Authentication-Bypass — CraftedSignal Threat Feed

WordPress Easy PayPal Events & Tickets Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:27 +0000

The Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string ’test’ as the hash parameter when accessing the add_wpeevent_button_qr action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.

Attack Chain

Attacker identifies a WordPress site using the Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
Attacker crafts a malicious HTTP GET request targeting the /wp-admin/admin-ajax.php endpoint.
The request includes the action parameter set to add_wpeevent_button_qr.
The request includes a hash parameter set to the hardcoded value test.
The request includes a post_id parameter, either guessed or obtained through other means.
The vulnerable plugin bypasses authentication due to the hardcoded hash.
The plugin processes the request and retrieves sensitive order details associated with the provided post_id.
The attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events & Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.

Recommendation

Deploy the Sigma rule Detect WordPress Easy PayPal Events & Tickets Authentication Bypass Attempt to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
Inspect web server logs for requests to /wp-admin/admin-ajax.php with the action parameter set to add_wpeevent_button_qr and the hash parameter set to test to identify potential exploitation attempts.
Monitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.
If the plugin is still installed, remove it immediately.

Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters

hello@craftedsignal.io — Mon, 04 May 2026 17:20:20 +0000

A vulnerability exists in Quarkus Vertx HTTP versions < 3.20.6.1, >= 3.21.0 and < 3.27.3.1, >= 3.30.0 and < 3.33.1.1, and >= 3.34.0 and < 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (;) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus’s security layer checks the raw URL path, while RESTEasy Reactive’s routing layer strips matrix parameters before matching endpoints. This means a request like /api/admin;anything can bypass authorization for /api/admin while still routing to the protected endpoint. This issue was discovered and verified by the GitHub Security Lab.

Attack Chain

An attacker identifies a protected endpoint, such as /api/admin, that requires authentication or specific privileges.
The attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as /api/admin;anything.
The request is sent to the Quarkus Vertx HTTP server.
Quarkus’s security layer performs an authorization check on the raw URL path /api/admin;anything, which may not match the intended authorization rules for /api/admin.
RESTEasy Reactive’s routing layer strips the matrix parameters (;anything) from the URL, resulting in the endpoint /api/admin being matched.
The request is routed to the protected endpoint /api/admin, bypassing the intended authorization checks.
The attacker gains unauthorized access to the protected resource or functionality.
The attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.

Impact

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.

Recommendation

Upgrade Quarkus Vertx HTTP to a patched version (>= 3.20.6.1, >= 3.27.3.1, >= 3.33.1.1, >= 3.35.1.1) to remediate CVE-2026-39852.
Deploy the Sigma rule Detect Quarkus Authorization Bypass Attempt to identify potential exploitation attempts in web server logs.
Monitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the Monitor Semicolons in URL Path Sigma rule.

Critical Authentication Bypass Vulnerability in MOVEit Automation (CVE-2026-4670)

hello@craftedsignal.io — Mon, 04 May 2026 15:08:49 +0000

Progress MOVEit Automation is affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. Defenders should prioritize patching to prevent potential exploitation.

Attack Chain

An unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).
The vulnerable MOVEit Automation software fails to properly validate the attacker’s identity, granting them unauthorized access.
The attacker gains access to the MOVEit Automation application with administrative privileges.
The attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.
The attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.
The attacker exfiltrates sensitive data stored within MOVEit Automation.
Alternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the system.
The attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.

Impact

Successful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. Given the history of MOVEit products being targeted, a successful attack could have widespread impact across various sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.

Recommendation

Immediately patch all affected MOVEit Automation installations to versions 2025.1.5 or later, 2025.0.9 or later, or 2024.1.8 or later as recommended by Progress Software to remediate CVE-2026-4670 and CVE-2026-5174.
Upscale monitoring and detection capabilities to identify any suspicious activity related to MOVEit Automation, as recommended by the CCB.
Implement the provided Sigma rule “Detect MOVEit Automation Authentication Bypass Attempt” to identify potential exploitation attempts targeting CVE-2026-4670 based on web server logs.

AAP Gateway Account Hijacking Vulnerability (CVE-2026-6266)

hello@craftedsignal.io — Mon, 04 May 2026 14:16:35 +0000

A vulnerability, tracked as CVE-2026-6266, exists in the AAP gateway. Specifically, the user auto-link strategy introduced in AAP 2.6 automatically links external Identity Provider (IDP) identities to existing AAP user accounts based on email matching without verifying email ownership. This vulnerability enables a remote attacker to potentially hijack a victim’s account and gain unauthorized access to other accounts, including administrative accounts. The attacker achieves this by manipulating the email address provided by the IDP during the auto-linking process. This poses a significant risk to organizations using AAP for identity management, potentially leading to data breaches and system compromise.

Attack Chain

Attacker identifies a target user account within the AAP gateway.
Attacker creates an account on a configured external Identity Provider (IDP).
Attacker configures the IDP account with the same email address as the target user in the AAP gateway.
The target user attempts to authenticate to the AAP gateway using the configured IDP.
The AAP gateway, running version 2.6 or later, automatically links the attacker-controlled IDP identity to the existing AAP user account based on email matching, without verifying ownership.
The attacker successfully authenticates to the AAP gateway using the attacker-controlled IDP account, gaining access to the target user’s account.
If the hijacked account has administrative privileges, the attacker can escalate privileges and compromise the entire AAP gateway environment.

Impact

Successful exploitation of CVE-2026-6266 can lead to unauthorized access to sensitive data and systems managed by the AAP gateway. This includes the potential compromise of administrative accounts, which could allow an attacker to gain full control over the AAP environment. The vulnerability impacts organizations using AAP 2.6 and later for identity management. The potential consequences include data breaches, service disruption, and financial loss.

Recommendation

Apply the patch provided in Red Hat Security Advisory RHSA-2026:13508 to remediate CVE-2026-6266.
Monitor AAP gateway logs for successful authentications from unexpected IDPs to detect potential account hijacking attempts. Deploy a Sigma rule to detect this behavior.
Implement multi-factor authentication (MFA) for all AAP accounts to mitigate the impact of successful account hijacking, even if the IDP is compromised.

YunaiV yudao-cloud Authentication Bypass Vulnerability (CVE-2026-7710)

hello@craftedsignal.io — Mon, 04 May 2026 00:16:39 +0000

CVE-2026-7710 is an authentication bypass vulnerability affecting YunaiV’s yudao-cloud, specifically versions up to 3.8.0. The vulnerability resides in the doFilterInternal function within the JwtAuthenticationTokenFilter.java file of the Ruoyi-Vue-Pro component. An attacker can exploit this vulnerability by manipulating the mock-token argument, leading to improper authentication. This allows a remote attacker to potentially gain unauthorized access to the application. Public exploits are available, increasing the risk of exploitation. The vendor was notified but has not responded.

Attack Chain

Attacker identifies a YunaiV yudao-cloud instance running a vulnerable version (<= 3.8.0).
Attacker crafts a malicious HTTP request targeting an endpoint protected by authentication.
The crafted request includes a manipulated mock-token argument designed to bypass the JWT authentication filter.
The JwtAuthenticationTokenFilter.java component processes the request and improperly validates the manipulated mock-token.
Due to the flawed authentication logic, the attacker is granted unauthorized access as an authenticated user.
Attacker gains access to protected resources and functionalities within the application.
Attacker performs privileged actions such as data modification, account takeover, or further exploitation of the system.

Impact

Successful exploitation of CVE-2026-7710 allows attackers to bypass authentication and gain unauthorized access to YunaiV yudao-cloud applications. This can lead to the compromise of sensitive data, modification of application settings, and potentially full system takeover. Given the availability of public exploits, organizations using affected versions of yudao-cloud are at high risk. The CVSS v3.1 base score for this vulnerability is 7.3, indicating a high severity level.

Recommendation

Upgrade YunaiV yudao-cloud to a patched version that addresses CVE-2026-7710.
Deploy the Sigma rule Detect Malicious Mock Token Argument to identify exploitation attempts by monitoring web server logs for the presence of a mock-token argument.
Implement input validation on the server side to ensure that mock-token values conform to expected patterns.

InnoShop Improper Authentication Vulnerability (CVE-2026-7630)

hello@craftedsignal.io — Sat, 02 May 2026 14:16:18 +0000

A critical vulnerability, CVE-2026-7630, affects innocommerce InnoShop versions up to 0.7.8. The vulnerability resides in the InstallServiceProvider::boot function within the innopacks/install/src/InstallServiceProvider.php file, which governs the installation endpoint. Successful exploitation allows remote attackers to bypass authentication mechanisms, potentially leading to complete system compromise. Publicly available exploits exist, increasing the risk of active exploitation. It is crucial for administrators to apply the provided patch (identifier: 45758e4ec22451ab944ae2ae826b1e70f6450dc9) immediately.

Attack Chain

An attacker identifies an InnoShop instance running a vulnerable version (<= 0.7.8).
The attacker crafts a malicious HTTP request targeting the installation endpoint (innopacks/install/src/InstallServiceProvider.php).
The request exploits the improper authentication in the InstallServiceProvider::boot function.
Authentication checks are bypassed due to the vulnerability.
The attacker gains unauthorized access to the installation process.
The attacker injects malicious code or configurations during the installation phase.
The injected code executes with elevated privileges, granting the attacker control over the InnoShop instance.
The attacker establishes a persistent backdoor for future access and potential data exfiltration or further malicious activities.

Impact

Successful exploitation of CVE-2026-7630 allows unauthenticated remote attackers to compromise InnoShop installations. This can lead to complete control of the web server, potentially affecting sensitive customer data, financial information, and intellectual property. Given the ease of exploitation and publicly available exploits, unpatched InnoShop instances are at high risk of compromise. The number of affected installations is currently unknown, but the widespread use of InnoShop in e-commerce makes this a significant threat.

Recommendation

Immediately apply the patch identified by 45758e4ec22451ab944ae2ae826b1e70f6450dc9 to remediate the improper authentication vulnerability.
Deploy the Sigma rule “Detect InnoShop Installation Endpoint Access” to identify unauthorized access attempts to the installation endpoint.
Monitor web server logs for suspicious activity targeting the innopacks/install/src/InstallServiceProvider.php path, based on “Detect InnoShop Installation Endpoint Access” to identify post-exploitation attempts.

WordPress User Verification Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The User Verification by PickPlugins plugin, a popular WordPress plugin, contains a critical authentication bypass vulnerability (CVE-2026-7458) affecting all versions up to and including 2.0.46. The flaw resides within the user_verification_form_wrap_process_otpLogin function, where a loose PHP comparison operator is used to validate OTP codes. This weakness allows unauthenticated attackers to bypass the OTP verification process and log in as any user with a verified email address, potentially gaining administrative access. Successful exploitation requires the attacker to submit the string “true” as the OTP value. This vulnerability poses a significant risk to WordPress sites using the affected plugin, potentially leading to complete site compromise.

Attack Chain

An unauthenticated attacker identifies a WordPress site using a vulnerable version of the User Verification by PickPlugins plugin (<= 2.0.46).
The attacker navigates to the OTP login form provided by the plugin.
The attacker enters the email address of a target user, such as an administrator.
The attacker intercepts the OTP request and instead of a numerical code, submits the string “true” as the OTP value.
The vulnerable user_verification_form_wrap_process_otpLogin function processes the submitted OTP. Due to the loose PHP comparison (e.g., == instead of ===), the string “true” evaluates to true, bypassing the intended OTP validation.
The plugin incorrectly authenticates the attacker as the targeted user.
The attacker gains unauthorized access to the targeted user’s account, potentially gaining administrative privileges.
The attacker can now perform actions such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2026-7458 allows unauthenticated attackers to bypass the OTP verification mechanism and gain unauthorized access to any user account with a verified email address on a vulnerable WordPress site. This can lead to complete compromise of the affected WordPress site, enabling attackers to modify content, inject malicious code, steal sensitive data, or use the site for malicious purposes. Given the plugin’s popularity, this vulnerability could impact a large number of WordPress websites.

Recommendation

Upgrade the User Verification by PickPlugins plugin to the latest version (greater than 2.0.46) to patch CVE-2026-7458.
Monitor WordPress access logs for unusual login attempts or the presence of “true” as OTP values to identify potential exploitation attempts. Deploy the Detect Successful Authentication Bypass via True OTP Sigma rule.
Implement stricter input validation and sanitization for OTP codes to prevent similar bypass vulnerabilities.

WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)

hello@craftedsignal.io — Fri, 01 May 2026 10:15:58 +0000

CVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the ’temp-login-token’ GET parameter within the maybe_login_temporary_user() function. By supplying an array as the value for this parameter, attackers can circumvent the intended empty() check. This leads to the sanitize_key() function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty meta_value parameters, causing the query to return all users with the _temporary_login_token meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version <= 1.0.0).
The attacker crafts a malicious GET request targeting the WordPress site’s login endpoint, including the ’temp-login-token’ parameter as an array (e.g., temp-login-token[]=).
The web server receives the GET request.
The maybe_login_temporary_user() function processes the request.
Due to improper input validation, the empty() check is bypassed when the ’temp-login-token’ parameter is an array.
sanitize_key() processes the array and returns an empty string as the meta_value.
WordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.
The attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.

Impact

Successful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.

Recommendation

Apply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.
Deploy the Sigma rule Detect WordPress Temporary Login Authentication Bypass Attempt to detect exploitation attempts by monitoring HTTP requests with array-based temp-login-token parameters in the query string.
Implement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.

Critical Authentication Bypass Vulnerability in cPanel & WHM (CVE-2026-41940)

hello@craftedsignal.io — Thu, 30 Apr 2026 12:16:14 +0000

A critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel & WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. cPanel & WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.

Attack Chain

An unauthenticated attacker identifies a cPanel & WHM server exposed to the internet.
The attacker crafts a malicious HTTP request targeting the cPanel & WHM login endpoint.
The crafted request manipulates session creation and processing by injecting controlled data into the session files.
This injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.
The attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.
With administrative privileges, the attacker gains full control over the cPanel server.
The attacker accesses hosted websites and databases, potentially compromising sensitive data.
The attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised system.

Impact

Successful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel & WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel & WHM makes this a high-impact vulnerability.

Recommendation

Apply the security patch provided by cPanel to address CVE-2026-41940 immediately after thorough testing to prevent exploitation.
Implement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940 as recommended by CCB.
Review web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.
Monitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. Create a Sigma rule based on process creation logs.

ABB Edgenius Management Portal Authentication Bypass Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 12:00:00 +0000

ABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 are vulnerable to an authentication bypass (CVE-2025-10571). An attacker who has gained network access to a vulnerable Edgenius deployment can send a specially crafted message to the system node, bypassing authentication controls. Successful exploitation allows an attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications. ABB reported this vulnerability to CISA. ABB has released version 3.2.2.0 to address the vulnerability. As a mitigation, ABB advises customers to disable the Edgenius Management Portal until the upgrade can be applied.

Attack Chain

The attacker gains access to the network where the Edgenius Management Portal is deployed.
The attacker identifies a vulnerable ABB Edgenius Management Portal instance (versions 3.2.0.0 or 3.2.1.1).
The attacker crafts a malicious message designed to exploit the authentication bypass vulnerability (CVE-2025-10571).
The attacker sends the specially crafted message to the system node of the Edgenius Management Portal.
The vulnerable Edgenius Management Portal improperly processes the crafted message, bypassing authentication.
The attacker leverages the bypassed authentication to install and execute arbitrary code on the system.
The attacker uninstalls applications, further compromising the system’s functionality.
The attacker modifies the configuration of installed applications to maintain persistence and control.

Impact

Successful exploitation of this vulnerability allows an attacker to gain full control over the ABB Edgenius Management Portal. The attacker can install malicious software, uninstall critical applications, and modify configurations, leading to significant disruption of industrial processes, data theft, or further lateral movement within the OT network. Affected sectors include critical manufacturing and information technology, with deployments worldwide.

Recommendation

Upgrade to ABB Ability Edgenius version 3.2.2.0 to remediate CVE-2025-10571, as this version contains the vendor fix.
Until the upgrade is applied, disable the Edgenius Management Portal to mitigate the vulnerability as recommended by ABB.
Minimize network exposure for all control system devices by ensuring they are not accessible from the internet, as suggested by CISA.
Locate control system networks and remote devices behind firewalls, isolating them from business networks per CISA recommendations.
Implement the Sigma rule “Detect ABB Edgenius Management Portal Exploitation Attempt” to identify potential exploitation attempts based on network traffic patterns.

