18:17:25Z","id":"/briefs/2026-04-velociraptor-auth-bypass/","summary":"Velociraptor versions prior to 0.76.3 contain an authentication bypass vulnerability in the query() plugin, allowing authenticated users to access data from other organizations within the Velociraptor deployment, potentially leading to unauthorized data access and privilege escalation.","title":"Velociraptor Authentication Bypass via query() Plugin","url":"https://feed.craftedsignal.io/briefs/2026-04-velociraptor-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["oauth2-proxy","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOAuth2 Proxy is vulnerable to an authentication bypass (CVE-2026-34457) when configured with 
\u003ccode\u003eauth_request\u003c/code\u003e-style integration (e.g., nginx \u003ccode\u003eauth_request\u003c/code\u003e) and either the \u003ccode\u003e--ping-user-agent\u003c/code\u003e option is set or \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled. This flaw allows an unauthenticated remote attacker to gain unauthorized access to protected upstream resources. The vulnerability exists because OAuth2 Proxy incorrectly treats requests with the configured health check \u003ccode\u003eUser-Agent\u003c/code\u003e value as legitimate health checks, irrespective of the requested path. This bypasses the normal login flow, granting access without proper authentication. Versions prior to v7.15.2 are affected, alongside versions \u0026lt;= 3.2.0. Defenders must take immediate action to remediate affected deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OAuth2 Proxy deployment utilizing \u003ccode\u003eauth_request\u003c/code\u003e and either \u003ccode\u003e--ping-user-agent\u003c/code\u003e or \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker determines the configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e value or identifies that \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled (default User-Agent: GoogleHC/1.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP request to a protected resource, setting the \u003ccode\u003eUser-Agent\u003c/code\u003e header to the configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e value (or \u0026ldquo;GoogleHC/1.0\u0026rdquo; if \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e is enabled).\u003c/li\u003e\n\u003cli\u003eThe reverse proxy (e.g., Nginx) forwards the request to the OAuth2 Proxy\u0026rsquo;s \u003ccode\u003e/oauth2/auth\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy incorrectly interprets the request as a 
health check due to the matching \u003ccode\u003eUser-Agent\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eOAuth2 Proxy responds to the reverse proxy with a 200 OK status, indicating successful authentication.\u003c/li\u003e\n\u003cli\u003eThe reverse proxy, believing the authentication was successful, forwards the attacker\u0026rsquo;s request to the protected upstream resource.\u003c/li\u003e\n\u003cli\u003eAttacker successfully accesses the protected resource without authenticating, achieving unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in complete authentication bypass, granting attackers unauthorized access to sensitive resources protected by OAuth2 Proxy. The number of affected deployments is unknown, but any organization using OAuth2 Proxy with the specified configurations is potentially at risk. This can lead to data breaches, service disruption, and other severe security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OAuth2 Proxy version \u003ccode\u003ev7.15.2\u003c/code\u003e or later to patch CVE-2026-34457.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003e--gcp-healthchecks\u003c/code\u003e flag if it is enabled.\u003c/li\u003e\n\u003cli\u003eRemove any configured \u003ccode\u003e--ping-user-agent\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eImplement reverse proxy configurations, such as the provided Nginx example, to prevent forwarding client-controlled \u003ccode\u003eUser-Agent\u003c/code\u003e headers to the OAuth2 Proxy \u003ccode\u003e/oauth2/auth\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;OAuth2 Proxy Authentication Bypass Attempt\u0026rdquo; to detect malicious requests exploiting this 
vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-oauth2-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-34457) exists in OAuth2 Proxy when used with `auth_request`-style integration and either `--ping-user-agent` is set or `--gcp-healthchecks` is enabled, allowing unauthenticated access to protected resources.","title":"OAuth2 Proxy Authentication Bypass via User-Agent Header","url":"https://feed.craftedsignal.io/briefs/2026-04-oauth2-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33892"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-33892","authentication-bypass","industrial-control-system","edge-management"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, CVE-2026-33892, affects Industrial Edge Management Pro V1 (versions \u0026gt;= V1.7.6 and \u0026lt; V1.15.17), Industrial Edge Management Pro V2 (versions \u0026gt;= V2.0.0 and \u0026lt; V2.1.1), and Industrial Edge Management Virtual (versions \u0026gt;= V2.2.0 and \u0026lt; V2.8.0). The flaw stems from a failure to properly enforce user authentication on remote connections to managed devices. An unauthenticated attacker can exploit this vulnerability to circumvent authentication mechanisms and impersonate a legitimate user, potentially gaining unauthorized access to and control over the affected devices. Successful exploitation requires the attacker to discover the header and port used for remote connections and that the remote connection feature is enabled on the targeted device. 
While exploitation grants access to the device, it\u0026rsquo;s important to note that security features implemented directly on the device itself, such as application-specific authentication, remain unaffected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Industrial Edge Management Pro or Virtual instance.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the target system to identify the header and port used for remote connections to managed devices. This may involve network scanning or analyzing network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-33892 by crafting a malicious request that bypasses authentication, impersonating a legitimate user. This request is sent to the identified port using the specific header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable system accepts the unauthenticated request due to the improper enforcement of user authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a tunnel to the targeted managed device.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the managed device, potentially allowing them to execute commands or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the tunneled connection to further compromise the device or network.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective depends on their motives, potentially involving data exfiltration, disruption of services, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33892 can lead to complete compromise of Industrial Edge Management systems and the managed devices connected to them. This could enable attackers to disrupt critical industrial processes, steal sensitive data, or launch further attacks within the affected network. 
The lack of proper authentication enforcement allows an attacker to impersonate legitimate users, granting them elevated privileges and potentially unrestricted access to the compromised system and devices. The severity of the impact depends on the criticality of the managed devices and the data they handle.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Industrial Edge Management Pro V1 to a version \u0026gt;= V1.15.17, Pro V2 to a version \u0026gt;= V2.1.1, and Virtual to a version \u0026gt;= V2.8.0 to patch CVE-2026-33892, as outlined in the product\u0026rsquo;s security advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious connections to Industrial Edge Management systems on non-standard ports, using the provided network_connection Sigma rule to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate Industrial Edge Management systems and managed devices from other parts of the network, limiting the potential impact of a successful exploit.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong authentication policies on the managed devices themselves to mitigate the risk of unauthorized access even if the Industrial Edge Management system is compromised.\u003c/li\u003e\n\u003cli\u003eEnable and review logs from Industrial Edge Management systems, focusing on authentication attempts and remote connection activity, to detect and respond to suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T09:16:36Z","date_published":"2026-04-14T09:16:36Z","id":"/briefs/2026-04-industrial-edge-auth-bypass/","summary":"CVE-2026-33892 allows an unauthenticated remote attacker to bypass authentication and impersonate a legitimate user in affected Industrial Edge Management Pro and Virtual versions by exploiting improper enforcement of user authentication on remote connections to 
devices, potentially enabling unauthorized access and control.","title":"Industrial Edge Management Authentication Bypass Vulnerability (CVE-2026-33892)","url":"https://feed.craftedsignal.io/briefs/2026-04-industrial-edge-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-24032"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sinec-nms","authentication-bypass","cve-2026-24032","siemens"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-24032, affects SINEC NMS (Network Management System) versions prior to V4.0 SP3 with UMC (Unified Management Center). This weakness stems from insufficient validation of user identity within the UMC component, a central piece of the SINEC NMS architecture. Successful exploitation could allow a remote, unauthenticated attacker to bypass security measures and gain unauthorized access to the SINEC NMS application. Siemens has released a security advisory (SSA-801704) addressing this vulnerability. This poses a significant risk to organizations relying on SINEC NMS for network management, potentially leading to data breaches, system compromise, and denial-of-service attacks. 
The vulnerability was reported through the Zero Day Initiative (ZDI-CAN-27564).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable SINEC NMS instance running a version prior to V4.0 SP3 with UMC.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request that exploits the insufficient user identity validation in the UMC component.\u003c/li\u003e\n\u003cli\u003eThis request is sent to the SINEC NMS server, targeting the UMC component\u0026rsquo;s authentication process.\u003c/li\u003e\n\u003cli\u003eThe UMC component fails to properly validate the user\u0026rsquo;s identity due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses the authentication mechanism, gaining unauthorized access.\u003c/li\u003e\n\u003cli\u003eWith unauthorized access, the attacker can access sensitive data within the SINEC NMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker may then leverage their access to modify configurations, add malicious users, or disrupt network operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-24032 allows an unauthenticated remote attacker to gain complete unauthorized access to the SINEC NMS application. This could lead to the compromise of sensitive network configuration data, allowing the attacker to reconfigure managed network devices, monitor network traffic, and potentially disrupt critical infrastructure. 
Given the broad use of SINEC NMS in industrial control systems (ICS) and critical infrastructure, a successful attack could have significant consequences, including financial losses, operational downtime, and even physical damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade SINEC NMS to version V4.0 SP3 with UMC or later to patch CVE-2026-24032 as referenced in the Siemens advisory \u003ca href=\"https://cert-portal.siemens.com/productcert/html/ssa-801704.html\"\u003ehttps://cert-portal.siemens.com/productcert/html/ssa-801704.html\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity and unexpected requests targeting the UMC component.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T09:16:34Z","date_published":"2026-04-14T09:16:34Z","id":"/briefs/2026-04-sinecnms-auth-bypass/","summary":"An authentication bypass vulnerability (CVE-2026-24032) exists in SINEC NMS versions prior to V4.0 SP3 due to insufficient user identity validation in the UMC component, allowing unauthenticated remote attackers to gain unauthorized access.","title":"SINEC NMS Authentication Bypass Vulnerability (CVE-2026-24032)","url":"https://feed.craftedsignal.io/briefs/2026-04-sinecnms-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["minio","authentication-bypass","object-storage"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMinIO is susceptible to two authentication bypass vulnerabilities affecting all deployments up to AIStor RELEASE.2026-04-11T03-20-12Z. The vulnerability lies within the \u003ccode\u003eSTREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e code path. 
An attacker possessing a valid access key (including the default \u003ccode\u003eminioadmin\u003c/code\u003e or any key with WRITE permissions) can exploit these flaws to write arbitrary objects to any bucket. This bypass eliminates the need for the secret key or a valid cryptographic signature. One vulnerability involves missing signature verification in \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e, while the other bypasses signature verification using query-string credentials. These issues stem from the introduction of \u003ccode\u003eauthTypeStreamingUnsignedTrailer\u003c/code\u003e support in commit 76913a9fd, specifically impacting releases from RELEASE.2023-05-18T00-05-36Z onwards.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid MinIO access key, either through default credentials or compromised accounts.\u003c/li\u003e\n\u003cli\u003eFor vulnerability 1, the attacker crafts a PUT request with \u003ccode\u003eX-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e, \u003ccode\u003eX-Amz-Meta-Snowball-Auto-Extract: true\u003c/code\u003e, and an \u003ccode\u003eAuthorization\u003c/code\u003e header containing the valid access key but a fabricated signature.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the MinIO server\u0026rsquo;s \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the missing signature verification in the \u003ccode\u003ePutObjectExtractHandler\u003c/code\u003e, the request proceeds without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe server extracts the access key and checks IAM permissions via \u003ccode\u003eisPutActionAllowed\u003c/code\u003e, but the fabricated signature is not validated.\u003c/li\u003e\n\u003cli\u003eThe server accepts the request, and the attacker-controlled payload is extracted into the target bucket.\u003c/li\u003e\n\u003cli\u003eFor 
vulnerability 2, the attacker crafts a PUT or PUT Part request omitting the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker includes authentication credentials (access key) exclusively via the \u003ccode\u003eX-Amz-Credential\u003c/code\u003e query parameter. Since the \u003ccode\u003eAuthorization\u003c/code\u003e header is missing, signature verification is skipped, and the request proceeds with the permissions of the impersonated access key, allowing the attacker to write arbitrary objects.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows unauthorized users to modify objects within MinIO storage buckets, potentially leading to data breaches, service disruptions, or the injection of malicious content. Any MinIO deployment is affected, creating a widespread risk for organizations relying on MinIO for their storage infrastructure. The CVSS v4.0 score of 8.8 (High) highlights the severity and potential impact of these vulnerabilities. 
The number of victims depends on the adoption rate of vulnerable MinIO versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to MinIO AIStor version \u003ccode\u003eRELEASE.2026-04-11T03-20-12Z\u003c/code\u003e or later, as indicated in the \u003ca href=\"https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/\"\u003eMinIO AIStor documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement a block at the load balancer or reverse proxy to reject any requests containing \u003ccode\u003eX-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER\u003c/code\u003e, as mentioned in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MinIO Unsigned Payload Trailer\u003c/code\u003e to identify exploitation attempts based on the presence of the vulnerable header.\u003c/li\u003e\n\u003cli\u003eReview and restrict WRITE permissions (\u003ccode\u003es3:PutObject\u003c/code\u003e) to trusted principals to reduce the attack surface as described in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T00:05:52Z","date_published":"2026-04-14T00:05:52Z","id":"/briefs/2026-04-minio-auth-bypass/","summary":"Two authentication bypass vulnerabilities in MinIO allow writing arbitrary objects to any bucket with only a valid access key, without the secret key or valid signature, impacting all MinIO deployments.","title":"MinIO Unauthenticated Object Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-minio-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6129"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-6129","authentication-bypass","chatgpt-on-wechat"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA 
critical authentication bypass vulnerability, CVE-2026-6129, has been identified in zhayujie chatgpt-on-wechat CowAgent versions up to 2.0.4. This flaw resides within the Agent Mode Service component and enables unauthenticated remote attackers to execute unauthorized actions by manipulating requests. The vulnerability stems from missing authentication checks, allowing malicious actors to potentially gain unauthorized access and control over affected systems. Exploit code is publicly available, increasing the risk of widespread exploitation. The vendor has been notified, but has not yet responded to the report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of zhayujie chatgpt-on-wechat CowAgent running version 2.0.4 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request targeting the Agent Mode Service.\u003c/li\u003e\n\u003cli\u003eThe malicious request bypasses authentication checks due to the missing authentication vulnerability (CVE-2026-6129).\u003c/li\u003e\n\u003cli\u003eThe Agent Mode Service processes the crafted request without proper authorization.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to sensitive functions and data within the application.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the gained access to execute arbitrary commands or manipulate application settings.\u003c/li\u003e\n\u003cli\u003eAttacker potentially escalates privileges within the application.\u003c/li\u003e\n\u003cli\u003eAttacker achieves full control over the affected chatgpt-on-wechat CowAgent instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6129 can lead to complete compromise of the chatgpt-on-wechat CowAgent instance. 
This includes unauthorized access to user data, modification of application settings, and potentially remote code execution. The lack of authentication allows attackers to perform administrative actions without legitimate credentials. The impact is significant, especially if the affected instance handles sensitive information or is integrated with critical systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for zhayujie chatgpt-on-wechat CowAgent immediately to remediate CVE-2026-6129.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the Agent Mode Service to identify potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect ChatGPT WeChat CowAgent Authentication Bypass Attempt\u003c/code\u003e to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication mechanisms for all application endpoints, especially those handling sensitive data or administrative functions.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the chatgpt-on-wechat CowAgent instance to only authorized users and systems.\u003c/li\u003e\n\u003cli\u003eReview and audit the application\u0026rsquo;s codebase to identify and address any other potential security vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T20:16:19Z","date_published":"2026-04-12T20:16:19Z","id":"/briefs/2026-04-chatgpt-wechat-auth-bypass/","summary":"CVE-2026-6129 is a critical vulnerability in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4, allowing remote attackers to bypass authentication via manipulation of the Agent Mode Service.","title":"zhayujie chatgpt-on-wechat CowAgent Authentication Bypass 
(CVE-2026-6129)","url":"https://feed.craftedsignal.io/briefs/2026-04-chatgpt-wechat-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6126"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-6126","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-6126, has been discovered in zhayujie chatgpt-on-wechat CowAgent version 2.0.4. This flaw resides within an unspecified function of the Administrative HTTP Endpoint component. Successful exploitation of this vulnerability allows remote attackers to bypass authentication mechanisms, potentially leading to unauthorized access and control over the affected system. The vulnerability is due to missing authentication checks on a critical function. Publicly available exploits exist, increasing the likelihood of exploitation. The project maintainers were notified; however, there has been no response at the time of this writing. 
This poses a significant risk to any deployment of chatgpt-on-wechat CowAgent 2.0.4 accessible over a network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable instance of zhayujie chatgpt-on-wechat CowAgent 2.0.4.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the Administrative HTTP Endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious request bypasses authentication due to the missing authentication vulnerability (CVE-2026-6126).\u003c/li\u003e\n\u003cli\u003eThe request executes an unauthorized administrative function.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to sensitive data or configuration.\u003c/li\u003e\n\u003cli\u003eAttacker deploys a persistent backdoor for long-term access.\u003c/li\u003e\n\u003cli\u003eAttacker uses the backdoor to pivot to other systems or networks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6126 can lead to complete compromise of the chatgpt-on-wechat CowAgent instance. This may enable attackers to access sensitive data, modify configurations, or disrupt services. Given that the application integrates with WeChat, a successful attack might expose sensitive user data or allow the attacker to conduct further attacks via the compromised instance. 
Due to the ease of exploitation and public availability of exploit code, the risk is considered high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for zhayujie chatgpt-on-wechat CowAgent to address CVE-2026-6126 as soon as they are released.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the Administrative HTTP Endpoint using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised CowAgent instance.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block exploit attempts targeting CVE-2026-6126.\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of the chatgpt-on-wechat CowAgent deployment to identify and remediate potential vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T11:16:16Z","date_published":"2026-04-12T11:16:16Z","id":"/briefs/2026-04-cowagent-auth-bypass/","summary":"CVE-2026-6126 is an unauthenticated remote code execution vulnerability in zhayujie chatgpt-on-wechat CowAgent 2.0.4 due to missing authentication in the Administrative HTTP Endpoint.","title":"zhayujie chatgpt-on-wechat CowAgent Authentication Bypass Vulnerability (CVE-2026-6126)","url":"https://feed.craftedsignal.io/briefs/2026-04-cowagent-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39976"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39976","laravel","oauth2","authentication bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLaravel Passport, an OAuth2 server implementation for Laravel, is vulnerable to an authentication bypass (CVE-2026-39976) in versions 13.0.0 up to, but not including, 13.7.1. 
The vulnerability stems from the \u003ccode\u003eleague/oauth2-server\u003c/code\u003e library, where the JWT \u003ccode\u003esub\u003c/code\u003e claim is set to the client identifier for \u003ccode\u003eclient_credentials\u003c/code\u003e tokens, as there is no associated user. Subsequently, the token guard uses this client identifier to retrieve user information via \u003ccode\u003eretrieveById()\u003c/code\u003e without proper validation, potentially resolving and authenticating an unrelated, real user. This means any machine-to-machine token can inadvertently authenticate as an actual user within the Laravel application, allowing attackers to perform actions with the privileges of that authenticated user. The vulnerability is resolved in Laravel Passport version 13.7.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid \u003ccode\u003eclient_credentials\u003c/code\u003e token issued by Laravel Passport (versions 13.0.0 - 13.7.0). This could be a token intended for machine-to-machine communication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to a protected endpoint of the Laravel application, including the \u003ccode\u003eclient_credentials\u003c/code\u003e token in the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe Laravel Passport token guard extracts the JWT \u003ccode\u003esub\u003c/code\u003e claim from the token. 
In vulnerable versions, this \u003ccode\u003esub\u003c/code\u003e claim contains the client identifier.\u003c/li\u003e\n\u003cli\u003eThe token guard calls \u003ccode\u003eretrieveById()\u003c/code\u003e using the client identifier from the \u003ccode\u003esub\u003c/code\u003e claim as the user ID.\u003c/li\u003e\n\u003cli\u003eDue to the lack of validation, \u003ccode\u003eretrieveById()\u003c/code\u003e queries the user database, potentially finding a user whose ID matches the client identifier.\u003c/li\u003e\n\u003cli\u003eIf a user with the matching ID is found, the application authenticates the request as that user, granting the attacker their privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access resources and perform actions as the authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the user\u0026rsquo;s privileges to compromise data or perform unauthorized actions within the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39976 allows attackers to bypass authentication and gain unauthorized access to user accounts in Laravel applications using affected versions of Laravel Passport. This can lead to data breaches, privilege escalation, and other malicious activities, depending on the privileges of the compromised user accounts. The severity of the impact depends on the application\u0026rsquo;s functionality and the sensitivity of the data it handles. 
Potentially all applications using Laravel Passport for authentication are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Laravel Passport to version 13.7.1 or later to patch CVE-2026-39976.\u003c/li\u003e\n\u003cli\u003eImplement additional validation within the application\u0026rsquo;s authentication logic to verify that the user ID extracted from the JWT \u003ccode\u003esub\u003c/code\u003e claim corresponds to a valid user, especially when using \u003ccode\u003eclient_credentials\u003c/code\u003e tokens.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unexpected authentication events or API requests originating from machine-to-machine tokens that are being authenticated as users. The \u003ccode\u003ewebserver\u003c/code\u003e log source can be used for this monitoring.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect requests to protected endpoints with \u003ccode\u003eclient_credentials\u003c/code\u003e tokens that are incorrectly authenticated as users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:16:31Z","date_published":"2026-04-09T17:16:31Z","id":"/briefs/2026-04-laravel-auth-bypass/","summary":"Laravel Passport versions 13.0.0 before 13.7.1 contain an authentication bypass vulnerability (CVE-2026-39976) where machine-to-machine tokens can authenticate as a real user due to improper validation of the JWT sub claim.","title":"Laravel Passport Authentication Bypass Vulnerability (CVE-2026-39976)","url":"https://feed.craftedsignal.io/briefs/2026-04-laravel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["litellm","authentication-bypass","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLiteLLM versions prior to 1.83.0 are vulnerable to an authentication bypass vulnerability. 
User passwords are stored as unsalted SHA-256 hashes, a weak cryptographic practice that makes them susceptible to rainbow table attacks. Furthermore, these password hashes are exposed through several API endpoints, including \u003ccode\u003e/user/info\u003c/code\u003e, \u003ccode\u003e/user/update\u003c/code\u003e, and \u003ccode\u003e/spend/users\u003c/code\u003e, allowing any authenticated user to retrieve them. The \u003ccode\u003e/v2/login\u003c/code\u003e endpoint also accepts the raw SHA-256 hash as a valid password without proper re-hashing. This combination of vulnerabilities allows an attacker with low-level access to escalate privileges by obtaining another user\u0026rsquo;s password hash and using it to directly log in as that user. Defenders should upgrade to version 1.83.0 or later to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to LiteLLM and authenticates as a low-privilege user.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to \u003ccode\u003e/user/info\u003c/code\u003e to retrieve the password hash of another user.\u003c/li\u003e\n\u003cli\u003eThe API responds with the target user\u0026rsquo;s SHA-256 password hash.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to the \u003ccode\u003e/v2/login\u003c/code\u003e endpoint using the stolen SHA-256 hash as the password.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/v2/login\u003c/code\u003e endpoint accepts the raw SHA-256 hash without re-hashing.\u003c/li\u003e\n\u003cli\u003eThe server authenticates the attacker as the target user.\u003c/li\u003e\n\u003cli\u003eAttacker now has the privileges of the target user, potentially gaining access to sensitive data or administrative functions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to unauthorized 
access and privilege escalation within the LiteLLM application. An attacker can impersonate other users, including administrators, potentially leading to data breaches, system compromise, and unauthorized modifications. The number of victims depends on the deployment size, but any LiteLLM instance running a version prior to 1.83.0 is vulnerable. Sectors utilizing LiteLLM are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.0 or later to patch the vulnerability (reference: Patches section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM User Info Hash Access\u0026rdquo; to monitor for unauthorized access to user password hashes via the \u003ccode\u003e/user/info\u003c/code\u003e endpoint (reference: rule: \u0026ldquo;Detect LiteLLM User Info Hash Access\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM Login with SHA256 Hash\u0026rdquo; to detect login attempts using SHA256 hashes (reference: rule: \u0026ldquo;Detect LiteLLM Login with SHA256 Hash\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:04:12Z","date_published":"2026-04-08T00:04:12Z","id":"/briefs/2024-01-09-litellm-auth-bypass/","summary":"LiteLLM versions before 1.83.0 stored user passwords as unsalted SHA-256 hashes and exposed these hashes through multiple API endpoints, enabling an authenticated user to retrieve another user's password hash and use it to log in as that user due to the /v2/login endpoint accepting the raw SHA-256 hash without re-hashing, leading to potential privilege escalation.","title":"LiteLLM Authentication Bypass via Password Hash Exposure and 
Pass-the-Hash","url":"https://feed.craftedsignal.io/briefs/2024-01-09-litellm-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5676"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5676","authentication-bypass","totolink"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5676 is an authentication bypass vulnerability affecting Totolink A8000R routers with firmware version 5.9c.681_B20180413. The vulnerability resides in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, specifically within the \u003ccode\u003esetLanguageCfg\u003c/code\u003e function. By manipulating the \u003ccode\u003elangType\u003c/code\u003e argument, an attacker can bypass authentication checks, potentially gaining unauthorized access to sensitive router functionalities. This vulnerability can be exploited remotely without requiring any prior authentication. A public exploit is available, increasing the likelihood of exploitation. 
Defenders should prioritize detection and patching of this vulnerability to prevent unauthorized access and control of affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Totolink A8000R router running firmware 5.9c.681_B20180413.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request targets the \u003ccode\u003esetLanguageCfg\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003elangType\u003c/code\u003e argument designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esetLanguageCfg\u003c/code\u003e function processes the request without proper authentication checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to router configuration settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies sensitive settings such as DNS, routing rules, or firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control of the router, potentially using it for malicious purposes like eavesdropping, traffic redirection, or botnet activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5676 allows a remote, unauthenticated attacker to gain full control of the affected Totolink A8000R router. This can lead to a variety of malicious activities, including unauthorized access to the local network, data theft, DNS hijacking, and the use of the router as part of a botnet. 
The potential number of affected devices is substantial, as the A8000R model is widely used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect malicious HTTP requests targeting the vulnerable \u003ccode\u003esetLanguageCfg\u003c/code\u003e function (see \u0026ldquo;Detect Totolink A8000R Authentication Bypass Attempt\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusual \u003ccode\u003elangType\u003c/code\u003e parameters (see \u0026ldquo;Detect Totolink A8000R Authentication Bypass Attempt\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eUpgrade the firmware of Totolink A8000R routers to a patched version that addresses CVE-2026-5676 (consult the vendor\u0026rsquo;s website for updates).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other devices on the network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T19:16:30Z","date_published":"2026-04-06T19:16:30Z","id":"/briefs/2026-04-totolink-auth-bypass/","summary":"A remote, unauthenticated attacker can bypass authentication on Totolink A8000R routers running firmware version 5.9c.681_B20180413 by manipulating the `langType` argument in the `setLanguageCfg` function of the `/cgi-bin/cstecgi.cgi` file.","title":"Totolink A8000R Authentication Bypass Vulnerability (CVE-2026-5676)","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3524"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["mattermost","authentication-bypass","legal-hold"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Mattermost Legal Hold plugin, in versions 1.1.4 and earlier, contains an authentication bypass vulnerability (CVE-2026-3524) 
that can be exploited by authenticated attackers. The vulnerability lies in the ServeHTTP function, where a failed authorization check does not properly halt request processing. This flaw allows attackers to craft malicious API requests to the plugin\u0026rsquo;s endpoints, enabling them to access, create, download, and delete legal hold data without proper authorization. The vulnerability is identified by Mattermost Advisory ID MMSA-2026-00621 and poses a significant risk to organizations using the affected plugin versions, potentially leading to data breaches and compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Mattermost server with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious API request targeting the Legal Hold plugin\u0026rsquo;s endpoints.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Mattermost server.\u003c/li\u003e\n\u003cli\u003eThe ServeHTTP function in the Legal Hold plugin processes the request.\u003c/li\u003e\n\u003cli\u003eAuthorization check fails due to insufficient privileges or incorrect parameters.\u003c/li\u003e\n\u003cli\u003eInstead of halting request processing, the plugin continues to execute the request.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to legal hold data or performs unauthorized actions (create, download, delete).\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates or manipulates sensitive legal hold information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3524) allows authenticated attackers to bypass authorization controls within the Mattermost Legal Hold plugin. This can result in unauthorized access, creation, modification, or deletion of sensitive legal hold data. 
The vulnerability affects versions 1.1.4 and earlier of the plugin. Organizations using the affected versions are at risk of data breaches, compliance violations, and reputational damage. A CVSS v3.1 score of 8.8 indicates a high level of severity due to the potential for significant data compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Mattermost Legal Hold plugin to a version later than 1.1.4 to remediate CVE-2026-3524.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect exploitation attempts targeting the vulnerable Legal Hold plugin endpoints (see rules section).\u003c/li\u003e\n\u003cli\u003eMonitor Mattermost server logs for unusual API requests to the Legal Hold plugin, specifically those resulting in unexpected data access or modification, as a potential sign of exploitation (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T13:17:18Z","date_published":"2026-04-06T13:17:18Z","id":"/briefs/2026-04-mattermost-legal-hold-auth-bypass/","summary":"Mattermost Legal Hold plugin versions 1.1.4 and earlier allow authenticated attackers to bypass authorization checks, enabling unauthorized access and modification of legal hold data via crafted API requests.","title":"Mattermost Legal Hold Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mattermost-legal-hold-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5632"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-5632","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, CVE-2026-5632, has been identified in assafelovic\u0026rsquo;s gpt-researcher up to version 3.4.3. The vulnerability resides within the HTTP REST API Endpoint component. 
A remote attacker can exploit this flaw by manipulating requests, effectively bypassing authentication mechanisms. This issue allows unauthorized access to functionalities that should be protected. A proof-of-concept exploit is publicly available, increasing the risk of exploitation. Despite being reported through issue #1695, the project maintainers have not yet provided a patch or mitigation. The vulnerability poses a significant threat to systems running affected versions of gpt-researcher, potentially leading to data breaches, unauthorized modifications, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable gpt-researcher instance running version 3.4.3 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the vulnerable HTTP REST API Endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates authentication parameters, exploiting the authentication bypass vulnerability (CVE-2026-5632).\u003c/li\u003e\n\u003cli\u003eThe application fails to properly validate the request due to the missing authentication check.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to restricted functionalities and data.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, such as retrieving sensitive information, modifying data, or executing arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges within the application to further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5632 allows an unauthenticated attacker to perform actions as if they were a legitimate user. The impact includes unauthorized access to sensitive data, modification of system settings, or even complete system compromise. 
Given the nature of gpt-researcher, this could lead to the exposure of research data, API keys, or other confidential information. As a publicly known exploit exists, the risk is elevated for deployments that have not yet been patched or mitigated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for assafelovic gpt-researcher to address CVE-2026-5632.\u003c/li\u003e\n\u003cli\u003eIf a patch is not yet available, implement temporary mitigations such as access control restrictions or input validation on the HTTP REST API Endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the HTTP REST API Endpoint to identify potential exploitation attempts; deploy the Sigma rule \u0026ldquo;Detect GPT Researcher Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit.\u003c/li\u003e\n\u003cli\u003eReview and harden authentication and authorization mechanisms within the gpt-researcher application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T07:16:02Z","date_published":"2026-04-06T07:16:02Z","id":"/briefs/2026-04-gpt-researcher-auth-bypass/","summary":"CVE-2026-5632 is an authentication bypass vulnerability in assafelovic gpt-researcher up to version 3.4.3, affecting the HTTP REST API Endpoint and allowing remote attackers to perform actions without proper authorization.","title":"GPT Researcher Authentication Bypass Vulnerability 
(CVE-2026-5632)","url":"https://feed.craftedsignal.io/briefs/2026-04-gpt-researcher-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5616"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jeecgboot","authentication-bypass","ai-chat-module"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability has been identified in JeecgBoot, a low-code development platform, affecting versions 3.9.0 and 3.9.1. The vulnerability resides within the AI Chat Module, specifically impacting the \u003ccode\u003ejeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java\u003c/code\u003e file. An attacker can exploit this flaw remotely to bypass authentication mechanisms, potentially gaining unauthorized access to sensitive functionalities or data. The identified patch is \u003ccode\u003eb7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59\u003c/code\u003e. 
The project has addressed the issue with a commit that will be included in the next official release, urging users to apply the patch.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a JeecgBoot instance running versions 3.9.0 or 3.9.1 with the AI Chat Module enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable \u003ccode\u003eJeecgBizToolsProvider.java\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThis request exploits the authentication bypass vulnerability, likely by manipulating specific parameters or headers.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly validate the attacker\u0026rsquo;s identity due to the missing authentication check.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the AI Chat Module\u0026rsquo;s functionalities.\u003c/li\u003e\n\u003cli\u003eDepending on the module\u0026rsquo;s capabilities, the attacker could potentially access user data or execute arbitrary code within the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised AI Chat Module to escalate privileges within the JeecgBoot application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to gain unauthorized access to the AI Chat Module in vulnerable JeecgBoot instances. The impact could range from data breaches and unauthorized access to sensitive information to complete system compromise, depending on the permissions and functionality exposed through the AI Chat Module. 
While the number of affected instances is currently unknown, JeecgBoot\u0026rsquo;s popularity suggests a potentially widespread risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch \u003ccode\u003eb7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59\u003c/code\u003e to the vulnerable \u003ccode\u003eJeecgBizToolsProvider.java\u003c/code\u003e file immediately.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the AI Chat Module endpoints, specifically \u003ccode\u003eJeecgBizToolsProvider.java\u003c/code\u003e, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eUpgrade to the next official release of JeecgBoot containing the fix for CVE-2026-5616 once it becomes available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T04:16:13Z","date_published":"2026-04-06T04:16:13Z","id":"/briefs/2026-04-jeecgboot-auth-bypass/","summary":"JeecgBoot versions 3.9.0 and 3.9.1 are vulnerable to a remote unauthenticated bypass in the AI Chat Module, specifically affecting the JeecgBizToolsProvider.java file, potentially allowing unauthorized access.","title":"JeecgBoot AI Chat Module Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-jeecgboot-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5570"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5570, exists in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This vulnerability resides within the \u003ccode\u003eindex_config\u003c/code\u003e function of the \u003ccode\u003e/LoginCB\u003c/code\u003e file. Successful exploitation allows remote attackers to bypass authentication mechanisms. 
Publicly available exploit code exists, increasing the risk of widespread exploitation. The vendor was notified but did not respond. Given the lack of vendor response and the existence of a public exploit, organizations using affected Technostrobe devices should immediately assess their exposure and implement mitigation measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Technostrobe HI-LED-WR120-G2 device running firmware version 5.5.0.1R6.03.30 accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/LoginCB\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper authentication flaw in the \u003ccode\u003eindex_config\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function fails to properly validate the attacker\u0026rsquo;s identity due to the flaw.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to administrative functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies device configurations, potentially disrupting operations or gaining further control.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gained access to access internal network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised device as a foothold for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5570 allows attackers to bypass authentication on affected Technostrobe HI-LED-WR120-G2 devices. This could lead to unauthorized access to sensitive configurations, disruption of lighting systems, and potential use of the compromised device as a pivot point for further attacks within the network. 
The lack of vendor response to the vulnerability exacerbates the risk, as no official patch is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/LoginCB\u003c/code\u003e endpoint, specifically those attempting to manipulate the \u003ccode\u003eindex_config\u003c/code\u003e function, to detect potential exploitation attempts related to CVE-2026-5570.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unauthorized access attempts via the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised Technostrobe device on other network resources.\u003c/li\u003e\n\u003cli\u003eConsider placing the affected Technostrobe device behind a reverse proxy with strict access controls and input validation rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T14:16:17Z","date_published":"2026-04-05T14:16:17Z","id":"/briefs/2026-04-technostrobe-auth-bypass/","summary":"CVE-2026-5570 is an improper authentication vulnerability in the index_config function of the /LoginCB file of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30, allowing remote attackers to bypass authentication.","title":"Technostrobe HI-LED-WR120-G2 Improper Authentication Vulnerability (CVE-2026-5570)","url":"https://feed.craftedsignal.io/briefs/2026-04-technostrobe-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-34952"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["vulnerability","authentication bypass","websocket"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-34952 exposes a critical vulnerability in PraisonAI, a multi-agent teams system. 
Specifically, versions of the PraisonAI Gateway server prior to 4.5.97 lack authentication for WebSocket connections at the \u003ccode\u003e/ws\u003c/code\u003e endpoint and for serving agent topology information at the \u003ccode\u003e/info\u003c/code\u003e endpoint. This absence of authentication means that any client on the network can connect to these endpoints. Attackers could exploit this vulnerability to enumerate registered agents, send arbitrary messages to agents and their associated tool sets, and potentially gain unauthorized control over the PraisonAI system. The vulnerability was reported on April 3, 2026, and is addressed in version 4.5.97 of PraisonAI.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable PraisonAI Gateway server running a version prior to 4.5.97.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a WebSocket connection to the \u003ccode\u003e/ws\u003c/code\u003e endpoint of the server without providing any credentials.\u003c/li\u003e\n\u003cli\u003eThe server, lacking authentication, accepts the connection.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003e/info\u003c/code\u003e endpoint to enumerate registered agents and their topology.\u003c/li\u003e\n\u003cli\u003eThe server responds with the agent topology data.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts arbitrary messages and sends them to specific agents through the established WebSocket connection.\u003c/li\u003e\n\u003cli\u003eThe targeted agent receives the message and executes the corresponding actions, potentially including tool usage or data modification.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized control over the PraisonAI system by manipulating agents and their tool sets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability 
could lead to complete compromise of the PraisonAI system. Attackers can enumerate and control agents, manipulate data, and potentially use the agents\u0026rsquo; tool sets for malicious purposes, such as data theft or system disruption. This could impact organizations relying on PraisonAI for critical functions, leading to financial losses, reputational damage, and operational downtime. The severity is high due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all PraisonAI Gateway servers to version 4.5.97 or later to patch CVE-2026-34952.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect unauthorized connections to the \u003ccode\u003e/ws\u003c/code\u003e and \u003ccode\u003e/info\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious WebSocket connections to the PraisonAI Gateway server to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:17:06Z","date_published":"2026-04-03T23:17:06Z","id":"/briefs/2026-04-praisonai-auth-bypass/","summary":"PraisonAI Gateway server versions prior to 4.5.97 allow unauthenticated access to WebSocket connections and agent topology, enabling unauthorized message sending and agent enumeration.","title":"PraisonAI Gateway Unauthenticated Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","jupyterhub","oauthenticator","cve-2026-33175"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOAuthenticator is a software package that enables the integration of OAuth2 identity providers with JupyterHub. 
A critical authentication bypass vulnerability, identified as CVE-2026-33175, affects OAuthenticator versions prior to 17.4.0. This flaw permits an attacker with an unverified email address on an Auth0 tenant to successfully authenticate and log in to a JupyterHub instance. The vulnerability arises when email is used as the \u003ccode\u003eusername_claim\u003c/code\u003e, granting attackers control over their username and potentially enabling account takeover. Organizations using affected versions of OAuthenticator in conjunction with Auth0 are at risk. The vulnerability was patched in version 17.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to an Auth0 tenant and creates an account.\u003c/li\u003e\n\u003cli\u003eThe attacker does not verify the email address associated with the Auth0 account.\u003c/li\u003e\n\u003cli\u003eJupyterHub is configured to use OAuthenticator for authentication, with email specified as the \u003ccode\u003eusername_claim\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to log in to JupyterHub using the unverified Auth0 account.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability in OAuthenticator versions prior to 17.4.0, the authentication bypass occurs, allowing the attacker to successfully log in.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the JupyterHub environment.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the compromised account to perform malicious activities, such as accessing sensitive data or modifying Jupyter notebooks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33175 allows unauthorized access to JupyterHub instances. This can lead to the compromise of sensitive data, modification of Jupyter notebooks, and potential disruption of services. 
The vulnerability impacts organizations that use OAuthenticator with Auth0 and rely on email as the username claim. The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OAuthenticator to version 17.4.0 or later to patch CVE-2026-33175.\u003c/li\u003e\n\u003cli\u003eReview JupyterHub configurations to ensure that email is not used as the \u003ccode\u003eusername_claim\u003c/code\u003e if possible.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for JupyterHub accounts to mitigate the risk of account takeover.\u003c/li\u003e\n\u003cli\u003eMonitor logs for suspicious login attempts from Auth0 accounts with unverified email addresses. Deploy the provided Sigma rule targeting process creation after successful authentication to detect suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T22:16:26Z","date_published":"2026-04-03T22:16:26Z","id":"/briefs/2026-04-oauthenticator-auth-bypass/","summary":"OAuthenticator versions prior to 17.4.0 contain an authentication bypass vulnerability (CVE-2026-33175) that allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub when email is used as the username claim, potentially leading to account takeover.","title":"OAuthenticator Authentication Bypass Vulnerability (CVE-2026-33175)","url":"https://feed.craftedsignal.io/briefs/2026-04-oauthenticator-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32646"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32646","authentication-bypass","device-management"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32646 describes a critical vulnerability affecting an unspecified device or application. 
This vulnerability allows unauthenticated access to a specific administrative endpoint, thereby bypassing intended access controls.  Successful exploitation grants unauthorized access to device management functions, potentially leading to configuration changes, data manipulation, or complete device compromise. The vulnerability was reported to ICS-CERT and assigned a CVSS v3.1 base score of 7.5 (High).  The specific products affected are not detailed in the source document. The vulnerability falls under CWE-306, Missing Authentication for Critical Function. Defenders need to identify affected systems and implement appropriate access controls to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies the vulnerable administrative endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthenticated Request:\u003c/strong\u003e The attacker sends a crafted HTTP request to the administrative endpoint without providing any authentication credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Granted:\u003c/strong\u003e Due to the missing authentication check, the server incorrectly grants access to the requested administrative functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDevice Information Retrieval:\u003c/strong\u003e The attacker uses the exposed administrative functions to retrieve sensitive device configuration information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Modification:\u003c/strong\u003e The attacker modifies device settings, potentially changing network configurations or security policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e Using the modified configuration, the attacker may escalate privileges within the affected system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement 
(Potential):\u003c/strong\u003e The compromised device is used as a pivot point to access other systems on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise:\u003c/strong\u003e The attacker achieves full control over the targeted device, potentially leading to data theft, denial of service, or further network compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32646 allows unauthorized access to device management functions. The specific impact depends on the functions exposed, but could include configuration changes, data manipulation, or complete device compromise. Absent specific product information, it is difficult to estimate the number of affected devices or target sectors; however, successful exploitation could lead to significant operational disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify systems potentially affected by CVE-2026-32646 and prioritize patching or mitigation (reference CVE-2026-32646).\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to administrative endpoints without valid authentication tokens or credentials (reference webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised device.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect unauthorized access attempts to administrative endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual activity originating from devices that may be vulnerable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:17:11Z","date_published":"2026-04-03T21:17:11Z","id":"/briefs/2026-04-cve-2026-32646/","summary":"CVE-2026-32646 allows unauthenticated access to a specific administrative endpoint, potentially exposing device management 
functions, with a CVSS v3.1 score of 7.5.","title":"Unauthenticated Access to Administrative Endpoint (CVE-2026-32646)","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-32646/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-20093"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","cisco","imc","cve-2026-20093"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, CVE-2026-20093, affects multiple versions of Cisco Integrated Management Controller (IMC) software. The vulnerability allows an unauthenticated remote attacker to bypass the login process and gain full administrative privileges on the affected system. This flaw stems from improper input validation (CWE-20). Exploitation grants the attacker the ability to change user passwords, manipulate hardware settings such as power cycling servers, and potentially use the compromised device to launch attacks on other systems within the network. The impacted product list is extensive, spanning multiple Cisco product lines, including the 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6 Rack Servers, and UCS E-Series M3/M6. 
This vulnerability poses a significant threat to organizations relying on these systems for critical infrastructure management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe unauthenticated attacker sends a specially crafted request to the Cisco IMC web interface.\u003c/li\u003e\n\u003cli\u003eThe vulnerable IMC software fails to properly validate the request, allowing the attacker to bypass the authentication mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative access to the IMC.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the password of an existing administrative user or creates a new administrative user.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the IMC with the newly acquired administrative credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies hardware settings, such as power management configurations, potentially power cycling servers.\u003c/li\u003e\n\u003cli\u003eThe attacker disrupts critical infrastructure managed by the compromised IMC.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised device as a pivot point to launch further attacks against other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20093 grants an attacker complete control over the affected Cisco IMC. This can lead to severe consequences, including disruption of critical services, data breaches, and lateral movement within the network. Given the hardware-level access provided by IMC, attackers can manipulate physical infrastructure, leading to extended downtime and potential data loss. 
The CCB has assessed the risk of this vulnerability as high due to the ease of exploitation and the potential impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected Cisco IMC instances to the latest available version to remediate CVE-2026-20093 (refer to the affected software list).\u003c/li\u003e\n\u003cli\u003eScale up monitoring and detection capabilities to identify any suspicious activity related to unauthorized access attempts to Cisco IMC web interfaces (deploy the Sigma rules provided).\u003c/li\u003e\n\u003cli\u003eIn case of an intrusion, report the incident via \u003ca href=\"https://ccb.belgium.be/en/cert/report-incident\"\u003ehttps://ccb.belgium.be/en/cert/report-incident\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T14:00:09Z","date_published":"2026-04-03T14:00:09Z","id":"/briefs/2026-04-cisco-imc-auth-bypass/","summary":"An unauthenticated remote attacker can exploit CVE-2026-20093 to bypass authentication in Cisco Integrated Management Controller (IMC), gain full administrative access, and manipulate hardware settings, potentially disrupting critical infrastructure.","title":"Critical Authentication Bypass Vulnerability in Cisco Integrated Management Controller (CVE-2026-20093)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-imc-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34840"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-34840","saml","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOneUptime, an open-source monitoring and observability platform, is vulnerable to an authentication bypass in versions prior to 10.0.42. 
The vulnerability, identified as CVE-2026-34840, resides in the SAML Single Sign-On (SSO) implementation within the \u003ccode\u003eApp/FeatureSet/Identity/Utils/SSO.ts\u003c/code\u003e file. The flawed logic involves a decoupling of signature verification and identity extraction processes. Specifically, the \u003ccode\u003eisSignatureValid()\u003c/code\u003e function checks the signature of the first \u003ccode\u003e\u0026lt;Signature\u0026gt;\u003c/code\u003e element, while the \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion element \u003ccode\u003eassertion[0]\u003c/code\u003e. This design allows an attacker to prepend a malicious, unsigned SAML assertion containing an arbitrary identity before a legitimate, signed assertion. This bypasses authentication, potentially granting unauthorized access to sensitive monitoring data and platform functionalities. The vulnerability has been patched in version 10.0.42.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious SAML response containing an unsigned assertion with a forged identity (e.g., a privileged user\u0026rsquo;s email).\u003c/li\u003e\n\u003cli\u003eThe attacker prepends this malicious assertion to a valid, signed SAML assertion generated for a low-privilege account or a newly created account.\u003c/li\u003e\n\u003cli\u003eThe combined SAML response is sent to the OneUptime platform for authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisSignatureValid()\u003c/code\u003e function verifies the signature of the second assertion (the originally signed, valid one), passing the signature check.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetEmail()\u003c/code\u003e function extracts the email address from the first assertion (the malicious, unsigned one), effectively impersonating the forged identity.\u003c/li\u003e\n\u003cli\u003eOneUptime grants access 
based on the forged identity extracted from the malicious assertion.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the OneUptime platform with the privileges of the impersonated user.\u003c/li\u003e\n\u003cli\u003eThe attacker can then view monitoring data, modify configurations, or perform other actions allowed to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34840 allows an attacker to bypass authentication and impersonate any user on the OneUptime platform. This could lead to unauthorized access to sensitive monitoring data, modification of system configurations, and potentially complete compromise of the OneUptime instance. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high severity. Organizations using vulnerable OneUptime versions are at risk of significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade OneUptime instances to version 10.0.42 or later to patch CVE-2026-34840.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to inspect SAML responses for multiple assertions and reject requests containing more than one assertion to prevent the attack described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious SAML authentication requests and responses, focusing on unusual source IPs or deviations from normal authentication patterns related to the webserver log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:16:28Z","date_published":"2026-04-02T20:16:28Z","id":"/briefs/2024-01-oneuptime-auth-bypass/","summary":"OneUptime versions prior to 10.0.42 are vulnerable to an authentication bypass due to improper SAML signature validation, allowing attackers to impersonate users by prepending 
unsigned assertions.","title":"OneUptime SAML SSO Authentication Bypass Vulnerability (CVE-2026-34840)","url":"https://feed.craftedsignal.io/briefs/2024-01-oneuptime-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-14034"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authentication bypass","cve-2024-14034","hieos","ics"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2024-14034 describes an authentication bypass vulnerability affecting Hirschmann HiEOS devices. The vulnerability resides within the HTTP(S) management module and allows unauthenticated remote attackers to gain administrative privileges. By sending specially crafted HTTP(S) requests, attackers can bypass authentication checks due to improper handling. This enables them to perform unauthorized actions such as downloading or uploading device configurations and modifying the device firmware. Successful exploitation leads to a complete compromise of the affected HiEOS device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Hirschmann HiEOS device accessible over the network via HTTP(S).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP(S) request designed to exploit the authentication bypass. 
This request likely targets specific endpoints in the management module.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP(S) request to the vulnerable HiEOS device.\u003c/li\u003e\n\u003cli\u003eDue to improper authentication handling, the device incorrectly processes the request, granting the attacker administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to download the device configuration, potentially exposing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the device configuration, injecting malicious settings or backdoors.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the modified configuration to the HiEOS device, effectively compromising its functionality.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could use their elevated privileges to upload and install a modified firmware image. This allows complete control over the device and can ensure persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-14034 allows an unauthenticated attacker to gain full administrative control over the targeted Hirschmann HiEOS device. This can lead to device configuration modification, firmware manipulation, and potential disruption of network services relying on the compromised device. Given the nature of HiEOS devices, successful attacks can impact industrial control systems (ICS) and critical infrastructure. 
A CVSS v3.1 base score of 9.8 reflects the critical severity and potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches or mitigations provided in the Belden Security Bulletin BSECV-2024-02 (reference URL in the References section) to remediate CVE-2024-14034.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual HTTP requests targeting the HiEOS management interface using the Sigma rule \u0026ldquo;Detect Suspicious HiEOS Management Requests\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of HiEOS devices and reduce the potential impact of a successful attack.\u003c/li\u003e\n\u003cli\u003eRegularly review and update firmware on HiEOS devices to address known vulnerabilities and improve overall security posture.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T20:16:19Z","date_published":"2026-04-02T20:16:19Z","id":"/briefs/2026-04-hieos-auth-bypass/","summary":"Hirschmann HiEOS devices contain an authentication bypass vulnerability (CVE-2024-14034) in the HTTP(S) management module, allowing unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP(S) requests.","title":"Hirschmann HiEOS HTTP(S) Management Module Authentication Bypass (CVE-2024-14034)","url":"https://feed.craftedsignal.io/briefs/2026-04-hieos-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-34581","authentication-bypass","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-34581 affects goshs, a SimpleHTTPServer written in Go. Versions 1.1.0 to before 2.0.0-beta.2 are susceptible to an authentication bypass vulnerability. 
When a user attempts to access the server with a Share Token, it is possible to bypass the intended file download restriction, gaining access to all goshs functionalities. This includes the ability to execute arbitrary code on the server. The vulnerability was patched in version 2.0.0-beta.2. This vulnerability allows unauthenticated attackers to potentially gain full control of the server hosting goshs. Organizations using affected versions of goshs should upgrade immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a server running a vulnerable version of goshs (1.1.0 to before 2.0.0-beta.2).\u003c/li\u003e\n\u003cli\u003eAttacker requests a resource that should be protected by the Share Token.\u003c/li\u003e\n\u003cli\u003eThe server prompts for the Share Token.\u003c/li\u003e\n\u003cli\u003eAttacker exploits the authentication bypass vulnerability by manipulating the request (details not specified in source).\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation grants the attacker access to all goshs functionalities, bypassing the intended file download restriction.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the unrestricted access to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eAttacker gains a shell or other form of remote access to the compromised server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34581 allows an unauthenticated attacker to execute arbitrary code on the server. This can lead to complete system compromise, data theft, or denial of service. The impact is significant for organizations using vulnerable versions of goshs to serve sensitive files or applications. 
The report does not mention the number of victims, but the severity is high given the potential for code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade goshs to version 2.0.0-beta.2 or later to patch CVE-2026-34581 (reference: \u003ca href=\"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2\"\u003ehttps://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Goshs Code Execution via Auth Bypass\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to goshs, specifically requests that might be attempting to bypass authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T19:21:32Z","date_published":"2026-04-02T19:21:32Z","id":"/briefs/2026-04-goshs-auth-bypass/","summary":"goshs versions 1.1.0 to before 2.0.0-beta.2 are vulnerable to authentication bypass via Share Token, potentially allowing code execution (CVE-2026-34581).","title":"goshs Authentication Bypass Vulnerability (CVE-2026-34581)","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5320"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","cve-2026-5320","vanna-ai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-5320, affects vanna-ai vanna versions up to 2.0.2. The vulnerability lies within the Chat API Endpoint located at \u003ccode\u003e/api/vanna/v2/\u003c/code\u003e. Successful exploitation allows remote attackers to bypass authentication mechanisms through a yet unspecified manipulation of the API endpoint. 
Public exploits are available, increasing the risk of widespread exploitation. The vendor has been unresponsive to disclosure attempts, further raising the urgency for mitigation. This vulnerability allows attackers to interact with the Chat API without proper authorization, potentially leading to data breaches, unauthorized actions, or disruption of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable vanna-ai vanna instance running a version up to 2.0.2.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted request to the \u003ccode\u003e/api/vanna/v2/\u003c/code\u003e Chat API endpoint.\u003c/li\u003e\n\u003cli\u003eThe request exploits the missing authentication vulnerability (CVE-2026-5320) through an unspecified manipulation.\u003c/li\u003e\n\u003cli\u003eThe server improperly processes the request without requiring valid authentication credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the Chat API functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the API, potentially retrieving sensitive information or executing unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the unauthorized access to compromise user accounts or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5320 allows attackers to bypass authentication and gain unauthorized access to the vanna-ai vanna Chat API. This can lead to the compromise of user data, unauthorized actions performed on behalf of legitimate users, and potential disruption of the service. The lack of vendor response and the availability of public exploits significantly increase the risk and potential impact of this vulnerability. 
Given the nature of AI chatbot applications, sensitive information handled by the application could be exposed, damaging data confidentiality.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply immediate patching or mitigation measures to vanna-ai vanna instances running versions up to 2.0.2. Consult the vendor\u0026rsquo;s website for any available patches, or consider applying a reverse proxy rule to enforce authentication on the \u003ccode\u003e/api/vanna/v2/\u003c/code\u003e endpoint until a patch is available.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect vanna-ai vanna Authentication Bypass Attempt\u003c/code\u003e to identify and alert on exploitation attempts targeting the \u003ccode\u003e/api/vanna/v2/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/api/vanna/v2/\u003c/code\u003e endpoint, paying close attention to unusual request patterns or error codes, and investigate any anomalies.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests exploiting CVE-2026-5320 based on known exploit patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T05:16:04Z","date_published":"2026-04-02T05:16:04Z","id":"/briefs/2026-04-vanna-auth-bypass/","summary":"CVE-2026-5320 describes an unauthenticated remote access vulnerability in vanna-ai vanna up to version 2.0.2 via manipulation of the /api/vanna/v2/ Chat API endpoint, potentially allowing unauthorized access and actions.","title":"vanna-ai vanna Authentication Bypass Vulnerability 
(CVE-2026-5320)","url":"https://feed.craftedsignal.io/briefs/2026-04-vanna-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4101"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","cve-2026-4101","ibm-verify"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eIBM Verify Identity Access Container and IBM Security Verify Access Container are vulnerable to an authentication bypass vulnerability identified as CVE-2026-4101. The affected versions include IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1, as well as IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1. This vulnerability can be exploited under certain load conditions, potentially granting an attacker unauthorized access to the application. Defenders should prioritize patching vulnerable systems to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable IBM Verify or Security Verify Access instance running a susceptible version (11.0-11.0.2 or 10.0-10.0.9.1).\u003c/li\u003e\n\u003cli\u003eThe attacker floods the targeted application with requests to induce high load conditions.\u003c/li\u003e\n\u003cli\u003eUnder these high load conditions, a flaw in the authentication mechanism is triggered.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts specific requests to exploit the authentication bypass.\u003c/li\u003e\n\u003cli\u003eThe application incorrectly validates the attacker\u0026rsquo;s request, bypassing authentication controls.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the application.\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker may perform privileged actions, access sensitive data, or escalate privileges within the 
system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4101 allows an unauthenticated attacker to bypass authentication mechanisms and gain unauthorized access to the targeted IBM Verify or Security Verify Access application. This could lead to the compromise of sensitive data, unauthorized modification of system configurations, and potential lateral movement within the network. The number of potential victims is dependent on the number of unpatched IBM Verify and Security Verify Access instances exposed to network traffic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches provided by IBM to address CVE-2026-4101 on all affected IBM Verify Identity Access Container and IBM Security Verify Access Container instances (refer to IBM\u0026rsquo;s advisory \u003ca href=\"https://www.ibm.com/support/pages/node/7268253\"\u003ehttps://www.ibm.com/support/pages/node/7268253\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual HTTP requests or error patterns that may indicate exploitation attempts. 
Deploy the Sigma rule targeting HTTP 500 responses originating from the access container to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and traffic shaping in front of the appliance to make it harder for an attacker to induce the high-load conditions under which the bypass is triggered; this reduces exposure but does not remove the flaw, so it is a stopgap until the patch is applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T21:17:02Z","date_published":"2026-04-01T21:17:02Z","id":"/briefs/2026-04-ibm-verify-auth-bypass/","summary":"CVE-2026-4101 describes an authentication bypass vulnerability in IBM Verify Identity Access Container and IBM Security Verify Access Container versions 11.0 through 11.0.2 and 10.0 through 10.0.9.1, respectively, that could allow unauthorized access under specific load conditions.","title":"IBM Verify and Security Verify Access Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-ibm-verify-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","code-execution","goshs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGoshs versions from 1.1.0 up to, but not including, v2.0.0-beta.2 are susceptible to an authentication bypass vulnerability (CVE-2026-34581) when share tokens are in use. The vulnerability resides in the \u003ccode\u003eBasicAuthMiddleware\u003c/code\u003e, which checks for a share token before it checks credentials and stops there when the token is valid. This allows an attacker holding a valid share token, a credential meant to grant access to one shared file only, to bypass all authentication and reach restricted functionality such as directory listing, file deletion, clipboard access, WebSocket connections, and CLI command execution. A patch is available in version v2.0.0-beta.2. 
This vulnerability affects goshs deployments where basic authentication is enabled alongside the share token feature, potentially leading to unauthorized access and command execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA legitimate user creates a share token for a specific file using the goshs web interface or API.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains that share token, either through social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the goshs server for a resource the token was never meant to cover, including the valid share token as a query parameter (e.g., \u003ccode\u003e?token=\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBasicAuthMiddleware\u003c/code\u003e in goshs checks for the \u003ccode\u003etoken\u003c/code\u003e parameter first and, upon finding a valid token, skips the credential check entirely.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003ews\u003c/code\u003e parameter in the same request (e.g., \u003ccode\u003e?ws\u0026amp;token=\u003c/code\u003e), upgrading it to a WebSocket connection.\u003c/li\u003e\n\u003cli\u003eOver the established WebSocket connection, the attacker submits a JSON message of the form \u003ccode\u003e{\u0026quot;type\u0026quot;:\u0026quot;command\u0026quot;,\u0026quot;Content\u0026quot;:\u0026quot;command_to_execute\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-supplied command, such as \u003ccode\u003eid\u003c/code\u003e or \u003ccode\u003ecat /etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the output of the executed command via the WebSocket connection, effectively achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34581) allows an attacker to bypass 
authentication, gain unauthorized access to the goshs server, and execute arbitrary commands. This can lead to complete system compromise, data exfiltration, and denial-of-service. Since the vulnerability exists in a widely used web file server, a successful attack could impact numerous organizations using goshs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to goshs version v2.0.0-beta.2 or later to patch CVE-2026-34581, as the vulnerability is fixed in that version (\u003ca href=\"https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2\"\u003ehttps://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing both \u003ccode\u003etoken\u003c/code\u003e and \u003ccode\u003ews\u003c/code\u003e parameters in the query string, which may indicate an attempt to exploit this vulnerability (see the detection rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual WebSocket connections originating from or destined to the goshs server (see the detection rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T20:58:48Z","date_published":"2026-04-01T20:58:48Z","id":"/briefs/2024-01-02-goshs-auth-bypass/","summary":"Goshs is vulnerable to an authentication bypass via share tokens, allowing attackers to bypass authentication checks by using a valid share token in conjunction with other functionalities like WebSocket connections to gain unauthorized access and execute arbitrary commands on the server.","title":"Goshs Authentication Bypass via Share 
Token","url":"https://feed.craftedsignal.io/briefs/2024-01-02-goshs-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dovecot","vulnerability","sql-injection","authentication-bypass","dos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in the Dovecot mail server software. An attacker can leverage these flaws to execute SQL injection attacks, potentially gaining unauthorized access to the underlying database. Furthermore, successful exploitation could lead to bypassing authentication mechanisms, allowing unauthorized access to mailboxes and sensitive information. The vulnerabilities also pose a risk of sensitive information disclosure and denial-of-service (DoS) conditions, disrupting mail services. The broad functionality affected by these flaws makes it a high-priority issue for organizations using Dovecot.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Dovecot instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string designed to exploit a SQL injection vulnerability in Dovecot\u0026rsquo;s authentication or user management modules.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted input to a Dovecot service, such as IMAP or POP3, during the authentication process.\u003c/li\u003e\n\u003cli\u003eIf the SQL injection is successful, the attacker gains unauthorized access to the Dovecot database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the database access to extract user credentials or modify authentication settings.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits the SQL injection to disclose sensitive configuration data or internal system information.\u003c/li\u003e\n\u003cli\u003eIf authentication bypass is successful, the attacker logs 
into a targeted user\u0026rsquo;s mailbox without valid credentials.\u003c/li\u003e\n\u003cli\u003eSeparately, the attacker can cause a denial-of-service condition by sending malformed requests that crash the Dovecot server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the Dovecot server and the data it manages. This includes unauthorized access to user mailboxes, disclosure of sensitive information, and disruption of email services. The impact ranges from data breaches and loss of confidentiality to service outages and reputational damage. The severity depends on the specific vulnerability exploited and the configuration of the Dovecot instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate Dovecot to a release that fixes these vulnerabilities; this brief does not list the fixed versions, so confirm them against the vendor advisory before scheduling the change.\u003c/li\u003e\n\u003cli\u003eClosely monitor Dovecot logs for SQL-related errors or unusual authentication failures, which are the expected symptoms of the SQL injection described above.\u003c/li\u003e\n\u003cli\u003eReview any Dovecot configuration that builds SQL from user-supplied values, so that injected input in usernames or other authentication fields cannot alter the query.\u003c/li\u003e\n\u003cli\u003eSince the advisory does not list specific log sources, enable verbose logging for Dovecot services to capture detailed information about authentication attempts and database interactions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:14:10Z","date_published":"2026-03-30T10:14:10Z","id":"/briefs/2026-03-dovecot-vulns/","summary":"Multiple vulnerabilities in Dovecot can be exploited by an attacker to perform SQL injection attacks, bypass authentication, disclose sensitive information, or cause a denial-of-service condition.","title":"Multiple Vulnerabilities in Dovecot Mail 
Server","url":"https://feed.craftedsignal.io/briefs/2026-03-dovecot-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","webhook","cve-2026-32974"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.12 is susceptible to an authentication bypass vulnerability (CVE-2026-32974) affecting Feishu webhook integrations. This vulnerability arises when the \u003ccode\u003everificationToken\u003c/code\u003e is configured without the \u003ccode\u003eencryptKey\u003c/code\u003e. This configuration flaw enables unauthenticated attackers to forge Feishu events and send them to the webhook endpoint. Successful exploitation allows attackers to trigger arbitrary downstream tool execution within the OpenClaw environment. This is a…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:01Z","date_published":"2026-03-29T13:17:01Z","id":"/briefs/2026-03-openclaw-auth-bypass/","summary":"OpenClaw before 2026.3.12 is vulnerable to an authentication bypass in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing unauthenticated network attackers to inject forged Feishu events and trigger downstream tool execution.","title":"OpenClaw Feishu Webhook Authentication Bypass (CVE-2026-32974)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openbao","oidc","authentication-bypass","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenBao, a secrets management tool, is vulnerable to an authentication bypass in versions prior to 2.5.2. This vulnerability stems from the lack of user confirmation when logging in via JWT/OIDC with a role configured with \u003ccode\u003ecallback_mode\u003c/code\u003e set to \u003ccode\u003edirect\u003c/code\u003e. 
The vulnerability allows an attacker to initiate an authentication request and trick a victim into visiting its URL; when the victim completes the login, the resulting session belongs to the attacker. This constitutes a \u0026ldquo;remote phishing\u0026rdquo; attack because the attacker never directly interacts with the victim\u0026rsquo;s credentials. The \u003ccode\u003edirect\u003c/code\u003e callback mode interacts directly with the OpenBao API, enabling the attacker to poll for a token after the victim has been authenticated and a token has been issued. The vulnerability is tracked as CVE-2026-33757.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA JWT/OIDC role with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e exists on the target OpenBao instance. The attacker does not need to configure it and needs no existing access to OpenBao.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an OIDC authentication request against that role, obtaining the unique login URL.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the generated URL to the victim via phishing or other social engineering methods.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and authenticates through the OIDC provider. 
OpenBao automatically associates this authentication with the attacker\u0026rsquo;s session due to the \u003ccode\u003edirect\u003c/code\u003e callback.\u003c/li\u003e\n\u003cli\u003eOpenBao\u0026rsquo;s API receives the direct callback and, in versions before 2.5.2, skips any confirmation by the user that the login is their own.\u003c/li\u003e\n\u003cli\u003eOpenBao issues a token for the attacker-initiated session, effectively authenticating the attacker as the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker polls the OpenBao API until the issued token is available.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the token and gains unauthorized access to secrets and resources managed by OpenBao, impersonating the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to impersonate a legitimate user within OpenBao. This can lead to unauthorized access to sensitive data, including secrets, credentials, and other protected resources. The impact is critical because the attacker obtains a token for another user without ever seeing that user\u0026rsquo;s credentials, potentially affecting all users and systems managed by the vulnerable OpenBao instance. 
This can lead to data breaches, service disruption, and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenBao to version 2.5.2 or later to apply the patch that introduces a confirmation screen for \u003ccode\u003edirect\u003c/code\u003e type logins.\u003c/li\u003e\n\u003cli\u003eAs a workaround, remove any OpenBao roles configured with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnforce confirmation for every session on the token issuer side for the Client ID used by OpenBao, mitigating the risk even if roles with \u003ccode\u003ecallback_mode=direct\u003c/code\u003e exist.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of requests to the OpenBao OIDC callback endpoint after authentication, using the \u0026ldquo;Detect OpenBao Direct Callback Abuse\u0026rdquo; Sigma rule to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect OpenBao Direct Callback Configuration\u0026rdquo; Sigma rule to identify roles configured with the vulnerable \u003ccode\u003ecallback_mode=direct\u003c/code\u003e setting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:33:37Z","date_published":"2026-03-26T18:33:37Z","id":"/briefs/2026-04-17-openbao-oidc-bypass/","summary":"OpenBao versions before 2.5.2 lack user confirmation for OIDC direct callback mode, allowing attackers to perform remote phishing and bypass authentication.","title":"OpenBao OIDC Direct Callback Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-17-openbao-oidc-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sqli","web-application","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWecodex Hotel CMS 1.0 is susceptible to an SQL injection 
vulnerability (CVE-2018-25195) within its admin login feature. Discovered in 2026, this flaw enables unauthenticated attackers to inject malicious SQL code into the \u0026lsquo;username\u0026rsquo; parameter of a POST request sent to the \u0026lsquo;index.php\u0026rsquo; page with the \u0026lsquo;action=processlogin\u0026rsquo; parameter. Successful exploitation could lead to the bypass of authentication mechanisms, potentially granting unauthorized administrative privileges. The vulnerability poses a significant risk to organizations utilizing the vulnerable CMS, as attackers could gain full control over the web application and its underlying data, including user credentials and sensitive business information. This requires immediate attention and patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Wecodex Hotel CMS 1.0 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003eindex.php\u003c/code\u003e with the parameter \u003ccode\u003eaction=processlogin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted SQL payload is injected into the \u003ccode\u003eusername\u003c/code\u003e parameter of the POST request.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly sanitize the input, passing the malicious SQL to the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the authentication query, likely using \u003ccode\u003eOR\u003c/code\u003e clauses and commenting out the rest of the original query.\u003c/li\u003e\n\u003cli\u003eThe manipulated query returns a successful authentication result, bypassing the intended login process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the administrative panel of the Wecodex Hotel 
CMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows attackers to bypass authentication controls and gain administrative access to the Wecodex Hotel CMS 1.0. This can lead to full compromise of the system, including the theft of sensitive data such as customer information, financial records, and proprietary business data. Attackers can also modify the website, inject malicious code, or use the compromised server as a launching point for further attacks. Given the potential for complete system compromise, this vulnerability poses a critical risk to affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock POST requests to \u003ccode\u003e/index.php\u003c/code\u003e containing suspicious SQL syntax in the \u003ccode\u003eusername\u003c/code\u003e parameter using a web application firewall (WAF) or intrusion detection system (IDS), based on the provided attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts targeting the login functionality of Wecodex Hotel CMS.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Wecodex Hotel CMS that addresses CVE-2018-25195 if available from the vendor.\u003c/li\u003e\n\u003cli\u003eImplement parameterized queries or prepared statements in the application code to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:16:04Z","date_published":"2026-03-26T12:16:04Z","id":"/briefs/2026-03-wecodex-sqli/","summary":"Wecodex Hotel CMS 1.0 is vulnerable to SQL injection in the admin login functionality, allowing unauthenticated attackers to bypass authentication and potentially extract sensitive database information or gain administrative access by injecting SQL code through the username parameter in POST requests to index.php with 
action=processlogin.","title":"Wecodex Hotel CMS 1.0 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-wecodex-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-4562","authentication-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4562 details a missing authentication vulnerability within MacCMS version 2025.1000.4052. The vulnerability is located in the \u003ccode\u003eapplication/api/controller/Timming.php\u003c/code\u003e file, specifically within the Timming API Endpoint component. This flaw allows unauthenticated remote attackers to execute actions that should normally require authentication. The vulnerability has been publicly disclosed, increasing the risk of exploitation. Defenders should prioritize identifying and mitigating…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-maccms-auth-bypass/","summary":"A missing authentication vulnerability exists in MacCMS 2025.1000.4052, specifically affecting the Timming API Endpoint component in application/api/controller/Timming.php, allowing remote attackers to bypass authentication.","title":"MacCMS 2025.1000.4052 Missing Authentication Vulnerability (CVE-2026-4562)","url":"https://feed.craftedsignal.io/briefs/2026-03-maccms-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication-bypass","plugin-vulnerability","cve-2026-4021"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). 
This vulnerability stems from how the \u003ccode\u003eusers-registry-check-after-email-or-pin-confirmation.php\u003c/code\u003e script handles email confirmations, combined with an unauthenticated key-based login endpoint in \u003ccode\u003eajax-functions-frontend.php\u003c/code\u003e.  If the \u003ccode\u003eRegMailOptional=1\u003c/code\u003e setting is enabled (non-default), an attacker can register a new user account with a specially…\u003c/p\u003e\n","date_modified":"2026-03-24T00:16:31Z","date_published":"2026-03-24T00:16:31Z","id":"/briefs/2026-03-contest-gallery-auth-bypass/","summary":"CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.","title":"Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)","url":"https://feed.craftedsignal.io/briefs/2026-03-contest-gallery-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["quest-kace","vulnerability","authentication-bypass","2fa-bypass","denial-of-service","sma"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eQuest KACE Systems Management Appliance (SMA) is an IT systems management solution used by organizations to manage and secure endpoints. In June 2025, multiple critical vulnerabilities were disclosed. These include CVE-2025-32975, an authentication bypass; CVE-2025-32976, a 2FA bypass; CVE-2025-32977, malicious backup upload; and CVE-2025-32978, license replacement leading to denial of service. The vulnerabilities were discovered during a third-party assessment. As of March 20, 2026, active exploitation has been reported, making immediate patching critical. Versions affected include KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341, and 14.1.101. 
Successful exploitation can lead to complete system compromise, impacting enterprise security and operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthenticated Request (CVE-2025-32975):\u003c/strong\u003e An attacker sends a crafted request to the KACE SMA server, exploiting the improper authentication handling in the SSO mechanism.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass:\u003c/strong\u003e The server fails to properly validate the request, allowing the attacker to bypass authentication and impersonate a legitimate user, gaining unauthorized access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e2FA Bypass (CVE-2025-32976):\u003c/strong\u003e If the attacker has valid credentials, they exploit a logic flaw in the two-factor authentication implementation to bypass TOTP-based 2FA requirements.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Using the bypassed authentication, the attacker gains access to administrative privileges within the KACE SMA.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Backup Upload (CVE-2025-32977):\u003c/strong\u003e An unauthenticated attacker uploads a malicious backup file to the system, exploiting weaknesses in the cryptographic signature validation process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise:\u003c/strong\u003e The malicious backup content is processed, compromising the system\u0026rsquo;s integrity and potentially allowing the attacker to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLicense Replacement (CVE-2025-32978):\u003c/strong\u003e The attacker uses a web interface intended for license renewal to replace valid system licenses with expired or trial licenses.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service:\u003c/strong\u003e The replacement of valid licenses causes 
a denial of service, disrupting normal operations and preventing legitimate users from accessing the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain complete control over the KACE SMA, leading to the compromise of managed endpoints. The denial-of-service vulnerability disrupts IT operations. While the exact number of victims is unknown, the widespread use of KACE SMA across various sectors suggests a broad potential impact. Active exploitation reported as of March 2026 increases the urgency.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches released by Quest for KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4) to remediate CVE-2025-32975, CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978.\u003c/li\u003e\n\u003cli\u003eScale up monitoring and detection capabilities to identify any related suspicious activity, as recommended by CCB.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Unauthenticated Access Attempts to KACE SMA\u0026rdquo; to identify potential exploitation attempts targeting CVE-2025-32975.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious file uploads to detect potential exploitation of CVE-2025-32977. Because exploitation has been reported in the wild, treat an appliance that was network-exposed while unpatched as a candidate for compromise assessment (unexpected administrative sessions, backup uploads, or license changes) rather than assuming that patching alone closes the incident.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-quest-kace-sma-vulns/","summary":"Multiple critical vulnerabilities in Quest KACE Systems Management Appliance (SMA), including authentication bypass and 2FA bypass, allow unauthenticated attackers to achieve system takeover and cause denial of service; active exploitation is reported.","title":"Critical Vulnerabilities in Quest KACE SMA Allow System 
Takeover","url":"https://feed.craftedsignal.io/briefs/2026-03-quest-kace-sma-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["apache-artemis","apache-activemq","authentication-bypass","message-injection","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 5, 2026, the Centre for Cybersecurity Belgium (CCB) issued a warning regarding CVE-2026-27446, a critical authentication bypass vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis. This vulnerability stems from a lack of proper authentication controls within the Core protocol used for communication between brokers. Successful exploitation allows unauthenticated remote attackers to force a target broker to establish an outbound Core federation connection to a rogue broker…\u003c/p\u003e\n","date_modified":"2026-03-05T09:31:38Z","date_published":"2026-03-05T09:31:38Z","id":"/briefs/2026-03-apache-artemis-auth-bypass/","summary":"CVE-2026-27446 allows an unauthenticated remote attacker to inject malicious messages or exfiltrate data from Apache Artemis and ActiveMQ Artemis brokers due to a missing authentication check in the Core protocol.","title":"Apache Artemis and ActiveMQ Artemis Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-apache-artemis-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-1241","authentication-bypass","ip-camera","ics"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePelco Sarix Pro 3 Series IP Cameras are affected by an authentication bypass vulnerability (CVE-2026-1241) in their web management interface. The vulnerability stems from inadequate access control enforcement, allowing unauthorized access to certain functionalities without proper authentication. 
This issue impacts Sarix Professional IMP 3 Series, IXP 3 Series, IBP 3 Series, and IWP 3 Series IP Cameras with firmware versions equal to or less than 02.52. Successful exploitation can lead to…\u003c/p\u003e\n","date_modified":"2026-02-27T10:00:00Z","date_published":"2026-02-27T10:00:00Z","id":"/briefs/2026-02-pelco-sarix-auth-bypass/","summary":"An authentication bypass vulnerability (CVE-2026-1241) in the web management interface of Pelco Sarix Pro 3 Series IP Cameras (versions \u003c= 02.52) allows unauthenticated attackers to access sensitive device data and bypass surveillance controls.","title":"Pelco Sarix Pro 3 Series IP Camera Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-02-pelco-sarix-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Traefik"],"_cs_severities":["high"],"_cs_tags":["traefik","authentication-bypass","webserver"],"_cs_type":"advisory","_cs_vendors":["Traefik"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability impacts Traefik instances utilizing the \u003ccode\u003eForwardAuth\u003c/code\u003e middleware with \u003ccode\u003etrustForwardHeader=false\u003c/code\u003e, when deployed behind a trusted upstream proxy. This vulnerability arises from Traefik\u0026rsquo;s failure to properly sanitize the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header. Although Traefik correctly rebuilds other \u003ccode\u003eX-Forwarded-*\u003c/code\u003e headers like \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eX-Forwarded-Host\u003c/code\u003e, it does not strip or rebuild \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e. An attacker can inject a malicious \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e value, which is then passed to the authentication service in the subrequest. 
If the authentication service relies on the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header for authorization decisions, an attacker can bypass access controls and reach protected backend routes. This issue affects Traefik versions v2.11.x before v2.11.43, v3.6.x before v3.6.14, and v3.7.0-rc.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a request with a crafted \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header (e.g., \u003ccode\u003eX-Forwarded-Prefix: /admin\u003c/code\u003e) to a trusted upstream proxy (e.g., nginx).\u003c/li\u003e\n\u003cli\u003eThe trusted proxy forwards the request to the Traefik instance.\u003c/li\u003e\n\u003cli\u003eTraefik\u0026rsquo;s \u003ccode\u003eStripPrefix\u003c/code\u003e middleware processes the request, stripping a configured prefix (e.g., \u003ccode\u003e/forbidden\u003c/code\u003e) and appending it to the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header using \u003ccode\u003eHeader.Add\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eForwardAuth\u003c/code\u003e middleware creates a subrequest to the authentication service, copying all incoming headers, including the attacker-controlled \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e and the \u003ccode\u003eStripPrefix\u003c/code\u003e-added value.\u003c/li\u003e\n\u003cli\u003eThe authentication service receives the subrequest with the concatenated \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e values, where the attacker\u0026rsquo;s value appears first (e.g., \u003ccode\u003eX-Forwarded-Prefix: /admin, /forbidden\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe authentication service incorrectly uses the attacker-supplied \u003ccode\u003e/admin\u003c/code\u003e prefix to make authorization decisions.\u003c/li\u003e\n\u003cli\u003eThe authentication service authorizes the request due to the spoofed 
prefix.\u003c/li\u003e\n\u003cli\u003eTraefik forwards the request to the protected backend route, granting the attacker unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to bypass access controls and reach protected backend routes. This can lead to data breaches, unauthorized modification of resources, and other security compromises. The impact is especially severe where \u003ccode\u003eStripPrefix\u003c/code\u003e runs before \u003ccode\u003eForwardAuth\u003c/code\u003e and the authentication service bases authorization decisions on the \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header. The number of affected deployments is unknown but likely significant, given Traefik\u0026rsquo;s popularity as a reverse proxy and load balancer.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Traefik version v2.11.43, v3.6.14, or v3.7.0-rc.2 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a workaround, if upgrading is not immediately feasible, have the trusted upstream proxy strip or overwrite any client-supplied \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e before forwarding to Traefik; the spoofed value in the attack chain arrives through that proxy, so the authentication service cannot distinguish it by origin. In addition, make the authentication service fail closed when it receives more than one \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e value instead of acting on the first one.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule that accompanies the full brief to detect requests carrying an \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e header and targeting the \u003ccode\u003e/forbidden\u003c/code\u003e path, which indicate potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden your Traefik configuration to ensure that the \u003ccode\u003etrustForwardHeader\u003c/code\u003e parameter is set appropriately for your deployment environment and trust relationships.\u003c/li\u003e\n\u003cli\u003eMonitor Traefik access logs 
for suspicious activity, especially requests with unusual \u003ccode\u003eX-Forwarded-Prefix\u003c/code\u003e values, using the \u003ccode\u003ewebserver\u003c/code\u003e log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-traefik-auth-bypass/","summary":"A high-severity authentication bypass vulnerability exists in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy; Traefik fails to sanitize the `X-Forwarded-Prefix` header, allowing attackers to spoof a trusted prefix value and gain unauthorized access to protected backend routes.","title":"Traefik ForwardAuth Authentication Bypass via X-Forwarded-Prefix Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-07-traefik-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Dgraph"],"_cs_severities":["critical"],"_cs_tags":["dgraph","authentication-bypass","admin-token-disclosure"],"_cs_type":"advisory","_cs_vendors":["Dgraph"],"content_html":"\u003cp\u003eDgraph, a graph database, exposes sensitive information through an unauthenticated endpoint, \u003ccode\u003e/debug/vars\u003c/code\u003e, in versions prior to 25.3.3. The vulnerability arises because the admin token is often passed as a command-line argument using the \u003ccode\u003e--security \u0026quot;token=...\u0026quot;\u003c/code\u003e flag. This argument is exposed through the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint, which is enabled by default via Go\u0026rsquo;s \u003ccode\u003eexpvar\u003c/code\u003e package. An attacker can retrieve this token without authentication and then use it to gain administrative privileges by including it in the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header of subsequent requests. 
This bypasses an earlier, incomplete fix that restricted the \u003ccode\u003e/debug/pprof/cmdline\u003c/code\u003e endpoint but left the same command line published as expvar\u0026rsquo;s \u003ccode\u003ecmdline\u003c/code\u003e variable at \u003ccode\u003e/debug/vars\u003c/code\u003e. It affects deployments where the Alpha HTTP port is reachable by untrusted parties and amounts to a full authentication bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an unauthenticated GET request to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint on the Dgraph Alpha server (e.g., \u003ccode\u003eGET /debug/vars HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing the \u003ccode\u003ecmdline\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response and extracts the value of the \u003ccode\u003ecmdline\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker searches the \u003ccode\u003ecmdline\u003c/code\u003e output for the \u003ccode\u003e--security token=...\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the admin token from the \u003ccode\u003e--security\u003c/code\u003e argument string.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to an admin-only endpoint (e.g., \u003ccode\u003eGET /admin/config/cache_mb HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes the extracted admin token in the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header of the request.\u003c/li\u003e\n\u003cli\u003eThe Dgraph Alpha server validates the token, granting the attacker administrative access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to gain complete administrative control over the Dgraph database. This includes the ability to read and modify admin configurations, and perform operational control actions. 
In deployments where the Alpha HTTP port is publicly accessible, this vulnerability poses a significant risk, leading to potential data breaches, service disruption, and unauthorized manipulation of the database. While the number of affected deployments is not explicitly stated, any Dgraph instance running a vulnerable version with an exposed Alpha HTTP port is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dgraph to version 25.3.3 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, restrict access to the Alpha HTTP port to trusted networks only.\u003c/li\u003e\n\u003cli\u003eTreat the admin token as compromised on any instance that ran a vulnerable version with its Alpha HTTP port reachable by untrusted parties, and rotate it after upgrading; a token harvested before the fix keeps working until it is changed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule in the brief to detect unauthorized access attempts to the \u003ccode\u003e/admin/config/cache_mb\u003c/code\u003e endpoint using the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule in the brief to detect access to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"/briefs/2024-05-dgraph-auth-bypass/","summary":"Dgraph versions prior to 25.3.3 expose the admin token via the `/debug/vars` endpoint, allowing unauthenticated attackers to bypass authentication and gain administrative access.","title":"Dgraph Unauthenticated Admin Token Disclosure via /debug/vars","url":"https://feed.craftedsignal.io/briefs/2024-05-dgraph-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7723"}],"_cs_exploited":false,"_cs_products":["prefect (\u003c= 3.6.13)"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-7723","authentication-bypass","websocket","prefecthq"],"_cs_type":"advisory","_cs_vendors":["PrefectHQ"],"content_html":"\u003cp\u003ePrefectHQ Prefect, a workflow management system, is vulnerable to an authentication bypass vulnerability identified as CVE-2026-7723. 
The vulnerability exists in versions up to 3.6.13 and stems from a flaw within the \u003ccode\u003e/api/events/in\u003c/code\u003e WebSocket endpoint. A remote attacker can manipulate data sent to this endpoint, leading to a failure in authentication checks. This can allow the attacker to perform unauthorized actions within the Prefect system. The vulnerability was published on 2026-05-04 and a patch is available in version 3.6.14, specifically commit \u003ccode\u003e0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40\u003c/code\u003e. Defenders should upgrade affected Prefect installations to version 3.6.14 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a PrefectHQ Prefect instance running a vulnerable version (\u0026lt;= 3.6.13) with an exposed \u003ccode\u003e/api/events/in\u003c/code\u003e WebSocket endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious WebSocket message specifically targeting the \u003ccode\u003e/api/events/in\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the manipulated message to the \u003ccode\u003e/api/events/in\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the authentication checks within the WebSocket endpoint fail to properly validate the attacker\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe Prefect system incorrectly processes the attacker\u0026rsquo;s request as authenticated.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits this lack of authentication to execute unauthorized actions within the Prefect system. 
These actions could include modifying workflows, accessing sensitive data, or disrupting operations.\u003c/li\u003e\n\u003cli\u003eThe attacker may further leverage their access to compromise other connected systems or data stores.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7723 allows an unauthenticated remote attacker to bypass authentication mechanisms in PrefectHQ Prefect. This can lead to unauthorized access to sensitive data, modification of workflows, and disruption of critical business processes. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. The number of affected organizations depends on the adoption rate of PrefectHQ Prefect, but any organization running a vulnerable version is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PrefectHQ Prefect to version 3.6.14 or later to apply the patch (\u003ccode\u003e0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40\u003c/code\u003e) that resolves CVE-2026-7723.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/api/events/in\u003c/code\u003e endpoint to detect potential exploitation attempts. 
Deploy the Sigma rule \u003ccode\u003eDetect PrefectHQ Auth Bypass Attempt\u003c/code\u003e to identify unusual requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is applied, restrict network reachability of the Prefect API, including the \u003ccode\u003e/api/events/in\u003c/code\u003e WebSocket endpoint, to trusted clients.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit by restricting access to sensitive resources from the Prefect server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-prefect-auth-bypass/","summary":"PrefectHQ Prefect versions up to 3.6.13 are vulnerable to an authentication bypass via manipulation of the /api/events/in WebSocket endpoint, potentially allowing remote attackers to execute unauthorized actions.","title":"PrefectHQ Prefect Authentication Bypass Vulnerability (CVE-2026-7723)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-prefect-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["coredns"],"_cs_severities":["high"],"_cs_tags":["coredns","tsig","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["coredns"],"content_html":"\u003cp\u003eCoreDNS versions prior to 1.14.3 contain a flaw (CVE-2026-35579) in the handling of TSIG authentication for the gRPC, QUIC, DoH, and DoH3 transports. Specifically, the gRPC and QUIC transports only check for the presence of a TSIG key name without verifying the HMAC, while the DoH and DoH3 transports unconditionally report a successful TSIG status. This allows unauthenticated attackers to bypass TSIG authentication, potentially enabling unauthorized zone transfers, dynamic updates, and access to other TSIG-protected resources. 
This issue was identified in version 1.14.2 and prior, and affects deployments where TSIG authentication is relied upon for secure DNS operations over these transports.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a CoreDNS server using gRPC, QUIC, DoH, or DoH3 with TSIG authentication enabled.\u003c/li\u003e\n\u003cli\u003eFor gRPC/QUIC, the attacker crafts a DNS request with a valid TSIG key name but a forged or invalid HMAC value. For DoH/DoH3, the attacker crafts a DNS request with any TSIG record.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the CoreDNS server via the affected transport (gRPC, QUIC, DoH, or DoH3).\u003c/li\u003e\n\u003cli\u003eCoreDNS receives the request and processes the TSIG information. For gRPC/QUIC, CoreDNS checks if the TSIG key name exists in the configuration. For DoH/DoH3, the transport layer reports successful TSIG verification without performing actual verification.\u003c/li\u003e\n\u003cli\u003eThe TSIG check passes due to the vulnerability: either HMAC is not validated (gRPC/QUIC) or TSIG status is unconditionally reported as valid (DoH/DoH3).\u003c/li\u003e\n\u003cli\u003eThe request is passed to the appropriate plugin, bypassing TSIG authentication requirements.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to TSIG-protected functionality, such as AXFR/IXFR zone transfers or dynamic DNS updates.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates zone data or modifies DNS records, depending on the enabled functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can allow unauthenticated attackers to perform unauthorized actions on the affected CoreDNS server. 
This can lead to the exposure of sensitive zone data via AXFR/IXFR, unauthorized modification of DNS records through dynamic updates, or other bypasses of TSIG-gated plugin behavior. The DoH and DoH3 variants pose a higher risk because they do not even require a valid TSIG key name to be known. The impact depends on the specific TSIG-protected functionality enabled on the CoreDNS server and the sensitivity of the data being protected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoreDNS to version 1.14.3 or later to patch CVE-2026-35579.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, disable the gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement network-level access controls to restrict access to the gRPC, QUIC, DoH, and DoH3 ports to trusted sources only, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eAfter upgrading, verify the fix on a test zone by issuing an AXFR over DoH with a bogus TSIG record and over gRPC or QUIC with a valid key name but a wrong HMAC, and confirm that both are refused.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CoreDNS AXFR Request over DoH with Forged TSIG\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-coredns-tsig-bypass/","summary":"CoreDNS versions prior to 1.14.3 are vulnerable to TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports, allowing unauthenticated network attackers to bypass authentication and potentially access TSIG-protected zone data or submit dynamic DNS updates.","title":"CoreDNS TSIG Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-coredns-tsig-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41940"}],"_cs_exploited":false,"_cs_products":["cPanel \u0026 WHM","WP2 (WordPress 
Squared)"],"_cs_severities":["critical"],"_cs_tags":["cpanel","whm","wp2","wordpress","authentication-bypass","cve-2026-41940","initial-access"],"_cs_type":"advisory","_cs_vendors":["WebPros"],"content_html":"\u003cp\u003eWebPros cPanel \u0026amp; WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel \u0026amp; WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable cPanel \u0026amp; WHM or WP2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the target server, bypassing authentication checks.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly processes the request, granting the attacker an authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the authenticated session to access administrative interfaces and settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies server configurations, potentially creating new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malicious plugins or software through the control panel.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control over the web server and hosted websites.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel \u0026amp; WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel \u0026amp; WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect cPanel/WHM Authentication Bypass Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eIf mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.\u003c/li\u003e\n\u003cli\u003eConsider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cpanel-auth-bypass/","summary":"CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel \u0026 WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","title":"WebPros cPanel \u0026 WHM and WP2 Authentication Bypass Vulnerability 
(CVE-2026-41940)","url":"https://feed.craftedsignal.io/briefs/2024-01-cpanel-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2023-27351"}],"_cs_exploited":true,"_cs_products":["NG/MF"],"_cs_severities":["critical"],"_cs_tags":["papercut","authentication-bypass","ransomware","cve-2023-27351"],"_cs_type":"threat","_cs_vendors":["PaperCut"],"content_html":"\u003cp\u003eCVE-2023-27351 is an improper authentication vulnerability affecting PaperCut NG/MF. The flaw lies in the SecurityRequestFilter class and lets an unauthenticated remote attacker bypass authentication and read information held by the application, such as user account details. It was disclosed alongside CVE-2023-27350, an unauthenticated remote code execution flaw in the same products; the publicly reported in-the-wild attacks on PaperCut servers in 2023, including ransomware deployment, are attributed to CVE-2023-27350, and both issues are fixed in the same PaperCut releases. Because exposed PaperCut servers were targeted at scale, organizations running affected versions are urged to move to the fixed versions immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PaperCut NG/MF instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the SecurityRequestFilter class.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the improper authentication vulnerability (CVE-2023-27351), bypassing normal authentication checks.\u003c/li\u003e\n\u003cli\u003eUpon successful bypass, the attacker reads data from the PaperCut NG/MF application without credentials.\u003c/li\u003e\n\u003cli\u003eIn the reported intrusions, attackers paired this access with the companion remote code execution flaw CVE-2023-27350 to upload malicious scripts or binaries to the PaperCut server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded payload, initiating the ransomware encryption process or other malicious activities.\u003c/li\u003e\n\u003cli\u003eRansomware encrypts sensitive data on the PaperCut server and potentially spreads to other connected systems.\u003c/li\u003e\n\u003cli\u003eThe attacker demands a ransom payment for the decryption key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-27351 allows attackers to bypass authentication and gain unauthorized access to PaperCut data; combined with CVE-2023-27350 it formed part of campaigns that deployed ransomware. This can result in significant data loss, disruption of print services, and financial losses due to ransom demands and recovery efforts. PaperCut servers are known to have been actively exploited, increasing the risk to organizations running affected NG/MF installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the fixed PaperCut MF/NG releases (20.1.7, 21.2.11, or 22.0.9 or later); PaperCut\u0026rsquo;s advisory tracks the two issues as PO-1216 (CVE-2023-27350) and PO-1219 (CVE-2023-27351).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in the brief to detect potential exploitation attempts against the SecurityRequestFilter class.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services if the PaperCut instance is cloud-hosted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-papercut-auth-bypass/","summary":"CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.","title":"PaperCut NG/MF Improper Authentication Vulnerability 
(CVE-2023-27351)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-papercut-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["note-mark"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","credential-access","note-mark","ghsa"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability affects note-mark deployments configured with OIDC authentication. The vulnerability stems from the \u003ccode\u003eIsPasswordMatch\u003c/code\u003e function in \u003ccode\u003ebackend/db/models.go\u003c/code\u003e, which falls back to a hardcoded \u003ccode\u003ebcrypt(\u0026quot;null\u0026quot;)\u003c/code\u003e hash when a user has no stored password. This occurs because OIDC-registered users are created with an empty password. As a result, any attacker can authenticate as an OIDC user by submitting the password \u0026ldquo;null\u0026rdquo; to the internal login endpoint (\u003ccode\u003ePOST /api/auth/token\u003c/code\u003e). This issue affects note-mark version 0.19.2 and potentially earlier versions. The default configuration ships with both authentication paths side-by-side, so any site that turns on OIDC is affected, allowing for potential account takeover and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a note-mark instance with OIDC enabled and internal login enabled (default configuration). 
The attacker can confirm this by accessing \u003ccode\u003e/api/info\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates valid usernames via the \u003ccode\u003e/api/users/search\u003c/code\u003e endpoint (anonymous user search enabled by default).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/api/auth/token\u003c/code\u003e with the target username and password \u0026ldquo;null\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIsPasswordMatch\u003c/code\u003e function in \u003ccode\u003ebackend/db/models.go\u003c/code\u003e is called. Since OIDC-registered users have an empty password, the function uses the \u003ccode\u003enullPasswordHash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebcrypt.CompareHashAndPassword\u003c/code\u003e function compares \u003ccode\u003enullPasswordHash\u003c/code\u003e with the provided password \u0026ldquo;null\u0026rdquo;, resulting in a successful match.\u003c/li\u003e\n\u003cli\u003eThe server issues an \u003ccode\u003eAuth-Session-Token\u003c/code\u003e cookie to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the valid session cookie to access the target user\u0026rsquo;s account via \u003ccode\u003e/api/users/me\u003c/code\u003e or other authenticated endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker persists access by updating the target user\u0026rsquo;s password via \u003ccode\u003ePUT /api/users/me/password\u003c/code\u003e using \u0026ldquo;null\u0026rdquo; as the existing password, locking out the legitimate user and gaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to fully take over OIDC-only user accounts on affected note-mark deployments. This includes reading private notebooks, note markdown, and uploaded assets. 
An attacker can also write, edit, or delete anything the compromised user owns, leading to significant data loss and confidentiality breaches. The vulnerability is especially severe because the default configuration enables both the OIDC and internal login paths, so no unusual setup is needed for exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by rejecting the login path for users with no stored password in \u003ccode\u003ebackend/services/auth.go\u003c/code\u003e and \u003ccode\u003ebackend/services/users.go\u003c/code\u003e as detailed in the advisory. This directly addresses the vulnerability by preventing authentication with the \u0026ldquo;null\u0026rdquo; password.\u003c/li\u003e\n\u003cli\u003eAfter deploying the fix, check OIDC-registered accounts for a stored password: an attacker who reached the last step of the attack chain will have set one through \u003ccode\u003ePUT /api/users/me/password\u003c/code\u003e. Clear such passwords and invalidate outstanding sessions for those accounts.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/api/auth/token\u003c/code\u003e whose request body contains \u003ccode\u003e\u0026quot;password\u0026quot;:\u0026quot;null\u0026quot;\u003c/code\u003e, using the provided Sigma rule; this requires request-body logging at the TLS-terminating proxy or the application, since the body is not visible in ordinary access logs.\u003c/li\u003e\n\u003cli\u003eConsider disabling internal logins (\u003ccode\u003eEnableInternalLogin\u003c/code\u003e) if OIDC is the sole authentication method used, mitigating the risk by removing the vulnerable login path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-note-mark-auth-bypass/","summary":"A critical authentication bypass vulnerability in note-mark allows attackers to authenticate as any OIDC-registered user by submitting the password 'null' to the internal login endpoint due to a hardcoded bcrypt hash fallback, potentially leading to account takeover and persistent access.","title":"Note Mark OIDC Authentication Bypass via Hardcoded 
Password","url":"https://feed.craftedsignal.io/briefs/2024-01-03-note-mark-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7042"}],"_cs_exploited":false,"_cs_products":["MiroFish"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7042","authentication-bypass","rest-api"],"_cs_type":"advisory","_cs_vendors":["666ghj"],"content_html":"\u003cp\u003eA high-severity (CVSS 7.3) missing-authentication vulnerability, tracked as CVE-2026-7042, has been identified in 666ghj MiroFish up to version 0.1.2. The vulnerability lies in the \u003ccode\u003ecreate_app\u003c/code\u003e function of \u003ccode\u003ebackend/app/__init__.py\u003c/code\u003e, which sets up the REST API. Because the API performs no authentication check, a remote attacker can reach it by manipulating parameters in API requests, gaining unauthorized access to sensitive functionality and data. Public exploits are available, increasing the risk of widespread exploitation. 
The vendor was notified, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the REST API Endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates parameters intended for the \u003ccode\u003ecreate_app\u003c/code\u003e function, specifically designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ecreate_app\u003c/code\u003e function fails to properly validate the request due to the missing authentication check.\u003c/li\u003e\n\u003cli\u003eThe application grants unauthorized access to protected resources or functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as data exfiltration, modification, or deletion, depending on the exposed API endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial access to further compromise the system or pivot to other internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7042 allows an attacker to bypass authentication controls in MiroFish applications. This can lead to unauthorized access to sensitive data, modification of application settings, or complete system compromise. The lack of authentication on the REST API endpoint can have severe implications for data confidentiality, integrity, and availability. 
Given the availability of a public exploit, affected organizations are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNo vendor fix is available at the time of writing (the vendor has not responded), so until one ships do not expose the MiroFish REST API directly: restrict it to trusted networks or place it behind a reverse proxy that enforces authentication itself.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting the REST API with unusual parameters, using the provided Sigma rule that detects anomalous HTTP methods in webserver logs.\u003c/li\u003e\n\u003cli\u003eApply any patches or updates from 666ghj for CVE-2026-7042 as soon as they become available.\u003c/li\u003e\n\u003cli\u003eReview the affected \u003ccode\u003ebackend/app/__init__.py\u003c/code\u003e file for the missing authentication logic and add an authentication check in front of the API routes if you maintain a fork.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mirofish-auth-bypass/","summary":"A missing authentication vulnerability (CVE-2026-7042) exists in 666ghj MiroFish up to version 0.1.2, allowing remote attackers to bypass authentication via manipulation of the REST API Endpoint's create_app function.","title":"666ghj MiroFish REST API Authentication Bypass (CVE-2026-7042)","url":"https://feed.craftedsignal.io/briefs/2024-01-mirofish-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Authentication-Bypass","version":"https://jsonfeed.org/version/1.1"}
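Worked example for the Traefik ForwardAuth brief in this feed. It is added here and is not code from the brief or from the Traefik project: a small Python model of the header handling the brief's attack chain describes. The X-Forwarded-Prefix values /admin and /forbidden come from the brief; the authorization policy, function names, and the constructed request are assumptions for illustration. It shows the Header.Add concatenation the auth service receives, why an auth service that acts on the first value is bypassed, and that either dropping the client-supplied header before StripPrefix (the fixed Traefik behaviour) or failing closed on a multi-valued header (auth-service hardening) closes the hole.

```python
"""Model of the X-Forwarded-Prefix confusion from the Traefik ForwardAuth brief.
Added example; not Traefik's code. Policy and request below are constructed."""
from typing import Dict, List, Optional, Tuple

Header = List[Tuple[str, str]]  # ordered, multi-valued headers, like Go's http.Header

X_PREFIX = "X-Forwarded-Prefix"
STRIP_PREFIX = "/forbidden"  # assumed StripPrefix configuration (value from the brief)
PROTECTED = {"/forbidden"}  # assumed auth-service policy: this prefix needs an identity


def get_values(headers: Header, name: str) -> List[str]:
    """All values for a header name, in order (names are case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def traefik_vulnerable(headers: Header) -> Header:
    """Vulnerable ordering as the brief describes: with trustForwardHeader=false Traefik
    rebuilds X-Forwarded-For/Host (modelled here by dropping them) but leaves a
    client-supplied X-Forwarded-Prefix in place; StripPrefix then Header.Add()s its own."""
    out = [(n, v) for n, v in headers
           if n.lower() not in ("x-forwarded-for", "x-forwarded-host")]
    out.append((X_PREFIX, STRIP_PREFIX))  # Add appends; it does not replace
    return out


def traefik_fixed(headers: Header) -> Header:
    """Fixed behaviour: the untrusted X-Forwarded-Prefix is discarded before StripPrefix sets it."""
    out = [(n, v) for n, v in headers
           if n.lower() not in ("x-forwarded-for", "x-forwarded-host", X_PREFIX.lower())]
    out.append((X_PREFIX, STRIP_PREFIX))
    return out


def wire_join(headers: Header, name: str) -> Optional[str]:
    """Many HTTP stacks fold repeated header lines into one comma-separated value;
    this is the '/admin, /forbidden' form the brief shows the auth service receiving."""
    vals = get_values(headers, name)
    return ", ".join(vals) if vals else None


def authz_naive(headers: Header, user: Optional[str]) -> bool:
    """Bug pattern: trusts the first X-Forwarded-Prefix value it sees."""
    joined = wire_join(headers, X_PREFIX) or ""
    prefix = joined.split(",")[0].strip()
    if prefix in PROTECTED:
        return user is not None
    return True  # constructed policy: unprotected prefixes are served anonymously


def authz_hardened(headers: Header, user: Optional[str]) -> bool:
    """Fail closed: more than one X-Forwarded-Prefix value is evidence of injection."""
    vals = get_values(headers, X_PREFIX)
    if len(vals) != 1:
        return False
    if vals[0] in PROTECTED:
        return user is not None
    return True


# Constructed request: an anonymous client sends the spoofed prefix from the brief.
CLIENT_HEADERS: Header = [
    ("Host", "app.example.test"),
    ("X-Forwarded-Prefix", "/admin"),
    ("X-Forwarded-For", "198.51.100.7"),
]


def outcomes() -> Dict[str, bool]:
    """Whether the anonymous attacker's request is authorized under each combination."""
    return {
        "vuln_traefik+naive_auth": authz_naive(traefik_vulnerable(CLIENT_HEADERS), user=None),
        "vuln_traefik+hardened_auth": authz_hardened(traefik_vulnerable(CLIENT_HEADERS), user=None),
        "fixed_traefik+naive_auth": authz_naive(traefik_fixed(CLIENT_HEADERS), user=None),
        "fixed_traefik+hardened_auth": authz_hardened(traefik_fixed(CLIENT_HEADERS), user=None),
    }


if __name__ == "__main__":
    print(wire_join(traefik_vulnerable(CLIENT_HEADERS), X_PREFIX))  # "/admin, /forbidden"
    for combo, allowed in outcomes().items():
        print(f"{combo}: {'ALLOWED' if allowed else 'denied'}")
```

Only the vulnerable Traefik ordering combined with a first-value auth service lets the anonymous request through; the hardened auth service still admits a legitimate user once the proxy presents a single trusted prefix, so failing closed costs nothing for well-formed traffic.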
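Worked example for the Dgraph /debug/vars brief in this feed. Added here, not code from the brief or from Dgraph: a self-audit that parses an expvar document and reports whether the Alpha's command line leaks a --security token, which is exactly the exposure the brief's attack chain relies on. The sample document is constructed (its shape follows Go's expvar defaults, which publish cmdline and memstats); the flag spellings handled (--security token=..., --security=token=..., and a semicolon-separated list such as token=...; whitelist=...) are assumptions about how the flag may appear in argv, not a statement of every form Dgraph accepts.

```python
"""Self-audit for the Dgraph /debug/vars token exposure. Added example; not Dgraph code."""
import json
from typing import List, Optional

# Constructed expvar document; the real endpoint returns the same shape with more variables.
SAMPLE_DEBUG_VARS = json.dumps({
    "cmdline": ["dgraph", "alpha", "--my=alpha0:7080",
                "--security", "token=s3cr3t-admin-token; whitelist=10.0.0.0/8"],
    "memstats": {"Alloc": 12345678},
})


def security_token_from_cmdline(cmdline: List[str]) -> Optional[str]:
    """Return the token from a --security argument, or None if none is present.
    Handles '--security VALUE', '--security=VALUE' and 'k=v; k=v' lists (assumed forms)."""
    for i, arg in enumerate(cmdline):
        if arg == "--security" and i + 1 < len(cmdline):
            value = cmdline[i + 1]
        elif arg.startswith("--security="):
            value = arg[len("--security="):]
        else:
            continue
        for part in value.split(";"):
            key, _, val = part.strip().partition("=")
            if key.strip() == "token" and val.strip():
                return val.strip()
    return None


def audit_debug_vars(body: str) -> dict:
    """Report whether the document exposes an admin token; only a redacted hint is returned
    so the audit output itself does not become another copy of the secret."""
    doc = json.loads(body)
    cmdline = doc.get("cmdline")
    if not isinstance(cmdline, list):
        return {"exposed": False, "token_hint": None}
    token = security_token_from_cmdline(cmdline)
    return {"exposed": token is not None,
            "token_hint": (token[:4] + "...") if token else None}


def fetch_debug_vars(base_url: str, timeout: float = 5.0) -> str:
    """Fetch /debug/vars from an Alpha HTTP port you are authorized to test. No auth header
    is sent on purpose: an answer at all is the finding the brief describes."""
    import urllib.request
    with urllib.request.urlopen(base_url.rstrip("/") + "/debug/vars", timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(audit_debug_vars(SAMPLE_DEBUG_VARS))
    # Live use against your own instance: print(audit_debug_vars(fetch_debug_vars("http://alpha:8080")))
```

An "exposed": true result on a reachable Alpha means the token should be rotated after upgrading, not merely hidden, since anyone who could reach the port may already hold it.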
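Worked example for the note-mark brief in this feed. Added here, not code from the brief or from note-mark: the IsPasswordMatch fallback pattern the brief describes, reproduced in Python beside its fix, plus the request-body detection the brief's Sigma rule idea implies. PBKDF2 stands in for bcrypt (the fallback bug does not depend on which password hash is used); the user records and log lines are constructed, and only the /api/auth/token path and the "null" password come from the brief.

```python
"""Hardcoded-null-hash fallback (note-mark brief), its fix, and a detection.
Added example; not note-mark's code. PBKDF2 substitutes for bcrypt."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import List, Optional

ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 stand-in for bcrypt; format hex(salt)$hex(key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + key.hex()


def verify_password(stored: str, candidate: str) -> bool:
    salt_hex, key_hex = stored.split("$", 1)
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(key.hex(), key_hex)


# Stand-in for the hardcoded bcrypt("null") hash the brief describes.
NULL_PASSWORD_HASH = hash_password("null")


@dataclass
class User:
    username: str
    password_hash: str = ""  # empty for OIDC-registered accounts, as the brief describes


def is_password_match_vulnerable(user: User, candidate: str) -> bool:
    """Bug pattern: an account with no stored password is compared against the 'null'
    hash, so the literal password "null" authenticates every OIDC-only account."""
    stored = user.password_hash or NULL_PASSWORD_HASH
    return verify_password(stored, candidate)


def is_password_match_fixed(user: User, candidate: str) -> bool:
    """Fix: an account without a stored password has no internal-login path at all."""
    if not user.password_hash:
        return False
    return verify_password(user.password_hash, candidate)


# Constructed request records (not real note-mark logs): one exploitation attempt among normal traffic.
LOGIN_EVENTS = [
    {"method": "POST", "path": "/api/auth/token", "body": '{"username":"alice","password":"null"}'},
    {"method": "POST", "path": "/api/auth/token", "body": '{"username":"bob","password":"correct horse"}'},
    {"method": "POST", "path": "/api/auth/token", "body": '{"username":"carol","password":"null "}'},
    {"method": "GET", "path": "/api/users/me", "body": ""},
]


def flag_null_password_logins(events: List[dict]) -> List[str]:
    """Usernames targeted by POST /api/auth/token with the exact password "null".
    Parsing the JSON body (rather than substring matching) avoids firing on a username
    or note title that merely contains the word, and a trailing space is not a match
    because the bcrypt comparison would fail on it too."""
    hits: List[str] = []
    for ev in events:
        if ev["method"] != "POST" or ev["path"] != "/api/auth/token":
            continue
        try:
            body = json.loads(ev["body"])
        except json.JSONDecodeError:
            continue
        if isinstance(body, dict) and body.get("password") == "null":
            hits.append(str(body.get("username", "?")))
    return hits


if __name__ == "__main__":
    oidc_user = User("alice")
    print("vulnerable accepts 'null':", is_password_match_vulnerable(oidc_user, "null"))
    print("fixed accepts 'null':", is_password_match_fixed(oidc_user, "null"))
    print("flagged logins:", flag_null_password_logins(LOGIN_EVENTS))
```

The fix is a policy decision, not a hashing one: an account that never set a local password must not have a local login path, regardless of what hash would otherwise be used as a default.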