Attack Chain

1. An attacker identifies an application utilizing affected Clerk packages and vulnerable authorization checks.
2. The attacker targets an endpoint protected by a combined authorization check (e.g., requiring a specific role and reverification).
3. The attacker crafts a request that satisfies one, but not all, of the authorization conditions.
4. Due to the bypass vulnerability, the has() or auth.protect() predicate incorrectly returns true.
5. The application grants the attacker access to the protected resource or functionality.
6. In the case of the @clerk/nextjs bypass, the attacker might exploit the silent discarding of authorization parameters when unauthenticatedUrl, unauthorizedUrl, or token are also present in the auth.protect() call, effectively bypassing authorization.
7. The attacker performs unauthorized actions, such as modifying data or accessing restricted areas of the application.

Impact

Successful exploitation of this vulnerability could lead to unauthorized access to sensitive resources and functionalities within applications using Clerk for authentication and authorization. This could result in data breaches, privilege escalation, and other security incidents. The vulnerability affects a wide range of Clerk packages, potentially impacting a significant number of applications relying on Clerk for access control. Immediate patching is crucial to mitigate the risk of exploitation.

Recommendation

• Upgrade to the latest patch release of the consuming app’s framework package as specified in the advisory to remediate CVE-2026-42349.
• If immediate upgrade is not feasible, implement the suggested workaround of splitting combined has() or auth.protect() calls into sequential single-condition checks as described in the advisory.
• Deploy the Sigma rule ClerkAuthProtectBypass to detect potential exploitation attempts by monitoring for calls to auth.protect that include unauthenticatedUrl, unauthorizedUrl, or token parameters.
• Deploy the Sigma rule ClerkCombinedAuthCheckBypass to identify suspicious process creation events that may indicate unauthorized access due to the authorization bypass.

Attack Chain

1. An attacker authenticates to the Better Auth application with a low-privilege account.
2. The attacker crafts a POST request to either /api/auth/oauth2/create-client or a custom endpoint that routes to adminCreateOAuthClient.
3. The attacker includes parameters for client_name, redirect_uris, and other client metadata within the POST request body.
4. The createOAuthClientEndpoint function is called without first performing a clientPrivileges authorization check.
5. A new OAuth client is created and persisted in the system.
6. The attacker now controls a registered OAuth client with attacker-defined redirect URIs.
7. The attacker can potentially use this client for phishing attacks or to bypass consent flows if skip_consent is enabled (if adminCreateOAuthClient is exposed).
8. The attacker exploits the newly created OAuth client to gain unauthorized access to resources or user data.

Impact

This vulnerability allows unauthorized users to create OAuth clients, potentially leading to several negative consequences. Attackers can register clients with malicious redirect URIs, which can be used in phishing campaigns to steal user credentials or OAuth tokens. In scenarios where the adminCreateOAuthClient endpoint is exposed, attackers can create clients that bypass user consent, further increasing the risk of successful attacks. The impact is significant because it breaks the intended access control mechanism of the clientPrivileges configuration, affecting applications that rely on it to restrict client registration. Successful exploitation can lead to unauthorized access to user data, compromised accounts, and damaged trust in the application.

Recommendation

• Monitor web server logs for POST requests to the /api/auth/oauth2/create-client endpoint, especially from users who should not have client creation privileges. Implement the “Detect Unauthorized OAuth Client Creation Attempt” Sigma rule below, using webserver logs (category: “webserver”, product: “linux”).
• Apply the necessary patches to upgrade @better-auth/oauth-provider to a version that addresses this vulnerability (>= 1.6.5 or >= 1.7.0-beta.2).
• Audit your application’s OAuth client registration process to ensure that the clientPrivileges check is enforced correctly.
• If using adminCreateOAuthClient, ensure it is not exposed to low-privilege authenticated users to prevent the skip_consent bypass.
• Deploy the “Detect OAuth Client Creation with Skip Consent” Sigma rule if your deployment exposes the admin client creation endpoint.

Attack Chain

1. An attacker identifies a Fastify application using @fastify/middie version 9.3.1 or earlier with the ignoreDuplicateSlashes option enabled.
2. The attacker crafts a malicious HTTP request targeting a protected resource. The request URI includes duplicate slashes (e.g., /api//resource).
3. The request is received by the Fastify server.
4. Fastify’s router normalizes the duplicate slashes in the URI before passing it to the middleware.
5. The middleware’s path matching logic fails to correctly handle the normalized URI due to the ignoreDuplicateSlashes setting.
6. As a result, the request bypasses the intended authentication and/or authorization checks implemented by the middleware.
7. The request reaches the targeted resource, which is processed by the application.
8. The attacker gains unauthorized access to the resource, potentially leading to data breaches, privilege escalation, or other malicious activities.

Impact

Successful exploitation of this vulnerability allows attackers to bypass authentication and authorization controls, potentially gaining unauthorized access to sensitive data or functionality within the Fastify application. The severity of the impact depends on the nature of the protected resources and the extent of the attacker’s access. This could lead to data breaches, privilege escalation, or other malicious activities. The number of potential victims is dependent on the number of applications using the vulnerable version of @fastify/middie with the ignoreDuplicateSlashes option enabled.