ABB Ability OPTIMAX Authentication Bypass Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 12:00:00 +0000

A critical vulnerability, CVE-2025-14510, affects ABB Ability OPTIMAX versions that utilize Azure Active Directory (Azure AD) for Single-Sign On (SSO) authentication. This flaw stems from an incorrect implementation of the authentication algorithm, potentially allowing attackers to bypass the Azure AD authentication mechanism and gain unauthorized access to the OPTIMAX system. The affected versions include ABB Ability OPTIMAX 6.1 and 6.2 (all versions), 6.3 versions prior to 6.3.1-251120, and 6.4 versions prior to 6.4.1-251120. Successful exploitation could lead to significant disruption in energy, water, and wastewater sectors. The vulnerability was reported to CISA by ABB PSIRT.

Attack Chain

An attacker identifies an ABB Ability OPTIMAX installation using Azure AD SSO with a vulnerable version (6.1, 6.2, 6.3 < 6.3.1-251120, or 6.4 < 6.4.1-251120).
The attacker crafts a malicious authentication request, exploiting the incorrect implementation of the authentication algorithm (CWE-303).
The crafted request bypasses the expected Azure AD authentication checks within OPTIMAX.
OPTIMAX incorrectly validates the attacker’s session, granting them access to the system.
The attacker leverages their unauthorized access to gain control over OPTIMAX functionalities.
The attacker can then modify control parameters, manipulate data, or disrupt operations within the connected industrial processes.

Impact

Successful exploitation of CVE-2025-14510 enables unauthorized access to ABB Ability OPTIMAX systems, potentially leading to severe consequences in critical infrastructure sectors such as energy, water, and wastewater. An attacker could manipulate industrial processes, disrupt critical services, or cause significant financial and operational damage. Given the widespread deployment of ABB Ability OPTIMAX systems globally, a successful campaign exploiting this vulnerability could have far-reaching impact.

Recommendation

Immediately update ABB Ability OPTIMAX to fixed versions (6.3.1-251120 and later) to remediate CVE-2025-14510.
Refer to ABB PSIRT security advisory 9AKK108472A1331 for detailed mitigation steps and recommendations.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as per CISA’s recommended practices.

cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)

hello@craftedsignal.io — Wed, 29 Apr 2026 16:16:25 +0000

On April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.

Attack Chain

An unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.
The vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.
The attacker gains unauthorized access to the cPanel/WHM interface.
The attacker enumerates the server to identify valuable files, directories, and database configurations.
The attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.
The attacker executes uploaded payloads to establish persistent access, such as a web shell.
The attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.
The attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.

Recommendation

Immediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.
Monitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule DetectCpanelAuthBypassAccess.
Implement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule DetectCpanelAccountManipulation.

Multiple Vulnerabilities in Spring Boot Allow Authorization Bypass and Potential RCE

hello@craftedsignal.io — Wed, 29 Apr 2026 12:00:00 +0000

A set of critical vulnerabilities has been discovered in Spring Boot, a widely used Java framework for building web applications and backend services. These vulnerabilities, including CVE-2026-40976 (CVSS 9.1), CVE-2026-40973 (CVSS 7.0), and CVE-2026-40972 (CVSS 7.5), pose a significant threat to organizations using affected versions (specifically versions before 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33). Successful exploitation could lead to unauthorized access, session hijacking, and remote code execution, impacting the confidentiality, integrity, and availability of critical business systems. The initial advisory was released by CCB Belgium on April 28, 2026, urging immediate patching.

Attack Chain

Initial Access (CVE-2026-40976 - Authentication Bypass): An attacker sends a crafted HTTP request to a vulnerable Spring Boot application endpoint.
Exploit Default Configuration: If the application is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default web security configuration fails to enforce authorization.
Unauthorized Access: Due to the authorization bypass, the attacker gains unauthorized access to all application endpoints without proper authentication.
Session Hijacking (CVE-2026-40973): A local attacker exploits the vulnerability to take control of the ApplicationTemp directory.
Code Execution (CVE-2026-40973): Once in control of the ApplicationTemp directory, the attacker can potentially execute arbitrary code within the context of the application.
Timing Attack (CVE-2026-40972): An attacker on the same network conducts a timing attack against the DevTools remote secret.
Remote Code Execution (CVE-2026-40972): By successfully exploiting the timing attack, the attacker can potentially achieve remote code execution on the vulnerable server.
Impact: The attacker gains full control of the system, allowing for data exfiltration, system compromise, and operational downtime.

Impact

Successful exploitation of these Spring Boot vulnerabilities can lead to significant damage, including unauthorized access to sensitive data, complete system compromise, and extended operational downtime. The potential number of victims is vast, considering the widespread use of Spring Boot in various sectors including finance, healthcare, and e-commerce. If an attacker successfully exploits these vulnerabilities, they could steal sensitive customer data, disrupt critical business operations, or deploy ransomware, resulting in significant financial losses and reputational damage.

Recommendation

Immediately patch Spring Boot applications to the latest versions (>=4.0.6, >=3.5.14, >=3.4.16, >=3.3.19, >=2.7.33) to address CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972.
Deploy the Sigma rule “Detect Suspicious Access to Actuator Endpoints” to identify potential exploitation attempts targeting CVE-2026-40976 by monitoring access to sensitive actuator endpoints.
Upscale monitoring and detection capabilities to identify any related suspicious activity as recommended by the CCB.
Investigate and remediate any potentially compromised systems following the patching process.

SmythOS sre Authentication Bypass Vulnerability (CVE-2026-7022)

hello@craftedsignal.io — Sun, 26 Apr 2026 06:16:02 +0000

A security vulnerability, CVE-2026-7022, has been identified in SmythOS sre versions up to 0.0.15. The vulnerability resides in the AgentRuntime function within the packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts file, specifically affecting the HTTP Header Handler. By manipulating the X-DEBUG-RUN and X-DEBUG-INJ arguments within HTTP headers, an attacker can bypass authentication mechanisms. This vulnerability is remotely exploitable and has a publicly available exploit, posing a significant risk to systems running vulnerable versions of SmythOS sre. The vendor was notified but did not respond.

Attack Chain

The attacker identifies a SmythOS sre instance running version 0.0.15 or earlier.
The attacker crafts a malicious HTTP request targeting the AgentRuntime function.
The attacker includes specially crafted X-DEBUG-RUN and/or X-DEBUG-INJ headers in the HTTP request.
The vulnerable AgentRuntime function improperly processes these headers.
The system bypasses authentication checks due to the manipulated header values.
The attacker gains unauthorized access to protected resources or functionalities.
The attacker performs privileged actions or exfiltrates sensitive data.

Impact

Successful exploitation of CVE-2026-7022 allows an attacker to bypass authentication, potentially leading to complete system compromise. This could result in unauthorized access to sensitive data, modification of system configurations, or disruption of services. Given the public availability of the exploit, vulnerable systems are at high risk of attack.

Recommendation

Apply appropriate input validation and sanitization to the AgentRuntime function within packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts to prevent manipulation of X-DEBUG-RUN and X-DEBUG-INJ headers (CVE-2026-7022).
Deploy the provided Sigma rule to detect exploitation attempts targeting the vulnerable AgentRuntime function.
Monitor web server logs for HTTP requests containing suspicious X-DEBUG-RUN and X-DEBUG-INJ headers.

Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution

hello@craftedsignal.io — Fri, 24 Apr 2026 05:43:56 +0000

A cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.

Attack Chain

Attacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).
Attacker exploits a vulnerability allowing authentication bypass.
Upon successful authentication bypass, the attacker gains unauthorized access to the device.
Attacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.
The code executes with administrator privileges, granting the attacker full control over the device.
Attacker uses the compromised device as a pivot point to move laterally within the network.
Attacker compromises additional systems and exfiltrates sensitive data.

Impact

Successful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.

Recommendation

Deploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.
Consult Cisco’s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.

OpenVPN-auth-oauth2 Authentication Bypass in Plugin Mode

hello@craftedsignal.io — Wed, 22 Apr 2026 14:29:22 +0000

OpenVPN-auth-oauth2, a plugin for OpenVPN, is susceptible to an authentication bypass vulnerability in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. This flaw allows unauthenticated VPN access for clients that do not support WebAuth/SSO. Specifically, standard OpenVPN clients like the Linux CLI openvpn, which do not advertise WebAuth/SSO support (IV_SSO=webauth), can bypass OIDC authentication and gain full network access. The default management-interface mode is not affected. Successful exploitation grants unauthorized access to the internal network behind the VPN. This vulnerability is addressed in version 1.27.3.

Attack Chain

Attacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).
Attacker uses a standard OpenVPN client (e.g., Linux openvpn CLI) that does not support WebAuth/SSO.
The client initiates a connection to the OpenVPN server, bypassing the expected WebAuth/SSO flow.
The openvpn-auth-oauth2 plugin attempts to deny the client by writing “0” to the auth_control_file.
The plugin incorrectly returns OPENVPN_PLUGIN_FUNC_SUCCESS to the OpenVPN server.
OpenVPN interprets the FUNC_SUCCESS return code as successful authentication, ignoring the “0” in the auth_control_file.
The OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.
Attacker gains unauthorized access to internal resources and performs malicious activities such as data exfiltration or lateral movement.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers full access to the internal network behind the OpenVPN server. This could lead to data breaches, lateral movement within the network, and potential compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.

Recommendation

Immediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit 36f69a6.
If immediate upgrade is not feasible, switch to the standalone management client mode (the default, non-plugin deployment) as a workaround.
Monitor OpenVPN server logs for connection attempts from clients that do not support WebAuth/SSO (identified by missing IV_SSO=webauth in the logs) and correlate with network access activity.

NVIDIA KAI Scheduler Authentication Bypass Vulnerability

hello@craftedsignal.io — Wed, 22 Apr 2026 12:00:00 +0000

CVE-2026-24177 details a security flaw within the NVIDIA KAI Scheduler. This vulnerability stems from a lack of proper authentication mechanisms for critical API endpoints. An attacker exploiting this flaw could potentially bypass authorization checks and gain unauthorized access to sensitive functionalities. Successful exploitation leads to information disclosure. The affected product is NVIDIA KAI Scheduler. As of April 2026, exploitation in the wild has not been confirmed, but the potential impact warrants immediate attention from security teams. This vulnerability allows an attacker with network access to the KAI Scheduler to retrieve sensitive information without proper authorization.

Attack Chain

The attacker identifies an exposed NVIDIA KAI Scheduler instance.
The attacker crafts a malicious HTTP request targeting an API endpoint lacking authentication (CWE-306).
The attacker sends the request to the KAI Scheduler.
Due to the missing authentication check, the KAI Scheduler processes the request without verifying the attacker’s identity.
The KAI Scheduler returns sensitive information to the attacker.
The attacker analyzes the disclosed information for further exploitation.
The attacker uses the disclosed information to access other systems.

Impact

Successful exploitation of CVE-2026-24177 enables an attacker to bypass authentication and access sensitive information managed by the NVIDIA KAI Scheduler. The type of information exposed depends on the specific API endpoint accessed, and could include configuration data, user credentials, or internal system details. The NIST advisory assigns a CVSS v3.1 base score of 7.7 (HIGH), highlighting the significant risk of information disclosure.

Recommendation

Monitor web server logs for suspicious requests to NVIDIA KAI Scheduler API endpoints (webserver category, product linux/windows).
Inspect network traffic for unauthorized access to NVIDIA KAI Scheduler API endpoints (network_connection category).
Deploy the Sigma rules provided to detect potential exploitation attempts against NVIDIA KAI Scheduler.

JetBrains TeamCity Authentication Bypass and Path Traversal Vulnerabilities

hello@craftedsignal.io — Wed, 22 Apr 2026 10:00:00 +0000

JetBrains TeamCity, a CI/CD software platform, is vulnerable to CVE-2024-27198, an authentication bypass, and CVE-2024-27199, a path traversal vulnerability. These flaws affect TeamCity versions prior to 2023.11.4. Initially, there was no observed active exploitation. However, by March 7, 2024, widespread exploitation was detected following the public availability of proof-of-concept code. Attackers are actively exploiting these vulnerabilities to create new user accounts on publicly exposed, unpatched TeamCity instances. A substantial number of compromised servers are utilized as production machines for software building and deployment. These attacks have the potential to lead to supply-chain compromises by exposing sensitive information. CISA added CVE-2024-27199 to its Known Exploited Vulnerabilities catalog on April 20, 2026.

Attack Chain

The attacker sends a crafted HTTP request to a vulnerable TeamCity server, exploiting CVE-2024-27198 to bypass authentication.
Once authenticated (or bypassing authentication), the attacker leverages CVE-2024-27199, a path traversal vulnerability, to access sensitive files and directories on the server.
The attacker reads configuration files containing credentials for other systems and services.
The attacker creates new administrative user accounts on the TeamCity server to ensure persistent access.
The attacker modifies build configurations to inject malicious code into software builds.
The attacker compromises the software supply chain by injecting malicious code into build artifacts.
The attacker uses stolen credentials to access deployment environments and deploy compromised builds.

Impact

Successful exploitation allows attackers to perform administrative actions on affected TeamCity servers, leading to a compromise of confidentiality, integrity, and availability of data and infrastructure. The compromise of TeamCity servers used for software building and deployment can result in supply-chain attacks, as these servers often contain sensitive information, such as credentials for deployment environments. A substantial portion of compromised TeamCity servers are utilized as production machines for software building and deployment processes, increasing the scope and impact of potential supply chain attacks.

Recommendation

Immediately patch all JetBrains TeamCity servers to version 2023.11.4 or later to remediate CVE-2024-27198 and CVE-2024-27199 (Reference: https://www.jetbrains.com/privacy-security/issues-fixed/).
Deploy the Sigma rule “Detect TeamCity Authentication Bypass Attempt” to your SIEM to detect exploitation attempts of CVE-2024-27198.
Enable web server logging and increase monitoring to detect suspicious activity related to path traversal attempts indicative of CVE-2024-27199 exploitation.
Monitor for the creation of new user accounts within TeamCity, especially administrative accounts, which could indicate successful exploitation.

Rowboatlabs Rowboat Improper Authentication Vulnerability (CVE-2026-6635)

hello@craftedsignal.io — Mon, 20 Apr 2026 12:16:09 +0000

A critical security flaw, identified as CVE-2026-6635, has been discovered in rowboatlabs rowboat, specifically in versions up to and including 0.1.67. This vulnerability resides within the tool_call function located in the apps/experimental/tools_webhook/app.py file of the tools_webhook component. The vulnerability stems from the improper handling of the X-Tools-JWE argument, which can be manipulated by a remote attacker to bypass authentication mechanisms. This flaw allows attackers to potentially gain unauthorized access and execute arbitrary actions within the application. Public exploits are available, increasing the urgency for mitigation. The vendor was notified but has not responded.

Attack Chain

Attacker identifies a vulnerable instance of rowboatlabs rowboat version 0.1.67 or earlier.
The attacker crafts a malicious HTTP request targeting the tool_call function.
Within the HTTP request, the attacker manipulates the X-Tools-JWE argument with a crafted payload designed to bypass authentication checks.
The vulnerable tool_call function fails to properly validate the manipulated X-Tools-JWE argument.
The application grants the attacker unauthorized access based on the bypassed authentication.
The attacker leverages the unauthorized access to execute actions normally restricted to authenticated users.
Depending on the application’s functionality, this could involve data exfiltration, modification, or execution of arbitrary code.

Impact

Successful exploitation of CVE-2026-6635 can lead to complete compromise of the rowboatlabs rowboat application. Attackers can gain unauthorized access to sensitive data, modify application settings, or even execute arbitrary code on the server. Due to the ease of exploitation with public exploits available, all instances of vulnerable rowboat versions are at immediate risk. The specific impact depends on the application’s role and the data it handles, but potential consequences include data breaches, service disruption, and financial loss.

Recommendation

Apply appropriate input validation to X-Tools-JWE argument using tool_call function within apps/experimental/tools_webhook/app.py to prevent improper authentication (CVE-2026-6635).
Deploy the Sigma rule Detect Rowboat Authentication Bypass Attempt via X-Tools-JWE Manipulation to detect exploitation attempts.
Monitor web server logs for HTTP requests targeting the tool_call function with unusual X-Tools-JWE values.

liangliangyy DjangoBlog Authentication Bypass Vulnerability (CVE-2026-6577)

hello@craftedsignal.io — Sun, 19 Apr 2026 20:16:28 +0000

CVE-2026-6577 is an authentication bypass vulnerability affecting liangliangyy DjangoBlog versions up to 2.1.0.0. The vulnerability exists within an unknown function of the owntracks/views.py file related to the logtracks endpoint. Due to missing authentication, a remote attacker can inject arbitrary GPS data without proper authorization. This can lead to manipulation of location data, unauthorized access to location-based features, and potentially further compromise of the application. A public exploit for this vulnerability is available, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using DjangoBlog, potentially impacting data integrity and confidentiality.

Attack Chain

The attacker identifies a DjangoBlog instance running a vulnerable version (<= 2.1.0.0).
The attacker crafts a malicious HTTP request targeting the /owntracks/views.py logtracks endpoint.
The malicious request injects arbitrary GPS data, bypassing the authentication mechanisms.
The DjangoBlog application processes the crafted request without proper authentication checks.
The injected GPS data is stored and associated with a user or device, potentially overwriting legitimate data.
The attacker gains unauthorized access to location-based features or data due to the injected GPS coordinates.
The attacker leverages the compromised location data to perform further malicious activities, such as tracking user movements or manipulating location-based services.

Impact

Successful exploitation of CVE-2026-6577 allows attackers to inject arbitrary GPS data into vulnerable DjangoBlog instances. This can lead to the manipulation of user location data, potentially impacting location-based services and features. An attacker can track user movements, access restricted resources based on location, or even impersonate legitimate users. Given the availability of a public exploit, unpatched DjangoBlog instances are at high risk of compromise, potentially affecting hundreds of deployments. The lack of vendor response exacerbates the risk, as no official patch or mitigation is available.

Recommendation

Deploy the Sigma rule Detect Suspicious GPS Data Injection to your SIEM to identify exploitation attempts targeting the logtracks endpoint (logsource: webserver).
Inspect web server logs for requests to /owntracks/views.py with unusual parameters or patterns, potentially indicating malicious GPS data injection (logsource: webserver).
Monitor application logs for any anomalies related to GPS data processing or location-based services, which might be signs of successful exploitation (logsource: webserver).

FastGPT NoSQL Injection Vulnerability (CVE-2026-40351)

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

FastGPT is an AI Agent building platform. Versions prior to 4.14.9.5 are susceptible to a critical NoSQL injection vulnerability (CVE-2026-40351) affecting the password-based login endpoint. The vulnerability stems from the use of TypeScript type assertion without runtime validation, enabling unauthenticated attackers to inject MongoDB query operators within the password field. This bypasses the intended password check, granting the attacker the ability to authenticate as any user, including the root administrator. Successful exploitation leads to complete control over the FastGPT instance and its associated data. This vulnerability was addressed in FastGPT version 4.14.9.5. All users of FastGPT versions prior to 4.14.9.5 are vulnerable to this attack.

Attack Chain

An unauthenticated attacker identifies a vulnerable FastGPT instance running a version prior to 4.14.9.5.
The attacker crafts a malicious HTTP POST request to the password-based login endpoint.
Within the POST request body, the attacker places a MongoDB query operator object (e.g., {"$ne": ""}) in the password field, bypassing the standard password check.
The vulnerable FastGPT application processes the malicious request without proper validation.
The MongoDB query operator is executed, bypassing the authentication mechanism.
The attacker is granted unauthorized access to the FastGPT application, assuming the identity of an arbitrary user, including the root administrator.
The attacker leverages their administrative privileges to access sensitive data, modify configurations, or perform other malicious actions within the FastGPT instance.

Impact

Successful exploitation of CVE-2026-40351 allows an unauthenticated attacker to gain complete control over a FastGPT instance. This can lead to unauthorized access to sensitive AI agent configurations, user data, and other critical information. The impact includes data breaches, service disruption, and potential compromise of downstream systems that rely on the FastGPT platform. Given the critical nature of AI agent building platforms, the compromise of a FastGPT instance can have far-reaching consequences.

Recommendation

Immediately upgrade all FastGPT instances to version 4.14.9.5 or later to patch CVE-2026-40351.
Deploy the Sigma rule Detect FastGPT NoSQL Injection Attempt to identify potential exploitation attempts targeting the login endpoint.
Monitor web server logs for unusual POST requests to the login endpoint, specifically looking for MongoDB query operators within the password field as detected by rule Detect FastGPT NoSQL Injection Attempt.
Review and restrict network access to the FastGPT instance to only authorized users and systems to minimize the attack surface.

Anviz CX2 Lite and CX7 Unauthenticated Debug Setting Modification

hello@craftedsignal.io — Fri, 17 Apr 2026 20:16:36 +0000

CVE-2026-40461 describes a vulnerability affecting Anviz CX2 Lite and CX7 devices. The vulnerability allows unauthenticated attackers to send POST requests that modify debug settings on the devices. A successful exploit can enable features like SSH, which are normally restricted. This unauthorized configuration change could be leveraged to gain unauthorized access to the device and potentially the network it is connected to, allowing for further malicious activity. The vulnerability was disclosed in April 2026 and poses a significant risk to organizations using the affected Anviz devices for access control.

Attack Chain

The attacker identifies an Anviz CX2 Lite or CX7 device on the network.
The attacker sends an unauthenticated POST request to the device’s web interface.
The POST request targets a specific endpoint responsible for modifying debug settings.
The request includes parameters that enable debug features, such as SSH.
The device improperly processes the request without requiring authentication, modifying the debug settings accordingly.
The attacker uses the newly enabled SSH service to gain shell access to the device.
The attacker leverages the gained access to escalate privileges, move laterally within the network, or exfiltrate sensitive information.

Impact

Successful exploitation of CVE-2026-40461 allows an attacker to modify device settings, potentially enabling unauthorized access and control over Anviz CX2 Lite and CX7 devices. This can lead to a compromise of the physical security system and potentially the entire network. The impact includes unauthorized entry, data breaches, and disruption of operations. The number of affected devices and organizations is currently unknown.

Recommendation

Monitor network traffic for POST requests targeting Anviz CX2 Lite and CX7 devices attempting to modify debug settings. Deploy the Sigma rule Detect Anviz Debug Setting Modification to identify such activity.
Implement network segmentation to isolate Anviz devices from critical network resources to limit the impact of a potential compromise.
Consult the vendor’s website (https://www.anviz.com/contact-us.html) and CISA advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03) for any available patches or mitigations.

OpenViking Authentication Bypass Vulnerability (CVE-2026-40525)

hello@craftedsignal.io — Fri, 17 Apr 2026 19:16:39 +0000

OpenViking, a bot management framework, contains a critical authentication bypass vulnerability (CVE-2026-40525) affecting versions prior to commit c7bb167. Specifically, the VikingBot OpenAPI HTTP route surface fails to enforce authentication when the api_key configuration value is either unset or configured as an empty string. This vulnerability enables remote attackers with network access to the exposed OpenViking service to bypass authentication controls and execute privileged bot-control functionalities. This includes submitting attacker-controlled prompts, creating or manipulating bot sessions, and gaining unauthorized access to downstream tools, integrations, secrets, and sensitive data that the bot has access to. Given the potential for broad impact and ease of exploitation, this vulnerability poses a significant risk to organizations using vulnerable versions of OpenViking.

Attack Chain

Attacker identifies a vulnerable OpenViking instance with an exposed VikingBot OpenAPI endpoint.
Attacker checks the api_key configuration on the target, either through misconfiguration or default settings, it’s found to be unset or empty.
Attacker crafts a malicious HTTP request to the VikingBot OpenAPI endpoint, omitting the required X-API-Key header.
Due to the authentication bypass, the vulnerable OpenViking instance processes the attacker’s request without proper authentication.
Attacker utilizes the exposed bot-control functionalities to submit malicious prompts.
Attacker creates or hijacks bot sessions, leveraging the compromised session to access downstream systems.
Attacker leverages the bot’s permissions to access internal tools, integrations, and secrets, potentially escalating privileges.
Attacker exfiltrates sensitive data or compromises downstream systems accessible to the bot.

Impact

Successful exploitation of CVE-2026-40525 allows attackers to completely bypass authentication controls and gain full access to bot control functionalities within the OpenViking framework. This could lead to unauthorized access to sensitive data, compromise of downstream systems and integrations, and potential financial loss. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting its critical severity and the potential for widespread damage.

Recommendation

Immediately upgrade OpenViking to a version containing commit c7bb167 or later to patch CVE-2026-40525.
If upgrading is not immediately possible, configure a strong, unique api_key value within the OpenViking configuration to mitigate the authentication bypass.
Deploy the Sigma rule “OpenViking Authentication Bypass Attempt” to detect unauthorized requests to the VikingBot API endpoint lacking the X-API-Key header.
Monitor web server logs for HTTP requests to the VikingBot OpenAPI endpoint without the X-API-Key header to identify potential exploitation attempts using the “OpenViking API requests without API Key” Sigma rule.
Review access logs for downstream systems connected to OpenViking for any unauthorized activity originating from the OpenViking server following potential exploitation.

Paperclip Unauthenticated API Access Vulnerability

hello@craftedsignal.io — Fri, 17 Apr 2026 12:00:00 +0000

Paperclip, a software application, contains multiple API endpoints that lack proper authentication checks, even when the application is configured in “authenticated” mode. This vulnerability allows unauthenticated access to sensitive information and functionality. Observed in versions prior to 2026.416.0, the issue impacts the confidentiality and integrity of the application. An attacker can exploit these vulnerabilities to gather reconnaissance information about the deployment, access heartbeat run issues, retrieve agent instructions, and potentially bypass authentication mechanisms via unauthenticated CLI challenge creation. The disclosed information includes API structure, authentication mechanisms, and internal workflows, which can be leveraged for further malicious activities.

Attack Chain

The attacker sends an unauthenticated GET request to /api/health to obtain deployment mode, exposure setting, auth status, version, and feature flags.
The attacker sends an unauthenticated GET request to /api/skills/index to retrieve a list of available skill endpoints.
The attacker sends an unauthenticated GET request to /api/skills/paperclip to leak the agent heartbeat procedure, API endpoints, parameters, authentication mechanisms, and agent coordination protocols.
The attacker sends an unauthenticated GET request to /api/heartbeat-runs/:runId/issues, attempting to access issue data for a heartbeat run by guessing or obtaining a valid runId.
The attacker sends an unauthenticated POST request to /api/cli-auth/challenges with a JSON payload containing a command to create a CLI authentication challenge and obtain a boardApiToken.
The attacker uses the leaked information to map the internal API structure and plan further attacks or unauthorized access.
The attacker exploits the boardApiToken obtained in step 5, combined with open registration (if enabled), to persistently generate API keys.

Impact

This vulnerability results in significant data exposure, including heartbeat run issues, agent instructions, and internal API structure. An attacker can fingerprint the deployment and map the entire internal API for reconnaissance purposes. Successful exploitation of the unauthenticated CLI challenge creation allows for authentication bypass, potentially leading to a full remote code execution chain. The vulnerability affects organizations using Paperclip versions prior to 2026.416.0. A successful attack can compromise sensitive data, facilitate unauthorized access, and lead to further malicious activities.

Recommendation

Apply the patch to upgrade Paperclip to version 2026.416.0 or later, which addresses the unauthenticated API access vulnerabilities.
Implement authentication checks for the /api/heartbeat-runs/:runId/issues endpoint in server/src/routes/activity.ts using assertCompanyAccess.
Implement authentication checks for the /api/cli-auth/challenges endpoint in server/src/routes/access.ts using assertBoard.
Implement authentication checks for the /api/skills/index and /api/skills/:skillName endpoints in server/src/routes/access.ts.
Reduce the information exposed by the /api/health endpoint by removing sensitive data such as deploymentMode, deploymentExposure, and version or by requiring authentication via assertBoard.
Deploy the Sigma rule “Detect Paperclip Unauthenticated Health Endpoint Access” to identify unauthorized access attempts to the /api/health endpoint.

Velociraptor Authentication Bypass via query() Plugin

hello@craftedsignal.io — Wed, 15 Apr 2026 18:17:25 +0000

Velociraptor, a powerful open-source endpoint detection and response (EDR) framework, is vulnerable to an authentication bypass issue affecting versions prior to 0.76.3. The vulnerability, identified as CVE-2026-6290, resides within the query() plugin. A user with valid credentials and access to one organization within Velociraptor can leverage the query() plugin from a notebook cell to execute VQL (Velociraptor Query Language) queries against other organizations, irrespective of their explicit permissions in those other organizations. This occurs because the plugin improperly uses the user’s current ACL token for all queries, effectively granting the user the same level of access across all organizations as they have in their primary organization. This vulnerability allows for potentially broad data exfiltration and privilege escalation within a Velociraptor deployment.

Attack Chain

An attacker gains valid credentials for a user account within one organization in a vulnerable Velociraptor instance (version < 0.76.3).
The attacker logs into the Velociraptor GUI.
The attacker creates a new notebook or modifies an existing one.
Within a notebook cell, the attacker uses the query() plugin with a crafted VQL query designed to access data from a different organization. For example, using SELECT * FROM org_id='TARGET_ORG'.
The Velociraptor server processes the query using the attacker’s existing ACL token, bypassing the organization’s access controls.
The server returns data from the target organization to the attacker.
The attacker analyzes the retrieved data, potentially gaining access to sensitive information or identifying further targets within the compromised Velociraptor instance.
The attacker uses the information gathered to perform actions in other organizations, based on the permissions of their initial account.

Impact

Successful exploitation of CVE-2026-6290 could allow an attacker to gain unauthorized access to sensitive data stored within different organizations managed by the same Velociraptor instance. This could lead to the exfiltration of confidential information, potential privilege escalation within targeted organizations, and a compromise of the overall security posture of the affected environment. The severity is compounded by the fact that it’s a logic error within a security product, making it harder to detect and remediate without patching. The CVSS v3.1 score is 8.0 HIGH, indicating a significant risk.

Recommendation

Immediately upgrade all Velociraptor installations to version 0.76.3 or later to patch CVE-2026-6290.
Prioritize reviewing Velociraptor user accounts and their assigned organizational access to identify potentially compromised accounts.
Deploy the Sigma rule provided in this brief to detect anomalous use of the query() plugin that targets different organizations than the user’s primary organization.
Monitor Velociraptor server logs for any unexpected access patterns or data retrieval attempts originating from the query() plugin.

OAuth2 Proxy Authentication Bypass via User-Agent Header

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

OAuth2 Proxy is vulnerable to an authentication bypass (CVE-2026-34457) when configured with auth_request-style integration (e.g., nginx auth_request) and either the --ping-user-agent option is set or --gcp-healthchecks is enabled. This flaw allows an unauthenticated remote attacker to gain unauthorized access to protected upstream resources. The vulnerability exists because OAuth2 Proxy incorrectly treats requests with the configured health check User-Agent value as legitimate health checks, irrespective of the requested path. This bypasses the normal login flow, granting access without proper authentication. Versions prior to v7.15.2 are affected, alongside versions <= 3.2.0. Defenders must take immediate action to remediate affected deployments.

Attack Chain

Attacker identifies an OAuth2 Proxy deployment utilizing auth_request and either --ping-user-agent or --gcp-healthchecks.
Attacker determines the configured --ping-user-agent value or identifies that --gcp-healthchecks is enabled (default User-Agent: GoogleHC/1.0).
Attacker crafts an HTTP request to a protected resource, setting the User-Agent header to the configured --ping-user-agent value (or “GoogleHC/1.0” if --gcp-healthchecks is enabled).
The reverse proxy (e.g., Nginx) forwards the request to the OAuth2 Proxy’s /oauth2/auth endpoint.
OAuth2 Proxy incorrectly interprets the request as a health check due to the matching User-Agent header.
OAuth2 Proxy responds to the reverse proxy with a 200 OK status, indicating successful authentication.
The reverse proxy, believing the authentication was successful, forwards the attacker’s request to the protected upstream resource.
Attacker successfully accesses the protected resource without authenticating, achieving unauthorized access.

Impact

Successful exploitation of this vulnerability results in complete authentication bypass, granting attackers unauthorized access to sensitive resources protected by OAuth2 Proxy. The number of affected deployments is unknown, but any organization using OAuth2 Proxy with the specified configurations is potentially at risk. This can lead to data breaches, service disruption, and other severe security incidents.

Recommendation

Upgrade to OAuth2 Proxy version v7.15.2 or later to patch CVE-2026-34457.
Disable the --gcp-healthchecks flag if it is enabled.
Remove any configured --ping-user-agent flag.
Implement reverse proxy configurations, such as the provided Nginx example, to prevent forwarding client-controlled User-Agent headers to the OAuth2 Proxy /oauth2/auth endpoint.
Deploy the Sigma rule “OAuth2 Proxy Authentication Bypass Attempt” to detect malicious requests exploiting this vulnerability.

Industrial Edge Management Authentication Bypass Vulnerability (CVE-2026-33892)

hello@craftedsignal.io — Tue, 14 Apr 2026 09:16:36 +0000

A critical authentication bypass vulnerability, CVE-2026-33892, affects Industrial Edge Management Pro V1 (versions >= V1.7.6 and < V1.15.17), Industrial Edge Management Pro V2 (versions >= V2.0.0 and < V2.1.1), and Industrial Edge Management Virtual (versions >= V2.2.0 and < V2.8.0). The flaw stems from a failure to properly enforce user authentication on remote connections to managed devices. An unauthenticated attacker can exploit this vulnerability to circumvent authentication mechanisms and impersonate a legitimate user, potentially gaining unauthorized access to and control over the affected devices. Successful exploitation requires the attacker to discover the header and port used for remote connections and that the remote connection feature is enabled on the targeted device. While exploitation grants access to the device, it’s important to note that security features implemented directly on the device itself, such as application-specific authentication, remain unaffected.

Attack Chain

The attacker identifies a vulnerable Industrial Edge Management Pro or Virtual instance.
The attacker probes the target system to identify the header and port used for remote connections to managed devices. This may involve network scanning or analyzing network traffic.
The attacker exploits CVE-2026-33892 by crafting a malicious request that bypasses authentication, impersonating a legitimate user. This request is sent to the identified port using the specific header.
The vulnerable system accepts the unauthenticated request due to the improper enforcement of user authentication.
The attacker establishes a tunnel to the targeted managed device.
The attacker gains unauthorized access to the managed device, potentially allowing them to execute commands or access sensitive data.
The attacker leverages the tunneled connection to further compromise the device or network.
The attacker’s final objective depends on their motives, potentially involving data exfiltration, disruption of services, or lateral movement within the network.

Impact

Successful exploitation of CVE-2026-33892 can lead to complete compromise of Industrial Edge Management systems and the managed devices connected to them. This could enable attackers to disrupt critical industrial processes, steal sensitive data, or launch further attacks within the affected network. The lack of proper authentication enforcement allows an attacker to impersonate legitimate users, granting them elevated privileges and potentially unrestricted access to the compromised system and devices. The severity of the impact depends on the criticality of the managed devices and the data they handle.

Recommendation

Immediately upgrade Industrial Edge Management Pro V1 to a version >= V1.15.17, Pro V2 to a version >= V2.1.1, and Virtual to a version >= V2.8.0 to patch CVE-2026-33892, as outlined in the product’s security advisory.
Monitor network traffic for suspicious connections to Industrial Edge Management systems on non-standard ports, using the provided network_connection Sigma rule to identify potentially malicious activity.
Implement network segmentation to isolate Industrial Edge Management systems and managed devices from other parts of the network, limiting the potential impact of a successful exploit.
Review and enforce strong authentication policies on the managed devices themselves to mitigate the risk of unauthorized access even if the Industrial Edge Management system is compromised.
Enable and review logs from Industrial Edge Management systems, focusing on authentication attempts and remote connection activity, to detect and respond to suspicious behavior.

SINEC NMS Authentication Bypass Vulnerability (CVE-2026-24032)

hello@craftedsignal.io — Tue, 14 Apr 2026 09:16:34 +0000

A critical authentication bypass vulnerability, identified as CVE-2026-24032, affects SINEC NMS (Network Management System) versions prior to V4.0 SP3 with UMC (Unified Management Center). This weakness stems from insufficient validation of user identity within the UMC component, a central piece of the SINEC NMS architecture. Successful exploitation could allow a remote, unauthenticated attacker to bypass security measures and gain unauthorized access to the SINEC NMS application. Siemens has released a security advisory (SSA-801704) addressing this vulnerability. This poses a significant risk to organizations relying on SINEC NMS for network management, potentially leading to data breaches, system compromise, and denial-of-service attacks. The vulnerability was reported through the Zero Day Initiative (ZDI-CAN-27564).

Attack Chain

The attacker identifies a vulnerable SINEC NMS instance running a version prior to V4.0 SP3 with UMC.
The attacker crafts a malicious request that exploits the insufficient user identity validation in the UMC component.
This request is sent to the SINEC NMS server, targeting the UMC component’s authentication process.
The UMC component fails to properly validate the user’s identity due to the vulnerability.
The attacker bypasses the authentication mechanism, gaining unauthorized access.
With unauthorized access, the attacker can access sensitive data within the SINEC NMS application.
The attacker may then leverage their access to modify configurations, add malicious users, or disrupt network operations.

Impact

Successful exploitation of CVE-2026-24032 allows an unauthenticated remote attacker to gain complete unauthorized access to the SINEC NMS application. This could lead to the compromise of sensitive network configuration data, allowing the attacker to reconfigure managed network devices, monitor network traffic, and potentially disrupt critical infrastructure. Given the broad use of SINEC NMS in industrial control systems (ICS) and critical infrastructure, a successful attack could have significant consequences, including financial losses, operational downtime, and even physical damage.

Recommendation

Immediately upgrade SINEC NMS to version V4.0 SP3 with UMC or later to patch CVE-2026-24032 as referenced in the Siemens advisory https://cert-portal.siemens.com/productcert/html/ssa-801704.html.
Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.
Monitor web server logs for suspicious activity and unexpected requests targeting the UMC component.

MinIO Unauthenticated Object Write Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 00:05:52 +0000

MinIO is susceptible to two authentication bypass vulnerabilities affecting all deployments up to AIStor RELEASE.2026-04-11T03-20-12Z. The vulnerability lies within the STREAMING-UNSIGNED-PAYLOAD-TRAILER code path. An attacker possessing a valid access key (including the default minioadmin or any key with WRITE permissions) can exploit these flaws to write arbitrary objects to any bucket. This bypass eliminates the need for the secret key or a valid cryptographic signature. One vulnerability involves missing signature verification in PutObjectExtractHandler, while the other bypasses signature verification using query-string credentials. These issues stem from the introduction of authTypeStreamingUnsignedTrailer support in commit 76913a9fd, specifically impacting releases from RELEASE.2023-05-18T00-05-36Z onwards.

Attack Chain

Attacker obtains a valid MinIO access key, either through default credentials or compromised accounts.
For vulnerability 1, the attacker crafts a PUT request with X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, X-Amz-Meta-Snowball-Auto-Extract: true, and an Authorization header containing the valid access key but a fabricated signature.
The request is sent to the MinIO server’s PutObjectExtractHandler endpoint.
Due to the missing signature verification in the PutObjectExtractHandler, the request proceeds without proper authentication.
The server extracts the access key and checks IAM permissions via isPutActionAllowed, but the fabricated signature is not validated.
The server accepts the request, and the attacker-controlled payload is extracted into the target bucket.
For vulnerability 2, the attacker crafts a PUT or PUT Part request omitting the Authorization header.
The attacker includes authentication credentials (access key) exclusively via the X-Amz-Credential query parameter. Since the Authorization header is missing, signature verification is skipped, and the request proceeds with the permissions of the impersonated access key, allowing the attacker to write arbitrary objects.

Impact

Successful exploitation of these vulnerabilities allows unauthorized users to modify objects within MinIO storage buckets, potentially leading to data breaches, service disruptions, or the injection of malicious content. Any MinIO deployment is affected, creating a widespread risk for organizations relying on MinIO for their storage infrastructure. The CVSS v4.0 score of 8.8 (High) highlights the severity and potential impact of these vulnerabilities. The number of victims depends on the adoption rate of vulnerable MinIO versions.

Recommendation

Upgrade to MinIO AIStor version RELEASE.2026-04-11T03-20-12Z or later, as indicated in the MinIO AIStor documentation.
Implement a block at the load balancer or reverse proxy to reject any requests containing X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER, as mentioned in the Workarounds section.
Deploy the Sigma rule Detect MinIO Unsigned Payload Trailer to identify exploitation attempts based on the presence of the vulnerable header.
Review and restrict WRITE permissions (s3:PutObject) to trusted principals to reduce the attack surface as described in the Workarounds section.

zhayujie chatgpt-on-wechat CowAgent Authentication Bypass (CVE-2026-6129)

hello@craftedsignal.io — Sun, 12 Apr 2026 20:16:19 +0000

A critical authentication bypass vulnerability, CVE-2026-6129, has been identified in zhayujie chatgpt-on-wechat CowAgent versions up to 2.0.4. This flaw resides within the Agent Mode Service component and enables unauthenticated remote attackers to execute unauthorized actions by manipulating requests. The vulnerability stems from missing authentication checks, allowing malicious actors to potentially gain unauthorized access and control over affected systems. Exploit code is publicly available, increasing the risk of widespread exploitation. The vendor has been notified, but has not yet responded to the report.

Attack Chain

Attacker identifies a vulnerable instance of zhayujie chatgpt-on-wechat CowAgent running version 2.0.4 or earlier.
Attacker crafts a malicious request targeting the Agent Mode Service.
The malicious request bypasses authentication checks due to the missing authentication vulnerability (CVE-2026-6129).
The Agent Mode Service processes the crafted request without proper authorization.
Attacker gains unauthorized access to sensitive functions and data within the application.
Attacker leverages the gained access to execute arbitrary commands or manipulate application settings.
Attacker potentially escalates privileges within the application.
Attacker achieves full control over the affected chatgpt-on-wechat CowAgent instance.

Impact

Successful exploitation of CVE-2026-6129 can lead to complete compromise of the chatgpt-on-wechat CowAgent instance. This includes unauthorized access to user data, modification of application settings, and potentially remote code execution. The lack of authentication allows attackers to perform administrative actions without legitimate credentials. The impact is significant, especially if the affected instance handles sensitive information or is integrated with critical systems.

Recommendation

Apply available patches or updates for zhayujie chatgpt-on-wechat CowAgent immediately to remediate CVE-2026-6129.
Monitor web server logs for suspicious requests targeting the Agent Mode Service to identify potential exploitation attempts. Deploy the Sigma rule Detect ChatGPT WeChat CowAgent Authentication Bypass Attempt to detect exploitation attempts in web server logs.
Implement strong authentication mechanisms for all application endpoints, especially those handling sensitive data or administrative functions.
Restrict network access to the chatgpt-on-wechat CowAgent instance to only authorized users and systems.
Review and audit the application’s codebase to identify and address any other potential security vulnerabilities.

zhayujie chatgpt-on-wechat CowAgent Authentication Bypass Vulnerability (CVE-2026-6126)

hello@craftedsignal.io — Sun, 12 Apr 2026 11:16:16 +0000

A critical vulnerability, CVE-2026-6126, has been discovered in zhayujie chatgpt-on-wechat CowAgent version 2.0.4. This flaw resides within an unspecified function of the Administrative HTTP Endpoint component. Successful exploitation of this vulnerability allows remote attackers to bypass authentication mechanisms, potentially leading to unauthorized access and control over the affected system. The vulnerability is due to missing authentication checks on a critical function. Publicly available exploits exist, increasing the likelihood of exploitation. The project maintainers were notified; however, there has been no response at the time of this writing. This poses a significant risk to any deployment of chatgpt-on-wechat CowAgent 2.0.4 accessible over a network.

Attack Chain

Attacker identifies a vulnerable instance of zhayujie chatgpt-on-wechat CowAgent 2.0.4.
Attacker crafts a malicious HTTP request targeting the Administrative HTTP Endpoint.
The malicious request bypasses authentication due to the missing authentication vulnerability (CVE-2026-6126).
The request executes an unauthorized administrative function.
Attacker gains unauthorized access to sensitive data or configuration.
Attacker deploys a persistent backdoor for long-term access.
Attacker uses the backdoor to pivot to other systems or networks.

Impact

Successful exploitation of CVE-2026-6126 can lead to complete compromise of the chatgpt-on-wechat CowAgent instance. This may enable attackers to access sensitive data, modify configurations, or disrupt services. Given that the application integrates with WeChat, a successful attack might expose sensitive user data or allow the attacker to conduct further attacks via the compromised instance. Due to the ease of exploitation and public availability of exploit code, the risk is considered high.

Recommendation

Apply available patches or updates for zhayujie chatgpt-on-wechat CowAgent to address CVE-2026-6126 as soon as they are released.
Monitor web server logs for suspicious activity targeting the Administrative HTTP Endpoint using the Sigma rule provided below.
Implement network segmentation to limit the potential impact of a compromised CowAgent instance.
Deploy a web application firewall (WAF) with rules to detect and block exploit attempts targeting CVE-2026-6126.
Conduct regular security audits of the chatgpt-on-wechat CowAgent deployment to identify and remediate potential vulnerabilities.

Laravel Passport Authentication Bypass Vulnerability (CVE-2026-39976)

hello@craftedsignal.io — Thu, 09 Apr 2026 17:16:31 +0000

Laravel Passport, an OAuth2 server implementation for Laravel, is vulnerable to an authentication bypass (CVE-2026-39976) in versions 13.0.0 up to, but not including, 13.7.1. The vulnerability stems from the league/oauth2-server library, where the JWT sub claim is set to the client identifier for client_credentials tokens, as there is no associated user. Subsequently, the token guard uses this client identifier to retrieve user information via retrieveById() without proper validation, potentially resolving and authenticating an unrelated, real user. This means any machine-to-machine token can inadvertently authenticate as an actual user within the Laravel application. The vulnerability is resolved in Laravel Passport version 13.7.1. This allows attackers to perform actions with the privileges of the authenticated user.

Attack Chain

Attacker obtains a valid client_credentials token issued by Laravel Passport (versions 13.0.0 - 13.7.0). This could be a token intended for machine-to-machine communication.
The attacker sends a request to a protected endpoint of the Laravel application, including the client_credentials token in the Authorization header.
The Laravel Passport token guard extracts the JWT sub claim from the token. In vulnerable versions, this sub claim contains the client identifier.
The token guard calls retrieveById() using the client identifier from the sub claim as the user ID.
Due to the lack of validation, retrieveById() queries the user database, potentially finding a user whose ID matches the client identifier.
If a user with the matching ID is found, the application authenticates the request as that user, granting the attacker their privileges.
The attacker can then access resources and perform actions as the authenticated user.
The attacker exploits the user’s privileges to compromise data or perform unauthorized actions within the application.

Impact

Successful exploitation of CVE-2026-39976 allows attackers to bypass authentication and gain unauthorized access to user accounts in Laravel applications using affected versions of Laravel Passport. This can lead to data breaches, privilege escalation, and other malicious activities, depending on the privileges of the compromised user accounts. The severity of the impact depends on the application’s functionality and the sensitivity of the data it handles. Potentially all applications using Laravel Passport for authentication are vulnerable.

Recommendation

Upgrade Laravel Passport to version 13.7.1 or later to patch CVE-2026-39976.
Implement additional validation within the application’s authentication logic to verify that the user ID extracted from the JWT sub claim corresponds to a valid user, especially when using client_credentials tokens.
Monitor application logs for unexpected authentication events or API requests originating from machine-to-machine tokens that are being authenticated as users. The webserver log source can be used for this monitoring.
Deploy the Sigma rule provided to detect requests to protected endpoints with client_credentials tokens that are incorrectly authenticated as users.

LiteLLM Authentication Bypass via Password Hash Exposure and Pass-the-Hash

hello@craftedsignal.io — Wed, 08 Apr 2026 00:04:12 +0000

LiteLLM versions prior to 1.83.0 are vulnerable to an authentication bypass vulnerability. User passwords are stored as unsalted SHA-256 hashes, a weak cryptographic practice that makes them susceptible to rainbow table attacks. Furthermore, these password hashes are exposed through several API endpoints, including /user/info, /user/update, and /spend/users, allowing any authenticated user to retrieve them. The /v2/login endpoint also accepts the raw SHA-256 hash as a valid password without proper re-hashing. This combination of vulnerabilities allows an attacker with low-level access to escalate privileges by obtaining another user’s password hash and using it to directly log in as that user. Defenders should upgrade to version 1.83.0 or later to mitigate this vulnerability.

Attack Chain

Attacker gains initial access to LiteLLM and authenticates as a low-privilege user.
Attacker sends a request to /user/info to retrieve the password hash of another user.
The API responds with the target user’s SHA-256 password hash.
Attacker sends a POST request to the /v2/login endpoint using the stolen SHA-256 hash as the password.
The /v2/login endpoint accepts the raw SHA-256 hash without re-hashing.
The server authenticates the attacker as the target user.
Attacker now has the privileges of the target user, potentially gaining access to sensitive data or administrative functions.

Impact

Successful exploitation of this vulnerability leads to unauthorized access and privilege escalation within the LiteLLM application. An attacker can impersonate other users, including administrators, potentially leading to data breaches, system compromise, and unauthorized modifications. The number of victims depends on the deployment size, but any LiteLLM instance running a version prior to 1.83.0 is vulnerable. Sectors utilizing LiteLLM are at risk.

Recommendation

Upgrade LiteLLM to version 1.83.0 or later to patch the vulnerability (reference: Patches section).
Deploy the Sigma rule “Detect LiteLLM User Info Hash Access” to monitor for unauthorized access to user password hashes via the /user/info endpoint (reference: rule: “Detect LiteLLM User Info Hash Access”).
Deploy the Sigma rule “Detect LiteLLM Login with SHA256 Hash” to detect login attempts using SHA256 hashes (reference: rule: “Detect LiteLLM Login with SHA256 Hash”).

Totolink A8000R Authentication Bypass Vulnerability (CVE-2026-5676)

hello@craftedsignal.io — Mon, 06 Apr 2026 19:16:30 +0000

CVE-2026-5676 is an authentication bypass vulnerability affecting Totolink A8000R routers with firmware version 5.9c.681_B20180413. The vulnerability resides in the /cgi-bin/cstecgi.cgi file, specifically within the setLanguageCfg function. By manipulating the langType argument, an attacker can bypass authentication checks, potentially gaining unauthorized access to sensitive router functionalities. This vulnerability can be exploited remotely without requiring any prior authentication. A public exploit is available, increasing the likelihood of exploitation. Defenders should prioritize detection and patching of this vulnerability to prevent unauthorized access and control of affected devices.

Attack Chain

An attacker identifies a vulnerable Totolink A8000R router running firmware 5.9c.681_B20180413.
The attacker sends a crafted HTTP request to /cgi-bin/cstecgi.cgi.
The request targets the setLanguageCfg function.
The request includes a manipulated langType argument designed to bypass authentication.
The vulnerable setLanguageCfg function processes the request without proper authentication checks.
The attacker gains unauthorized access to router configuration settings.
The attacker modifies sensitive settings such as DNS, routing rules, or firewall configuration.
The attacker achieves full control of the router, potentially using it for malicious purposes like eavesdropping, traffic redirection, or botnet activities.

Impact

Successful exploitation of CVE-2026-5676 allows a remote, unauthenticated attacker to gain full control of the affected Totolink A8000R router. This can lead to a variety of malicious activities, including unauthorized access to the local network, data theft, DNS hijacking, and the use of the router as part of a botnet. The potential number of affected devices is substantial, as the A8000R model is widely used.

Recommendation

Deploy the Sigma rule to detect malicious HTTP requests targeting the vulnerable setLanguageCfg function (see “Detect Totolink A8000R Authentication Bypass Attempt” rule below).
Monitor web server logs for requests to /cgi-bin/cstecgi.cgi with unusual langType parameters (see “Detect Totolink A8000R Authentication Bypass Attempt” rule below).
Upgrade the firmware of Totolink A8000R routers to a patched version that addresses CVE-2026-5676 (consult the vendor’s website for updates).
Implement network segmentation to limit the impact of a compromised router on other devices on the network.

Mattermost Legal Hold Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 13:17:18 +0000

The Mattermost Legal Hold plugin, in versions 1.1.4 and earlier, contains an authentication bypass vulnerability (CVE-2026-3524) that can be exploited by authenticated attackers. The vulnerability lies in the ServeHTTP function, where a failed authorization check does not properly halt request processing. This flaw allows attackers to craft malicious API requests to the plugin’s endpoints, enabling them to access, create, download, and delete legal hold data without proper authorization. The vulnerability is identified by Mattermost Advisory ID MMSA-2026-00621 and poses a significant risk to organizations using the affected plugin versions, potentially leading to data breaches and compliance violations.

Attack Chain

Attacker authenticates to the Mattermost server with valid user credentials.
Attacker crafts a malicious API request targeting the Legal Hold plugin’s endpoints.
The request is sent to the Mattermost server.
The ServeHTTP function in the Legal Hold plugin processes the request.
Authorization check fails due to insufficient privileges or incorrect parameters.
Instead of halting request processing, the plugin continues to execute the request.
The attacker gains unauthorized access to legal hold data or performs unauthorized actions (create, download, delete).
The attacker successfully exfiltrates or manipulates sensitive legal hold information.

Impact

Successful exploitation of this vulnerability (CVE-2026-3524) allows authenticated attackers to bypass authorization controls within the Mattermost Legal Hold plugin. This can result in unauthorized access, creation, modification, or deletion of sensitive legal hold data. The vulnerability affects versions 1.1.4 and earlier of the plugin. Organizations using the affected versions are at risk of data breaches, compliance violations, and reputational damage. A CVSS v3.1 score of 8.8 indicates a high level of severity due to the potential for significant data compromise.

Recommendation

Upgrade the Mattermost Legal Hold plugin to a version later than 1.1.4 to remediate CVE-2026-3524.
Deploy the Sigma rules provided in this brief to detect exploitation attempts targeting the vulnerable Legal Hold plugin endpoints (see rules section).
Monitor Mattermost server logs for unusual API requests to the Legal Hold plugin, specifically those resulting in unexpected data access or modification, as a potential sign of exploitation (webserver log source).

GPT Researcher Authentication Bypass Vulnerability (CVE-2026-5632)

hello@craftedsignal.io — Mon, 06 Apr 2026 07:16:02 +0000

A critical authentication bypass vulnerability, CVE-2026-5632, has been identified in assafelovic’s gpt-researcher up to version 3.4.3. The vulnerability resides within the HTTP REST API Endpoint component. A remote attacker can exploit this flaw by manipulating requests, effectively bypassing authentication mechanisms. This issue allows unauthorized access to functionalities that should be protected. A proof-of-concept exploit is publicly available, increasing the risk of exploitation. Despite being reported through issue #1695, the project maintainers have not yet provided a patch or mitigation. The vulnerability poses a significant threat to systems running affected versions of gpt-researcher, potentially leading to data breaches, unauthorized modifications, or denial of service.

Attack Chain

Attacker identifies a vulnerable gpt-researcher instance running version 3.4.3 or earlier.
Attacker crafts a malicious HTTP request targeting the vulnerable HTTP REST API Endpoint.
The crafted request manipulates authentication parameters, exploiting the authentication bypass vulnerability (CVE-2026-5632).
The application fails to properly validate the request due to the missing authentication check.
The attacker gains unauthorized access to restricted functionalities and data.
Attacker performs unauthorized actions, such as retrieving sensitive information, modifying data, or executing arbitrary commands.
The attacker may escalate privileges within the application to further compromise the system.

Impact

Successful exploitation of CVE-2026-5632 allows an unauthenticated attacker to perform actions as if they were a legitimate user. The impact includes unauthorized access to sensitive data, modification of system settings, or even complete system compromise. Given the nature of gpt-researcher, this could lead to the exposure of research data, API keys, or other confidential information. As a publicly known exploit exists, the risk is elevated for deployments that have not yet been patched or mitigated.

Recommendation

Apply any available patches or updates for assafelovic gpt-researcher to address CVE-2026-5632.
If a patch is not yet available, implement temporary mitigations such as access control restrictions or input validation on the HTTP REST API Endpoint.
Monitor web server logs for suspicious activity targeting the HTTP REST API Endpoint to identify potential exploitation attempts; deploy the Sigma rule “Detect GPT Researcher Authentication Bypass Attempt” to identify potential exploitation attempts.
Implement network segmentation to limit the potential impact of a successful exploit.
Review and harden authentication and authorization mechanisms within the gpt-researcher application.

JeecgBoot AI Chat Module Authentication Bypass Vulnerability

hello@craftedsignal.io — Mon, 06 Apr 2026 04:16:13 +0000

A critical authentication bypass vulnerability has been identified in JeecgBoot, a low-code development platform, affecting versions 3.9.0 and 3.9.1. The vulnerability resides within the AI Chat Module, specifically impacting the jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java file. An attacker can exploit this flaw remotely to bypass authentication mechanisms, potentially gaining unauthorized access to sensitive functionalities or data. The identified patch is b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59. The project has addressed the issue with a commit that will be included in the next official release, urging users to apply the patch.

Attack Chain

The attacker identifies a JeecgBoot instance running versions 3.9.0 or 3.9.1 with the AI Chat Module enabled.
The attacker crafts a malicious HTTP request targeting the vulnerable JeecgBizToolsProvider.java component.
This request exploits the authentication bypass vulnerability, likely by manipulating specific parameters or headers.
The application fails to properly validate the attacker’s identity due to the missing authentication check.
The attacker gains unauthorized access to the AI Chat Module’s functionalities.
Depending on the module’s capabilities, the attacker could potentially access user data or execute arbitrary code within the context of the application.
The attacker leverages the compromised AI Chat Module to escalate privileges within the JeecgBoot application.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to gain unauthorized access to the AI Chat Module in vulnerable JeecgBoot instances. The impact could range from data breaches and unauthorized access to sensitive information to complete system compromise, depending on the permissions and functionality exposed through the AI Chat Module. While the number of affected instances is currently unknown, JeecgBoot’s popularity suggests a potentially widespread risk.

Recommendation

Apply the patch b7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59 to the vulnerable JeecgBizToolsProvider.java file immediately.
Monitor web server logs for suspicious requests targeting the AI Chat Module endpoints, specifically JeecgBizToolsProvider.java, using the provided Sigma rule.
Upgrade to the next official release of JeecgBoot containing the fix for CVE-2026-5616 once it becomes available.

Technostrobe HI-LED-WR120-G2 Improper Authentication Vulnerability (CVE-2026-5570)

hello@craftedsignal.io — Sun, 05 Apr 2026 14:16:17 +0000

A critical vulnerability, CVE-2026-5570, exists in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30. This vulnerability resides within the index_config function of the /LoginCB file. Successful exploitation allows remote attackers to bypass authentication mechanisms. Publicly available exploit code exists, increasing the risk of widespread exploitation. The vendor was notified but did not respond. Given the lack of vendor response and the existence of a public exploit, organizations using affected Technostrobe devices should immediately assess their exposure and implement mitigation measures.

Attack Chain

An attacker identifies a vulnerable Technostrobe HI-LED-WR120-G2 device running firmware version 5.5.0.1R6.03.30 accessible over the network.
The attacker crafts a malicious HTTP request targeting the /LoginCB endpoint.
The crafted request exploits the improper authentication flaw in the index_config function.
The vulnerable function fails to properly validate the attacker’s identity due to the flaw.
The attacker gains unauthorized access to administrative functionalities.
The attacker modifies device configurations, potentially disrupting operations or gaining further control.
The attacker uses the gained access to access internal network resources.
The attacker uses the compromised device as a foothold for lateral movement within the network.

Impact

Successful exploitation of CVE-2026-5570 allows attackers to bypass authentication on affected Technostrobe HI-LED-WR120-G2 devices. This could lead to unauthorized access to sensitive configurations, disruption of lighting systems, and potential use of the compromised device as a pivot point for further attacks within the network. The lack of vendor response to the vulnerability exacerbates the risk, as no official patch is available.

Recommendation

Monitor web server logs for suspicious requests to the /LoginCB endpoint, specifically those attempting to manipulate the index_config function, to detect potential exploitation attempts related to CVE-2026-5570.
Deploy the Sigma rule provided below to detect unauthorized access attempts via the vulnerable endpoint.
Implement network segmentation to limit the impact of a compromised Technostrobe device on other network resources.
Consider placing the affected Technostrobe device behind a reverse proxy with strict access controls and input validation rules.

PraisonAI Gateway Unauthenticated Access Vulnerability

hello@craftedsignal.io — Fri, 03 Apr 2026 23:17:06 +0000

CVE-2026-34952 exposes a critical vulnerability in PraisonAI, a multi-agent teams system. Specifically, versions of the PraisonAI Gateway server prior to 4.5.97 lack authentication for WebSocket connections at the /ws endpoint and for serving agent topology information at the /info endpoint. This absence of authentication means that any client on the network can connect to these endpoints. Attackers could exploit this vulnerability to enumerate registered agents, send arbitrary messages to agents and their associated tool sets, and potentially gain unauthorized control over the PraisonAI system. The vulnerability was reported on April 3, 2026, and is addressed in version 4.5.97 of PraisonAI.

Attack Chain

An attacker identifies a vulnerable PraisonAI Gateway server running a version prior to 4.5.97.
The attacker establishes a WebSocket connection to the /ws endpoint of the server without providing any credentials.
The server, lacking authentication, accepts the connection.
The attacker sends a request to the /info endpoint to enumerate registered agents and their topology.
The server responds with the agent topology data.
The attacker crafts arbitrary messages and sends them to specific agents through the established WebSocket connection.
The targeted agent receives the message and executes the corresponding actions, potentially including tool usage or data modification.
The attacker achieves unauthorized control over the PraisonAI system by manipulating agents and their tool sets.

Impact

Successful exploitation of this vulnerability could lead to complete compromise of the PraisonAI system. Attackers can enumerate and control agents, manipulate data, and potentially use the agents’ tool sets for malicious purposes, such as data theft or system disruption. This could impact organizations relying on PraisonAI for critical functions, leading to financial losses, reputational damage, and operational downtime. The severity is high due to the ease of exploitation and the potential for widespread damage.

Recommendation

Upgrade all PraisonAI Gateway servers to version 4.5.97 or later to patch CVE-2026-34952.
Deploy the Sigma rules provided to detect unauthorized connections to the /ws and /info endpoints.
Monitor network traffic for suspicious WebSocket connections to the PraisonAI Gateway server to detect potential exploitation attempts.

OAuthenticator Authentication Bypass Vulnerability (CVE-2026-33175)

hello@craftedsignal.io — Fri, 03 Apr 2026 22:16:26 +0000

OAuthenticator is a software package that enables the integration of OAuth2 identity providers with JupyterHub. A critical authentication bypass vulnerability, identified as CVE-2026-33175, affects OAuthenticator versions prior to 17.4.0. This flaw permits an attacker with an unverified email address on an Auth0 tenant to successfully authenticate and log in to a JupyterHub instance. The vulnerability arises when email is used as the username_claim, granting attackers control over their username and potentially enabling account takeover. Organizations using affected versions of OAuthenticator in conjunction with Auth0 are at risk. The vulnerability was patched in version 17.4.0.

Attack Chain

Attacker gains access to an Auth0 tenant and creates an account.
The attacker does not verify the email address associated with the Auth0 account.
JupyterHub is configured to use OAuthenticator for authentication, with email specified as the username_claim.
The attacker attempts to log in to JupyterHub using the unverified Auth0 account.
Due to the vulnerability in OAuthenticator versions prior to 17.4.0, the authentication bypass occurs, allowing the attacker to successfully log in.
The attacker gains unauthorized access to the JupyterHub environment.
Attacker leverages the compromised account to perform malicious activities, such as accessing sensitive data or modifying Jupyter notebooks.

Impact

Successful exploitation of CVE-2026-33175 allows unauthorized access to JupyterHub instances. This can lead to the compromise of sensitive data, modification of Jupyter notebooks, and potential disruption of services. The vulnerability impacts organizations that use OAuthenticator with Auth0 and rely on email as the username claim. The number of affected organizations is currently unknown.

Recommendation

Upgrade OAuthenticator to version 17.4.0 or later to patch CVE-2026-33175.
Review JupyterHub configurations to ensure that email is not used as the username_claim if possible.
Implement multi-factor authentication (MFA) for JupyterHub accounts to mitigate the risk of account takeover.
Monitor logs for suspicious login attempts from Auth0 accounts with unverified email addresses. Deploy the provided Sigma rule targeting process creation after successful authentication to detect suspicious activity.

Unauthenticated Access to Administrative Endpoint (CVE-2026-32646)

hello@craftedsignal.io — Fri, 03 Apr 2026 21:17:11 +0000

CVE-2026-32646 describes a critical vulnerability affecting an unspecified device or application. This vulnerability allows unauthenticated access to a specific administrative endpoint, thereby bypassing intended access controls. Successful exploitation grants unauthorized access to device management functions, potentially leading to configuration changes, data manipulation, or complete device compromise. The vulnerability was reported to ICS-CERT and assigned a CVSS v3.1 base score of 7.5 (High). The specific products affected are not detailed in the source document. The vulnerability falls under CWE-306, Missing Authentication for Critical Function. Defenders need to identify affected systems and implement appropriate access controls to mitigate the risk.

Attack Chain

Reconnaissance: The attacker identifies the vulnerable administrative endpoint.
Unauthenticated Request: The attacker sends a crafted HTTP request to the administrative endpoint without providing any authentication credentials.
Access Granted: Due to the missing authentication check, the server incorrectly grants access to the requested administrative functions.
Device Information Retrieval: The attacker uses the exposed administrative functions to retrieve sensitive device configuration information.
Configuration Modification: The attacker modifies device settings, potentially changing network configurations or security policies.
Privilege Escalation (Potential): Using the modified configuration, the attacker may escalate privileges within the affected system or network.
Lateral Movement (Potential): The compromised device is used as a pivot point to access other systems on the network.
System Compromise: The attacker achieves full control over the targeted device, potentially leading to data theft, denial of service, or further network compromise.

Impact

Successful exploitation of CVE-2026-32646 allows unauthorized access to device management functions. The specific impact depends on the functions exposed, but could include configuration changes, data manipulation, or complete device compromise. Absent specific product information, it is difficult to estimate the number of affected devices or target sectors; however, successful exploitation could lead to significant operational disruption and data breaches.

Recommendation

Identify systems potentially affected by CVE-2026-32646 and prioritize patching or mitigation (reference CVE-2026-32646).
Inspect web server logs for requests to administrative endpoints without valid authentication tokens or credentials (reference webserver log source).
Implement network segmentation to limit the impact of a compromised device.
Deploy the Sigma rules provided below to your SIEM to detect unauthorized access attempts to administrative endpoints.
Monitor network traffic for unusual activity originating from devices that may be vulnerable.

Critical Authentication Bypass Vulnerability in Cisco Integrated Management Controller (CVE-2026-20093)

hello@craftedsignal.io — Fri, 03 Apr 2026 14:00:09 +0000

A critical authentication bypass vulnerability, CVE-2026-20093, affects multiple versions of Cisco Integrated Management Controller (IMC) software. The vulnerability allows an unauthenticated remote attacker to bypass the login process and gain full administrative privileges on the affected system. This flaw stems from improper input validation (CWE-20). Exploitation grants the attacker the ability to change user passwords, manipulate hardware settings such as power cycling servers, and potentially use the compromised device to launch attacks on other systems within the network. The impacted product list is extensive, spanning multiple Cisco product lines, including the 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6 Rack Servers, and UCS E-Series M3/M6. This vulnerability poses a significant threat to organizations relying on these systems for critical infrastructure management.

Attack Chain

The unauthenticated attacker sends a specially crafted request to the Cisco IMC web interface.
The vulnerable IMC software fails to properly validate the request, allowing the attacker to bypass the authentication mechanism.
The attacker gains full administrative access to the IMC.
The attacker changes the password of an existing administrative user or creates a new administrative user.
The attacker logs in to the IMC with the newly acquired administrative credentials.
The attacker modifies hardware settings, such as power management configurations, potentially power cycling servers.
The attacker disrupts critical infrastructure managed by the compromised IMC.
The attacker uses the compromised device as a pivot point to launch further attacks against other systems on the network.

Impact

Successful exploitation of CVE-2026-20093 grants an attacker complete control over the affected Cisco IMC. This can lead to severe consequences, including disruption of critical services, data breaches, and lateral movement within the network. Given the hardware-level access provided by IMC, attackers can manipulate physical infrastructure, leading to extended downtime and potential data loss. The CCB has assessed the risk of this vulnerability as high due to the ease of exploitation and the potential impact on confidentiality, integrity, and availability.

Recommendation

Immediately patch all affected Cisco IMC instances to the latest available version to remediate CVE-2026-20093 (refer to the affected software list).
Upscale monitoring and detection capabilities to identify any suspicious activity related to unauthorized access attempts to Cisco IMC web interfaces (deploy the Sigma rules provided).
In case of an intrusion, report the incident via https://ccb.belgium.be/en/cert/report-incident.

OneUptime SAML SSO Authentication Bypass Vulnerability (CVE-2026-34840)

hello@craftedsignal.io — Thu, 02 Apr 2026 20:16:28 +0000

OneUptime, an open-source monitoring and observability platform, is vulnerable to an authentication bypass in versions prior to 10.0.42. The vulnerability, identified as CVE-2026-34840, resides in the SAML Single Sign-On (SSO) implementation within the App/FeatureSet/Identity/Utils/SSO.ts file. The flawed logic involves a decoupling of signature verification and identity extraction processes. Specifically, the isSignatureValid() function checks the signature of the first element, while the getEmail() function extracts the email address from the first assertion element assertion[0]. This design allows an attacker to prepend a malicious, unsigned SAML assertion containing an arbitrary identity before a legitimate, signed assertion. This bypasses authentication, potentially granting unauthorized access to sensitive monitoring data and platform functionalities. The vulnerability has been patched in version 10.0.42.

Attack Chain

Attacker crafts a malicious SAML response containing an unsigned assertion with a forged identity (e.g., a privileged user’s email).
The attacker prepends this malicious assertion to a valid, signed SAML assertion generated for a low-privilege account or a newly created account.
The combined SAML response is sent to the OneUptime platform for authentication.
The isSignatureValid() function verifies the signature of the second assertion (the originally signed, valid one), passing the signature check.
The getEmail() function extracts the email address from the first assertion (the malicious, unsigned one), effectively impersonating the forged identity.
OneUptime grants access based on the forged identity extracted from the malicious assertion.
The attacker gains unauthorized access to the OneUptime platform with the privileges of the impersonated user.
The attacker can then view monitoring data, modify configurations, or perform other actions allowed to the compromised account.

Impact

Successful exploitation of CVE-2026-34840 allows an attacker to bypass authentication and impersonate any user on the OneUptime platform. This could lead to unauthorized access to sensitive monitoring data, modification of system configurations, and potentially complete compromise of the OneUptime instance. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high severity. Organizations using vulnerable OneUptime versions are at risk of significant data breaches and operational disruption.

Recommendation

Immediately upgrade OneUptime instances to version 10.0.42 or later to patch CVE-2026-34840.
Implement a web application firewall (WAF) rule to inspect SAML responses for multiple assertions and reject requests containing more than one assertion to prevent the attack described in the attack chain.
Monitor web server logs for suspicious SAML authentication requests and responses, focusing on unusual source IPs or deviations from normal authentication patterns related to the webserver log source.

Hirschmann HiEOS HTTP(S) Management Module Authentication Bypass (CVE-2024-14034)

hello@craftedsignal.io — Thu, 02 Apr 2026 20:16:19 +0000

CVE-2024-14034 describes an authentication bypass vulnerability affecting Hirschmann HiEOS devices. The vulnerability resides within the HTTP(S) management module and allows unauthenticated remote attackers to gain administrative privileges. By sending specially crafted HTTP(S) requests, attackers can bypass authentication checks due to improper handling. This enables them to perform unauthorized actions such as downloading or uploading device configurations and modifying the device firmware. Successful exploitation leads to a complete compromise of the affected HiEOS device.

Attack Chain

The attacker identifies a vulnerable Hirschmann HiEOS device accessible over the network via HTTP(S).
The attacker crafts a malicious HTTP(S) request designed to exploit the authentication bypass. This request likely targets specific endpoints in the management module.
The attacker sends the crafted HTTP(S) request to the vulnerable HiEOS device.
Due to improper authentication handling, the device incorrectly processes the request, granting the attacker administrative privileges.
The attacker leverages the elevated privileges to download the device configuration, potentially exposing sensitive information.
The attacker modifies the device configuration, injecting malicious settings or backdoors.
The attacker uploads the modified configuration to the HiEOS device, effectively compromising its functionality.
Alternatively, the attacker could use their elevated privileges to upload and install a modified firmware image. This allows complete control over the device and can ensure persistence.

Impact

Successful exploitation of CVE-2024-14034 allows an unauthenticated attacker to gain full administrative control over the targeted Hirschmann HiEOS device. This can lead to device configuration modification, firmware manipulation, and potential disruption of network services relying on the compromised device. Given the nature of HiEOS devices, successful attacks can impact industrial control systems (ICS) and critical infrastructure. A CVSS v3.1 base score of 9.8 reflects the critical severity and potential impact.

Recommendation

Apply the patches or mitigations provided in the Belden Security Bulletin BSECV-2024-02 (reference URL in the References section) to remediate CVE-2024-14034.
Monitor webserver logs for unusual HTTP requests targeting the HiEOS management interface using the Sigma rule “Detect Suspicious HiEOS Management Requests”.
Implement network segmentation to limit the exposure of HiEOS devices and reduce the potential impact of a successful attack.
Regularly review and update firmware on HiEOS devices to address known vulnerabilities and improve overall security posture.

goshs Authentication Bypass Vulnerability (CVE-2026-34581)

hello@craftedsignal.io — Thu, 02 Apr 2026 19:21:32 +0000

CVE-2026-34581 affects goshs, a SimpleHTTPServer written in Go. Versions 1.1.0 to before 2.0.0-beta.2 are susceptible to an authentication bypass vulnerability. When a user attempts to access the server with a Share Token, it is possible to bypass the intended file download restriction, gaining access to all goshs functionalities. This includes the ability to execute arbitrary code on the server. The vulnerability was patched in version 2.0.0-beta.2. This vulnerability allows unauthenticated attackers to potentially gain full control of the server hosting goshs. Organizations using affected versions of goshs should upgrade immediately.

Attack Chain

Attacker identifies a server running a vulnerable version of goshs (1.1.0 to before 2.0.0-beta.2).
Attacker requests a resource that should be protected by the Share Token.
The server prompts for the Share Token.
Attacker exploits the authentication bypass vulnerability by manipulating the request (details not specified in source).
Successful exploitation grants the attacker access to all goshs functionalities, bypassing the intended file download restriction.
Attacker leverages the unrestricted access to execute arbitrary code on the server.
Attacker gains a shell or other form of remote access to the compromised server.

Impact

Successful exploitation of CVE-2026-34581 allows an unauthenticated attacker to execute arbitrary code on the server. This can lead to complete system compromise, data theft, or denial of service. The impact is significant for organizations using vulnerable versions of goshs to serve sensitive files or applications. The report does not mention the number of victims, but the severity is high given the potential for code execution.

Recommendation

Upgrade goshs to version 2.0.0-beta.2 or later to patch CVE-2026-34581 (reference: https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2).
Deploy the Sigma rule Detect Goshs Code Execution via Auth Bypass to detect potential exploitation attempts.
Monitor web server logs for suspicious activity related to goshs, specifically requests that might be attempting to bypass authentication.

vanna-ai vanna Authentication Bypass Vulnerability (CVE-2026-5320)

hello@craftedsignal.io — Thu, 02 Apr 2026 05:16:04 +0000

A critical authentication bypass vulnerability, identified as CVE-2026-5320, affects vanna-ai vanna versions up to 2.0.2. The vulnerability lies within the Chat API Endpoint located at /api/vanna/v2/. Successful exploitation allows remote attackers to bypass authentication mechanisms through a yet unspecified manipulation of the API endpoint. Public exploits are available, increasing the risk of widespread exploitation. The vendor has been unresponsive to disclosure attempts, further raising the urgency for mitigation. This vulnerability allows attackers to interact with the Chat API without proper authorization, potentially leading to data breaches, unauthorized actions, or disruption of service.

Attack Chain

The attacker identifies a vulnerable vanna-ai vanna instance running a version up to 2.0.2.
The attacker sends a crafted request to the /api/vanna/v2/ Chat API endpoint.
The request exploits the missing authentication vulnerability (CVE-2026-5320) through an unspecified manipulation.
The server improperly processes the request without requiring valid authentication credentials.
The attacker gains unauthorized access to the Chat API functionality.
The attacker interacts with the API, potentially retrieving sensitive information or executing unauthorized actions.
The attacker may leverage the unauthorized access to compromise user accounts or exfiltrate data.

Impact

Successful exploitation of CVE-2026-5320 allows attackers to bypass authentication and gain unauthorized access to the vanna-ai vanna Chat API. This can lead to the compromise of user data, unauthorized actions performed on behalf of legitimate users, and potential disruption of the service. The lack of vendor response and the availability of public exploits significantly increase the risk and potential impact of this vulnerability. Given the nature of AI chatbot applications, sensitive information handled by the application could be exposed, damaging data confidentiality.

Recommendation

Apply immediate patching or mitigation measures to vanna-ai vanna instances running versions up to 2.0.2. Consult the vendor’s website for any available patches, or consider applying a reverse proxy rule to enforce authentication on the /api/vanna/v2/ endpoint until a patch is available.
Deploy the provided Sigma rule Detect vanna-ai vanna Authentication Bypass Attempt to identify and alert on exploitation attempts targeting the /api/vanna/v2/ endpoint.
Monitor web server logs for suspicious activity targeting the /api/vanna/v2/ endpoint, paying close attention to unusual request patterns or error codes, and investigate any anomalies.
Implement web application firewall (WAF) rules to block requests exploiting CVE-2026-5320 based on known exploit patterns.

IBM Verify and Security Verify Access Authentication Bypass Vulnerability

hello@craftedsignal.io — Wed, 01 Apr 2026 21:17:02 +0000

IBM Verify Identity Access Container and IBM Security Verify Access Container are vulnerable to an authentication bypass vulnerability identified as CVE-2026-4101. The affected versions include IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1, as well as IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1. This vulnerability can be exploited under certain load conditions, potentially granting an attacker unauthorized access to the application. Defenders should prioritize patching vulnerable systems to mitigate the risk of exploitation.

Attack Chain

The attacker identifies a vulnerable IBM Verify or Security Verify Access instance running a susceptible version (11.0-11.0.2 or 10.0-10.0.9.1).
The attacker floods the targeted application with requests to induce high load conditions.
Under these high load conditions, a flaw in the authentication mechanism is triggered.
The attacker crafts specific requests to exploit the authentication bypass.
The application incorrectly validates the attacker’s request, bypassing authentication controls.
The attacker gains unauthorized access to the application.
Once authenticated, the attacker may perform privileged actions, access sensitive data, or escalate privileges within the system.

Impact

Successful exploitation of CVE-2026-4101 allows an unauthenticated attacker to bypass authentication mechanisms and gain unauthorized access to the targeted IBM Verify or Security Verify Access application. This could lead to the compromise of sensitive data, unauthorized modification of system configurations, and potential lateral movement within the network. The number of potential victims is dependent on the number of unpatched IBM Verify and Security Verify Access instances exposed to network traffic.

Recommendation

Apply the patches provided by IBM to address CVE-2026-4101 on all affected IBM Verify Identity Access Container and IBM Security Verify Access Container instances (refer to IBM’s advisory https://www.ibm.com/support/pages/node/7268253).
Monitor web server logs for unusual HTTP requests or error patterns that may indicate exploitation attempts. Deploy the Sigma rule targeting HTTP 500 responses originating from the access container to detect potential exploitation attempts.
Implement rate limiting and traffic shaping mechanisms to mitigate the risk of denial-of-service conditions that could exacerbate the vulnerability.

Goshs Authentication Bypass via Share Token

hello@craftedsignal.io — Wed, 01 Apr 2026 20:58:48 +0000

Goshs versions 1.1.0 and later are susceptible to an authentication bypass vulnerability (CVE-2026-34581) when using share tokens. The vulnerability resides in the BasicAuthMiddleware which prioritizes token validation over credential checks. This allows an attacker with a valid share token to bypass all authentication and access restricted functionalities such as directory listing, file deletion, clipboard access, WebSocket connections, and CLI command execution. A patch is available in version v2.0.0-beta.2. This vulnerability affects systems using goshs where authentication is enabled alongside the share token feature, potentially leading to unauthorized access and command execution.

Attack Chain

A legitimate user creates a share token for a specific file using the goshs web interface or API.
The attacker obtains a valid share token, either through social engineering or other means.
The attacker crafts a malicious request to the goshs server, including the valid share token as a query parameter (e.g., ?token=).
The BasicAuthMiddleware in goshs checks for the token parameter first and, upon finding a valid token, bypasses subsequent authentication checks.
The attacker includes a ws parameter in the same request (e.g., ?ws&token=), enabling a WebSocket connection.
Using the established WebSocket connection, the attacker sends commands to the server by sending a JSON payload with {"type":"command","Content":"command_to_execute"}.
The server executes the attacker-supplied command, such as id or cat /etc/passwd.
The attacker receives the output of the executed command via the WebSocket connection, effectively achieving remote code execution.

Impact

Successful exploitation of this vulnerability (CVE-2026-34581) allows an attacker to bypass authentication, gain unauthorized access to the goshs server, and execute arbitrary commands. This can lead to complete system compromise, data exfiltration, and denial-of-service. Since the vulnerability exists in a widely used web file server, a successful attack could impact numerous organizations using goshs.

Recommendation

Upgrade to goshs version v2.0.0-beta.2 or later to patch CVE-2026-34581, as the vulnerability is fixed in that version (https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2).
Monitor web server logs for requests containing both token and ws parameters in the query string, which may indicate an attempt to exploit this vulnerability (see the detection rule below).
Implement network monitoring to detect unusual WebSocket connections originating from or destined to the goshs server (see the detection rule below).

Multiple Vulnerabilities in Dovecot Mail Server

hello@craftedsignal.io — Mon, 30 Mar 2026 10:14:10 +0000

Multiple vulnerabilities have been identified in the Dovecot mail server software. An attacker can leverage these flaws to execute SQL injection attacks, potentially gaining unauthorized access to the underlying database. Furthermore, successful exploitation could lead to bypassing authentication mechanisms, allowing unauthorized access to mailboxes and sensitive information. The vulnerabilities also pose a risk of sensitive information disclosure and denial-of-service (DoS) conditions, disrupting mail services. The broad functionality affected by these flaws makes it a high-priority issue for organizations using Dovecot.

Attack Chain

An attacker identifies a vulnerable Dovecot instance accessible over the network.
The attacker crafts a malicious input string designed to exploit a SQL injection vulnerability in Dovecot’s authentication or user management modules.
The attacker submits the crafted input to a Dovecot service, such as IMAP or POP3, during the authentication process.
If the SQL injection is successful, the attacker gains unauthorized access to the Dovecot database.
The attacker uses the database access to extract user credentials or modify authentication settings.
Alternatively, the attacker exploits the SQL injection to disclose sensitive configuration data or internal system information.
If authentication bypass is successful, the attacker logs into a targeted user’s mailbox without valid credentials.
The attacker causes a denial-of-service condition by sending malformed requests that crash the Dovecot server.

Impact

Successful exploitation of these vulnerabilities could lead to complete compromise of the Dovecot server and the data it manages. This includes unauthorized access to user mailboxes, disclosure of sensitive information, and disruption of email services. The impact ranges from data breaches and loss of confidentiality to service outages and reputational damage. The severity depends on the specific vulnerability exploited and the configuration of the Dovecot instance.

Recommendation

Closely monitor Dovecot logs for suspicious SQL-related errors or authentication failures (reference: description of SQL injection vulnerability).
Implement strict input validation and sanitization measures to mitigate potential SQL injection attacks within Dovecot configurations.
Since the advisory does not list specific log sources, enable verbose logging for Dovecot services to capture detailed information about authentication attempts and database interactions.

OpenClaw Feishu Webhook Authentication Bypass (CVE-2026-32974)

hello@craftedsignal.io — Sun, 29 Mar 2026 13:17:01 +0000

OpenClaw before version 2026.3.12 is susceptible to an authentication bypass vulnerability (CVE-2026-32974) affecting Feishu webhook integrations. This vulnerability arises when the verificationToken is configured without the encryptKey. This configuration flaw enables unauthenticated attackers to forge Feishu events and send them to the webhook endpoint. Successful exploitation allows attackers to trigger arbitrary downstream tool execution within the OpenClaw environment. This is a…

OpenBao OIDC Direct Callback Authentication Bypass Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 18:33:37 +0000

OpenBao, a secrets management tool, is vulnerable to an authentication bypass in versions prior to 2.5.2. This vulnerability stems from the lack of user confirmation when logging in via JWT/OIDC with a role configured with callback_mode set to direct. The vulnerability allows an attacker to initiate an authentication request and trick a victim into visiting a URL, which automatically logs them into the attacker’s session. This constitutes a “remote phishing” attack because the attacker never directly interacts with the victim’s credentials. The direct callback mode interacts directly with the OpenBao API, enabling the attacker to poll for a token after the victim has been authenticated and a token has been issued. The vulnerability is tracked as CVE-2026-33757.

Attack Chain

The attacker configures an OpenBao role with callback_mode=direct.
The attacker initiates an OIDC authentication request, generating a unique URL.
The attacker sends the generated URL to the victim via phishing or other social engineering methods.
The victim clicks the link and authenticates through the OIDC provider. OpenBao automatically associates this authentication with the attacker’s session due to the direct callback.
OpenBao’s API receives a direct callback, skipping user confirmation.
OpenBao issues a token associated with the attacker’s session, effectively authenticating the attacker as the victim.
The attacker continuously polls the OpenBao API for the issued token.
The attacker retrieves the token and gains unauthorized access to secrets and resources managed by OpenBao, impersonating the victim.

Impact

Successful exploitation of this vulnerability allows an attacker to impersonate a legitimate user within OpenBao. This can lead to unauthorized access to sensitive data, including secrets, credentials, and other protected resources. The impact is critical as it allows complete bypass of intended authentication mechanisms, potentially affecting all users and systems managed by the vulnerable OpenBao instance. This can lead to data breaches, service disruption, and privilege escalation.

Recommendation

Upgrade OpenBao to version 2.5.2 or later to apply the patch that introduces a confirmation screen for direct type logins.
As a workaround, remove any OpenBao roles configured with callback_mode=direct.
Enforce confirmation for every session on the token issuer side for the Client ID used by OpenBao, mitigating the risk even if roles with callback_mode=direct exist.
Monitor web server logs for unusual patterns of requests to the OpenBao OIDC callback endpoint after authentication, using the “Detect OpenBao Direct Callback Abuse” Sigma rule to identify potential exploitation attempts.
Deploy the “Detect OpenBao Direct Callback Configuration” Sigma rule to identify roles configured with the vulnerable callback_mode=direct setting.

Wecodex Hotel CMS 1.0 SQL Injection Vulnerability

hello@craftedsignal.io — Thu, 26 Mar 2026 12:16:04 +0000

Wecodex Hotel CMS 1.0 is susceptible to an SQL injection vulnerability (CVE-2018-25195) within its admin login feature. Discovered in 2026, this flaw enables unauthenticated attackers to inject malicious SQL code into the ‘username’ parameter of a POST request sent to the ‘index.php’ page with the ‘action=processlogin’ parameter. Successful exploitation could lead to the bypass of authentication mechanisms, potentially granting unauthorized administrative privileges. The vulnerability poses a significant risk to organizations utilizing the vulnerable CMS, as attackers could gain full control over the web application and its underlying data, including user credentials and sensitive business information. This requires immediate attention and patching.

Attack Chain

An unauthenticated attacker identifies a Wecodex Hotel CMS 1.0 instance.
The attacker crafts a malicious SQL payload designed to bypass authentication.
The attacker sends a POST request to index.php with the parameter action=processlogin.
The crafted SQL payload is injected into the username parameter of the POST request.
The application fails to properly sanitize the input, passing the malicious SQL to the database.
The injected SQL code manipulates the authentication query, likely using OR clauses and commenting out the rest of the original query.
The manipulated query returns a successful authentication result, bypassing the intended login process.
The attacker gains unauthorized access to the administrative panel of the Wecodex Hotel CMS.

Impact

Successful exploitation of this SQL injection vulnerability allows attackers to bypass authentication controls and gain administrative access to the Wecodex Hotel CMS 1.0. This can lead to full compromise of the system, including the theft of sensitive data such as customer information, financial records, and proprietary business data. Attackers can also modify the website, inject malicious code, or use the compromised server as a launching point for further attacks. Given the potential for complete system compromise, this vulnerability poses a critical risk to affected organizations.

Recommendation

Block POST requests to /index.php containing suspicious SQL syntax in the username parameter using a web application firewall (WAF) or intrusion detection system (IDS), based on the provided attack chain.
Deploy the provided Sigma rule to detect exploitation attempts targeting the login functionality of Wecodex Hotel CMS.
Upgrade to a patched version of Wecodex Hotel CMS that addresses CVE-2018-25195 if available from the vendor.
Implement parameterized queries or prepared statements in the application code to prevent SQL injection vulnerabilities.

MacCMS 2025.1000.4052 Missing Authentication Vulnerability (CVE-2026-4562)

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

CVE-2026-4562 details a missing authentication vulnerability within MacCMS version 2025.1000.4052. The vulnerability is located in the application/api/controller/Timming.php file, specifically within the Timming API Endpoint component. This flaw allows unauthenticated remote attackers to execute actions that should normally require authentication. The vulnerability has been publicly disclosed, increasing the risk of exploitation. Defenders should prioritize identifying and mitigating…

Contest Gallery WordPress Plugin Authentication Bypass Vulnerability (CVE-2026-4021)

hello@craftedsignal.io — Tue, 24 Mar 2026 00:16:31 +0000

The Contest Gallery plugin for WordPress, versions up to and including 28.1.5, is vulnerable to a critical authentication bypass (CVE-2026-4021). This vulnerability stems from how the users-registry-check-after-email-or-pin-confirmation.php script handles email confirmations, combined with an unauthenticated key-based login endpoint in ajax-functions-frontend.php. If the RegMailOptional=1 setting is enabled (non-default), an attacker can register a new user account with a specially…

Critical Vulnerabilities in Quest KACE SMA Allow System Takeover

hello@craftedsignal.io — Sat, 21 Mar 2026 12:00:00 +0000

Quest KACE Systems Management Appliance (SMA) is an IT systems management solution used by organizations to manage and secure endpoints. In June 2025, multiple critical vulnerabilities were disclosed. These include CVE-2025-32975, an authentication bypass; CVE-2025-32976, a 2FA bypass; CVE-2025-32977, malicious backup upload; and CVE-2025-32978, license replacement leading to denial of service. The vulnerabilities were discovered during a third-party assessment. As of March 20, 2026, active exploitation has been reported, making immediate patching critical. Versions affected include KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341, and 14.1.101. Successful exploitation can lead to complete system compromise, impacting enterprise security and operations.

Attack Chain

Unauthenticated Request (CVE-2025-32975): An attacker sends a crafted request to the KACE SMA server, exploiting the improper authentication handling in the SSO mechanism.
Authentication Bypass: The server fails to properly validate the request, allowing the attacker to bypass authentication and impersonate a legitimate user, gaining unauthorized access to the system.
2FA Bypass (CVE-2025-32976): If the attacker has valid credentials, they exploit a logic flaw in the two-factor authentication implementation to bypass TOTP-based 2FA requirements.
Privilege Escalation: Using the bypassed authentication, the attacker gains access to administrative privileges within the KACE SMA.
Malicious Backup Upload (CVE-2025-32977): An unauthenticated attacker uploads a malicious backup file to the system, exploiting weaknesses in the cryptographic signature validation process.
System Compromise: The malicious backup content is processed, compromising the system’s integrity and potentially allowing the attacker to execute arbitrary code.
License Replacement (CVE-2025-32978): The attacker uses a web interface intended for license renewal to replace valid system licenses with expired or trial licenses.
Denial of Service: The replacement of valid licenses causes a denial of service, disrupting normal operations and preventing legitimate users from accessing the system.

Impact

Successful exploitation of these vulnerabilities allows attackers to gain complete control over the KACE SMA, leading to the compromise of managed endpoints. The denial-of-service vulnerability disrupts IT operations. While the exact number of victims is unknown, the widespread use of KACE SMA across various sectors suggests a broad potential impact. Active exploitation reported as of March 2026 increases the urgency.

Recommendation

Apply the patches released by Quest for KACE SMA versions 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4) to remediate CVE-2025-32975, CVE-2025-32976, CVE-2025-32977, and CVE-2025-32978.
Upscale monitoring and detection capabilities to identify any related suspicious activity as recommended by CCB.
Implement the Sigma rule “Detect Unauthenticated Access Attempts to KACE SMA” to identify potential exploitation attempts targeting CVE-2025-32975.
Review web server logs for suspicious file uploads to detect potential exploitation of CVE-2025-32977.

Apache Artemis and ActiveMQ Artemis Authentication Bypass Vulnerability

hello@craftedsignal.io — Thu, 05 Mar 2026 09:31:38 +0000

On March 5, 2026, the Centre for Cybersecurity Belgium (CCB) issued a warning regarding CVE-2026-27446, a critical authentication bypass vulnerability affecting Apache Artemis and Apache ActiveMQ Artemis. This vulnerability stems from a lack of proper authentication controls within the Core protocol used for communication between brokers. Successful exploitation allows unauthenticated remote attackers to force a target broker to establish an outbound Core federation connection to a rogue broker…

Pelco Sarix Pro 3 Series IP Camera Authentication Bypass Vulnerability

hello@craftedsignal.io — Fri, 27 Feb 2026 10:00:00 +0000

Pelco Sarix Pro 3 Series IP Cameras are affected by an authentication bypass vulnerability (CVE-2026-1241) in their web management interface. The vulnerability stems from inadequate access control enforcement, allowing unauthorized access to certain functionalities without proper authentication. This issue impacts Sarix Professional IMP 3 Series, IXP 3 Series, IBP 3 Series, and IWP 3 Series IP Cameras with firmware versions equal to or less than 02.52. Successful exploitation can lead to…

Traefik ForwardAuth Authentication Bypass via X-Forwarded-Prefix Spoofing

hello@craftedsignal.io — Wed, 03 Jul 2024 12:00:00 +0000

A critical authentication bypass vulnerability impacts Traefik instances utilizing the ForwardAuth middleware with trustForwardHeader=false, when deployed behind a trusted upstream proxy. This vulnerability arises from Traefik’s failure to properly sanitize the X-Forwarded-Prefix header. Although Traefik correctly rebuilds other X-Forwarded-* headers like X-Forwarded-For and X-Forwarded-Host, it does not strip or rebuild X-Forwarded-Prefix. An attacker can inject a malicious X-Forwarded-Prefix value, which is then passed to the authentication service in the subrequest. If the authentication service relies on the X-Forwarded-Prefix header for authorization decisions, an attacker can bypass access controls and reach protected backend routes. This issue affects Traefik versions v2.11.x before v2.11.43, v3.6.x before v3.6.14, and v3.7.0-rc.1.

Attack Chain

An attacker sends a request with a crafted X-Forwarded-Prefix header (e.g., X-Forwarded-Prefix: /admin) to a trusted upstream proxy (e.g., nginx).
The trusted proxy forwards the request to the Traefik instance.
Traefik’s StripPrefix middleware processes the request, stripping a configured prefix (e.g., /forbidden) and appending it to the X-Forwarded-Prefix header using Header.Add.
The ForwardAuth middleware creates a subrequest to the authentication service, copying all incoming headers, including the attacker-controlled X-Forwarded-Prefix and the StripPrefix-added value.
The authentication service receives the subrequest with the concatenated X-Forwarded-Prefix values, where the attacker’s value appears first (e.g., X-Forwarded-Prefix: /admin, /forbidden).
The authentication service incorrectly uses the attacker-supplied /admin prefix to make authorization decisions.
The authentication service authorizes the request due to the spoofed prefix.
Traefik forwards the request to the protected backend route, granting the attacker unauthorized access.

Impact

Successful exploitation allows unauthenticated attackers to bypass access controls and gain unauthorized access to protected backend routes. This can lead to data breaches, unauthorized modification of resources, and other security compromises. The impact is especially severe in environments where StripPrefix is used before ForwardAuth, and where the authentication service relies heavily on the X-Forwarded-Prefix header for authorization decisions. The number of affected deployments is unknown but likely significant, given Traefik’s popularity as a reverse proxy and load balancer.

Recommendation

Upgrade to Traefik version v2.11.43, v3.6.14, or v3.7.0-rc.2 or later to patch the vulnerability.
As a workaround, if upgrading is not immediately feasible, configure your authentication service to validate and sanitize the X-Forwarded-Prefix header, ensuring it only trusts values originating from the trusted proxy.
Implement the following Sigma rule to detect suspicious requests with the X-Forwarded-Prefix header targeting the /forbidden path, indicating potential exploitation attempts.
Review and harden your Traefik configuration to ensure that the trustForwardHeader parameter is appropriately set based on your deployment environment and trust relationships.
Monitor Traefik access logs for suspicious activity, especially requests with unusual X-Forwarded-Prefix values, using the webserver log source.

Dgraph Unauthenticated Admin Token Disclosure via /debug/vars

hello@craftedsignal.io — Thu, 02 May 2024 12:00:00 +0000

Dgraph, a graph database, exposes sensitive information through an unauthenticated endpoint, /debug/vars, in versions prior to 25.3.3. The vulnerability arises because the admin token is often passed as a command-line argument using the --security "token=..." flag. This argument is exposed through the /debug/vars endpoint, which is enabled by default via Go’s expvar package. An attacker can retrieve this token without authentication and then use it to gain administrative privileges by including it in the X-Dgraph-AuthToken header of subsequent requests. This is a bypass of previous attempts to mitigate similar issues via /debug/pprof/cmdline, which were addressed incompletely. This issue impacts deployments where the Alpha HTTP port is reachable by untrusted parties, allowing for a full authentication bypass.

Attack Chain

An attacker sends an unauthenticated GET request to the /debug/vars endpoint on the Dgraph Alpha server (e.g., GET /debug/vars HTTP/1.1).
The server responds with a JSON payload containing the cmdline field.
The attacker parses the JSON response and extracts the value of the cmdline field.
The attacker searches the cmdline output for the --security token=... argument.
The attacker extracts the admin token from the --security argument string.
The attacker sends a request to an admin-only endpoint (e.g., GET /admin/config/cache_mb HTTP/1.1).
The attacker includes the extracted admin token in the X-Dgraph-AuthToken header of the request.
The Dgraph Alpha server validates the token, granting the attacker administrative access.

Impact

Successful exploitation allows an unauthenticated attacker to gain complete administrative control over the Dgraph database. This includes the ability to read and modify admin configurations, and perform operational control actions. In deployments where the Alpha HTTP port is publicly accessible, this vulnerability poses a significant risk, leading to potential data breaches, service disruption, and unauthorized manipulation of the database. While the number of affected deployments is not explicitly stated, any Dgraph instance running a vulnerable version with an exposed Alpha HTTP port is at risk.

Recommendation

Upgrade Dgraph to version 25.3.3 or later to address the vulnerability.
As a temporary workaround, restrict access to the Alpha HTTP port to trusted networks only.
Deploy the Sigma rule below to detect unauthorized access attempts to the /admin/config/cache_mb endpoint using the X-Dgraph-AuthToken header.
Deploy the Sigma rule below to detect access to /debug/vars endpoint.

PrefectHQ Prefect Authentication Bypass Vulnerability (CVE-2026-7723)

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

PrefectHQ Prefect, a workflow management system, is vulnerable to an authentication bypass vulnerability identified as CVE-2026-7723. The vulnerability exists in versions up to 3.6.13 and stems from a flaw within the /api/events/in WebSocket endpoint. A remote attacker can manipulate data sent to this endpoint, leading to a failure in authentication checks. This can allow the attacker to perform unauthorized actions within the Prefect system. The vulnerability was published on 2026-05-04 and a patch is available in version 3.6.14, specifically commit 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. Defenders should upgrade affected Prefect installations to version 3.6.14 or later to mitigate this risk.

Attack Chain

Attacker identifies a PrefectHQ Prefect instance running a vulnerable version (<= 3.6.13) with an exposed /api/events/in WebSocket endpoint.
The attacker crafts a malicious WebSocket message specifically targeting the /api/events/in endpoint.
The attacker sends the manipulated message to the /api/events/in endpoint.
Due to the vulnerability, the authentication checks within the WebSocket endpoint fail to properly validate the attacker’s identity.
The Prefect system incorrectly processes the attacker’s request as authenticated.
The attacker exploits this lack of authentication to execute unauthorized actions within the Prefect system. These actions could include modifying workflows, accessing sensitive data, or disrupting operations.
The attacker may further leverage their access to compromise other connected systems or data stores.

Impact

Successful exploitation of CVE-2026-7723 allows an unauthenticated remote attacker to bypass authentication mechanisms in PrefectHQ Prefect. This can lead to unauthorized access to sensitive data, modification of workflows, and disruption of critical business processes. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. The number of affected organizations depends on the adoption rate of PrefectHQ Prefect, but any organization running a vulnerable version is at risk.

Recommendation

Immediately upgrade PrefectHQ Prefect to version 3.6.14 or later to apply the patch (0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40) that resolves CVE-2026-7723.
Monitor web server logs for suspicious activity targeting the /api/events/in endpoint to detect potential exploitation attempts. Deploy the Sigma rule Detect PrefectHQ Auth Bypass Attempt to identify unusual requests to the vulnerable endpoint.
Implement network segmentation to limit the potential impact of a successful exploit by restricting access to sensitive resources from the Prefect server.

CoreDNS TSIG Authentication Bypass Vulnerability

hello@craftedsignal.io — Wed, 24 Jan 2024 12:00:00 +0000

CoreDNS versions prior to 1.14.3 contain a flaw in the handling of TSIG authentication for gRPC, QUIC, DoH, and DoH3 transports. Specifically, gRPC and QUIC transports only check for the presence of a TSIG key name without verifying the HMAC, while DoH and DoH3 transports unconditionally return a successful TSIG status. This vulnerability allows unauthenticated attackers to bypass TSIG authentication, potentially enabling unauthorized zone transfers, dynamic updates, and access to other TSIG-protected resources. This issue was identified in version 1.14.2 and prior, and affects deployments where TSIG authentication is relied upon for secure DNS operations over these transports.

Attack Chain

The attacker identifies a CoreDNS server using gRPC, QUIC, DoH, or DoH3 with TSIG authentication enabled.
For gRPC/QUIC, the attacker crafts a DNS request with a valid TSIG key name but a forged or invalid HMAC value. For DoH/DoH3, the attacker crafts a DNS request with any TSIG record.
The attacker sends the crafted request to the CoreDNS server via the affected transport (gRPC, QUIC, DoH, or DoH3).
CoreDNS receives the request and processes the TSIG information. For gRPC/QUIC, CoreDNS checks if the TSIG key name exists in the configuration. For DoH/DoH3, the transport layer reports successful TSIG verification without performing actual verification.
The TSIG check passes due to the vulnerability: either HMAC is not validated (gRPC/QUIC) or TSIG status is unconditionally reported as valid (DoH/DoH3).
The request is passed to the appropriate plugin, bypassing TSIG authentication requirements.
The attacker gains access to TSIG-protected functionality, such as AXFR/IXFR zone transfers or dynamic DNS updates.
The attacker exfiltrates zone data or modifies DNS records, depending on the enabled functionality.

Impact

Successful exploitation of this vulnerability can allow unauthenticated attackers to perform unauthorized actions on the affected CoreDNS server. This can lead to the exposure of sensitive zone data via AXFR/IXFR, unauthorized modification of DNS records through dynamic updates, or other bypasses of TSIG-gated plugin behavior. The DoH and DoH3 variants pose a higher risk because they do not even require a valid TSIG key name to be known. The impact depends on the specific TSIG-protected functionality enabled on the CoreDNS server and the sensitivity of the data being protected.

Recommendation

Upgrade CoreDNS to version 1.14.3 or later to patch CVE-2026-35579.
If upgrading is not immediately possible, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required as suggested in the advisory.
Implement network-level access controls to restrict access to gRPC, QUIC, DoH, and DoH3 ports to trusted sources only, as recommended in the advisory.
Deploy the Sigma rule “Detect CoreDNS AXFR Request over DoH with Forged TSIG” to identify potential exploitation attempts.

WebPros cPanel & WHM and WP2 Authentication Bypass Vulnerability (CVE-2026-41940)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) are affected by an authentication bypass vulnerability, identified as CVE-2026-41940. This flaw exists within the login flow, potentially granting unauthenticated remote attackers unauthorized access to the control panel. Successful exploitation allows attackers to bypass normal authentication mechanisms and directly access sensitive administrative functions within cPanel & WHM and WP2. Defenders should apply vendor-provided mitigations or discontinue use of the product if mitigations are not available. The vulnerability was disclosed in April 2026, and mitigations should be applied by May 3, 2026.

Attack Chain

The attacker identifies a vulnerable cPanel & WHM or WP2 instance.
The attacker crafts a malicious HTTP request exploiting the authentication bypass vulnerability in the login flow.
The request is sent to the target server, bypassing authentication checks.
The server incorrectly processes the request, granting the attacker an authenticated session.
The attacker leverages the authenticated session to access administrative interfaces and settings.
The attacker modifies server configurations, potentially creating new administrative accounts.
The attacker installs malicious plugins or software through the control panel.
The attacker achieves full control over the web server and hosted websites.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of the affected cPanel & WHM or WP2 server. This can result in data breaches, website defacement, malware distribution, and denial-of-service attacks. The impact is significant due to the widespread use of cPanel & WHM in web hosting environments. Compromised servers could be leveraged for further attacks against other systems and networks.

Recommendation

Apply mitigations provided by WebPros as detailed in their security update advisory to address CVE-2026-41940.
Deploy the Sigma rule “Detect cPanel/WHM Authentication Bypass Attempt” to identify potential exploitation attempts in web server logs.
If mitigations cannot be immediately applied, follow BOD 22-01 guidance for cloud services, potentially isolating the affected system until patched.
Consider discontinuing use of the affected product if patches or mitigations are unavailable, as advised in the original CISA KEV entry.

PaperCut NG/MF Improper Authentication Vulnerability (CVE-2023-27351)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

CVE-2023-27351 is a critical improper authentication vulnerability affecting PaperCut NG/MF. The vulnerability exists within the SecurityRequestFilter class, enabling remote attackers to bypass authentication mechanisms. This bypass can lead to unauthorized access to sensitive functionalities within the PaperCut NG/MF application. Publicly available reports indicate that this vulnerability is being actively exploited, including instances of ransomware deployment following successful exploitation. Due to the ease of exploitation and the potentially severe consequences, organizations using affected versions of PaperCut NG/MF are urged to apply mitigations immediately.

Attack Chain

Attacker identifies a vulnerable PaperCut NG/MF instance accessible over the network.
The attacker crafts a malicious HTTP request targeting the SecurityRequestFilter class.
The crafted request exploits the improper authentication vulnerability (CVE-2023-27351), bypassing normal authentication checks.
Upon successful authentication bypass, the attacker gains unauthorized access to the PaperCut NG/MF application with elevated privileges.
The attacker leverages the gained access to upload malicious scripts or binaries to the PaperCut server.
The attacker executes the uploaded payload, initiating the ransomware encryption process or other malicious activities.
Ransomware encrypts sensitive data on the PaperCut server and potentially spreads to other connected systems.
The attacker demands a ransom payment for the decryption key.

Impact

Successful exploitation of CVE-2023-27351 allows attackers to bypass authentication, gain unauthorized access, and potentially deploy ransomware. This can result in significant data loss, disruption of print services, and financial losses due to ransom demands and recovery efforts. The vulnerability is known to be actively exploited, increasing the risk to organizations using affected PaperCut NG/MF installations.

Recommendation

Apply mitigations provided by PaperCut, referencing their knowledge base articles PO-1216 and PO-1219.
Deploy the Sigma rules provided below to detect potential exploitation attempts against the SecurityRequestFilter class.
Follow applicable BOD 22-01 guidance for cloud services if the PaperCut instance is cloud-hosted.

Note Mark OIDC Authentication Bypass via Hardcoded Password

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

A critical authentication bypass vulnerability affects note-mark deployments configured with OIDC authentication. The vulnerability stems from the IsPasswordMatch function in backend/db/models.go, which falls back to a hardcoded bcrypt("null") hash when a user has no stored password. This occurs because OIDC-registered users are created with an empty password. As a result, any attacker can authenticate as an OIDC user by submitting the password “null” to the internal login endpoint (POST /api/auth/token). This issue affects note-mark version 0.19.2 and potentially earlier versions. The default configuration ships with both authentication paths side-by-side, so any site that turns on OIDC is affected, allowing for potential account takeover and data exfiltration.

Attack Chain

An attacker identifies a note-mark instance with OIDC enabled and internal login enabled (default configuration). The attacker can confirm this by accessing /api/info.
The attacker enumerates valid usernames via the /api/users/search endpoint (anonymous user search enabled by default).
The attacker sends a POST request to /api/auth/token with the target username and password “null”.
The IsPasswordMatch function in backend/db/models.go is called. Since OIDC-registered users have an empty password, the function uses the nullPasswordHash.
The bcrypt.CompareHashAndPassword function compares nullPasswordHash with the provided password “null”, resulting in a successful match.
The server issues an Auth-Session-Token cookie to the attacker.
The attacker uses the valid session cookie to access the target user’s account via /api/users/me or other authenticated endpoints.
The attacker persists access by updating the target user’s password via PUT /api/users/me/password using “null” as the existing password, locking out the legitimate user and gaining persistent access.

Impact

Successful exploitation of this vulnerability allows an attacker to fully take over OIDC-only user accounts on affected note-mark deployments. This includes reading private notebooks, note markdown, and uploaded assets. An attacker can also write, edit, or delete anything the compromised user owns, leading to significant data loss and confidentiality breaches. The vulnerability is especially severe due to the default configuration enabling both OIDC and internal login paths, making it easy for attackers to exploit.

Recommendation

Apply the recommended fix by rejecting the login path for users with no stored password in backend/services/auth.go and backend/services/users.go as detailed in the advisory. This directly addresses the vulnerability by preventing authentication with the “null” password.
Monitor network traffic for POST requests to /api/auth/token with a request body containing "password":"null" to identify potential exploitation attempts using the provided Sigma rule.
Consider disabling internal logins (EnableInternalLogin) if OIDC is the sole authentication method used, mitigating the risk by removing the vulnerable login path.

666ghj MiroFish REST API Authentication Bypass (CVE-2026-7042)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

A critical authentication bypass vulnerability, tracked as CVE-2026-7042, has been identified in 666ghj MiroFish software up to version 0.1.2. The vulnerability lies within the create_app function of the backend/app/__init__.py file, which manages the REST API Endpoint. A remote attacker can exploit this flaw by manipulating specific parameters within API requests, effectively bypassing authentication mechanisms. This allows unauthorized access to sensitive functionalities and data. Public exploits are available, increasing the risk of widespread exploitation. The vendor was notified, but has not yet responded.

Attack Chain

The attacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.
The attacker crafts a malicious HTTP request targeting the REST API Endpoint.
The crafted request manipulates parameters intended for the create_app function, specifically designed to bypass authentication checks.
The vulnerable create_app function fails to properly validate the request due to the missing authentication check.
The application grants unauthorized access to protected resources or functionalities.
The attacker performs unauthorized actions, such as data exfiltration, modification, or deletion, depending on the exposed API endpoints.
The attacker leverages the initial access to further compromise the system or pivot to other internal resources.

Impact

Successful exploitation of CVE-2026-7042 allows an attacker to bypass authentication controls in MiroFish applications. This can lead to unauthorized access to sensitive data, modification of application settings, or complete system compromise. The lack of authentication on the REST API endpoint can have severe implications for data confidentiality, integrity, and availability. Given the availability of a public exploit, affected organizations are at immediate risk.

Recommendation

Monitor web server logs for suspicious HTTP requests targeting the REST API Endpoint with unusual parameters, using the provided Sigma rule that detects anomalous HTTP methods in webserver logs.
Apply any available patches or updates from 666ghj to address CVE-2026-7042 immediately.
Review the affected backend/app/__init__.py file for authentication logic flaws and implement necessary security measures.