Recommendation

• Upgrade @fastify/middie to version 9.3.2 or later to patch the vulnerability described in CVE-2026-33804.
• Disable the ignoreDuplicateSlashes option in Fastify configurations as an alternative mitigation.
• Deploy the Sigma rule DetectFastifyMiddieBypassAttempt to identify potential exploitation attempts based on duplicate slashes in the request URI.

Attack Chain

1. User attempts to log in with valid username and password.
2. The application, running a vulnerable version of better-auth with session.cookieCache enabled, creates a session.
3. The session is cached due to the session.cookieCache setting, before the 2FA challenge is presented.
4. The user is prompted for their second factor (e.g., TOTP code).
5. Instead of providing the 2FA code, the attacker intercepts or reuses the cached session cookie.
6. The attacker presents the cached session cookie to the application.
7. The application retrieves the cached session, which it prematurely considers valid.
8. The attacker gains access to protected resources without completing 2FA.

Impact

Successful exploitation of this vulnerability allows attackers with valid usernames and passwords to bypass two-factor authentication, gaining unauthorized access to sensitive application resources. The number of affected applications is unknown, but all applications using better-auth with 2FA and session caching are potentially at risk. A successful attack could lead to data breaches, account takeovers, and other serious security incidents.

Recommendation

• Upgrade to better-auth version 1.4.9 or later to patch the vulnerability.
• Disable session.cookieCache when using two-factor authentication as a temporary mitigation.
• If disabling session.cookieCache is not feasible, implement server-side checks to ensure 2FA is completed before granting full session validity (requires code modification).

Attack Chain

1. Attacker identifies a Docker environment utilizing an AuthZ plugin that relies on request body inspection for authorization.
2. Attacker crafts a malicious Docker API request targeting a sensitive resource or action.
3. The attacker inflates the request body to exceed a size threshold that triggers the bypass behavior.
4. The Docker daemon receives the oversized API request.
5. Due to the vulnerability, the Docker daemon forwards the request to the AuthZ plugin without the request body.
6. The AuthZ plugin, lacking the request body, makes an authorization decision based on incomplete information.
7. The AuthZ plugin, unable to properly validate the request, grants access to the sensitive resource or action.
8. The attacker successfully executes the unauthorized action, bypassing the intended security controls.

Impact

This vulnerability primarily impacts Docker environments that utilize authorization plugins and rely on request body inspection for access control decisions. If exploited successfully, an attacker can bypass the intended authorization mechanisms, potentially leading to unauthorized access to sensitive resources, data breaches, or other malicious activities within the containerized environment. The severity is high for affected installations, however, the base likelihood of exploitation is low, and only impacts those using AuthZ plugins.

Recommendation

• Upgrade to Moby version 29.3.1 or later to address the vulnerability. This resolves the incomplete fix for CVE-2024-41110 and prevents the AuthZ bypass.
• For environments where immediate upgrades are not possible, avoid using AuthZ plugins that rely on request body inspection for security decisions as described in the overview.
• Restrict access to the Docker API to trusted parties following the principle of least privilege to reduce the attack surface.

Attack Chain

1. Attacker crafts a malicious payload.
2. Attacker packages the payload into a TAR archive.
3. The TAR archive is nested inside another TAR archive.
4. The nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.
5. The 7-Zip archive is packaged into a CAB archive using makecab.exe.
6. The CAB archive is distributed to the victim, potentially via phishing or drive-by download.
7. The victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.
8. The payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.

Impact

Successful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.

Recommendation

• Implement detections for unusual process chains involving makecab.exe, 7z.exe, and tar.exe as these tools are used in the bypass (see Sigma rule “Detect Suspicious Archive Chaining”).
• Monitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule “Detect Archive Extraction from Downloaded CAB”).
• Analyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.
• Block the URL https://youtu.be/pQxiPwGTBL8 to prevent users from accessing potentially malicious content related to this bypass.

Attack Chain

While the specifics of the attack chain depend on the bypass technique detailed in the linked article, a general attack chain for Credential Guard bypass might look like this:

1. Initial Access: The attacker gains initial access to the system through methods such as phishing, exploiting a vulnerability, or using stolen credentials.
2. Privilege Escalation: The attacker escalates privileges to Administrator or SYSTEM level, often required to perform actions that interact with Credential Guard.
3. Credential Guard Check: The attacker probes the system to determine if Credential Guard is enabled and active.
4. Bypass Technique Execution: The attacker executes a specific Credential Guard bypass technique, potentially involving kernel-level exploits, direct memory access, or manipulation of VBS.
5. Credential Theft: After successfully bypassing Credential Guard, the attacker attempts to access the protected credentials, such as NTLM hashes, Kerberos tickets, or other secrets.
6. Credential Decryption/Use: The attacker decrypts or utilizes the stolen credentials to impersonate users, gain access to network resources, or perform other malicious activities.
7. Lateral Movement: The attacker uses the compromised credentials to move laterally to other systems within the network.
8. Objective Completion: The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or system disruption.

Impact

A successful Credential Guard bypass can lead to widespread compromise within an organization. Attackers can gain access to sensitive data, move laterally across the network, and escalate privileges to domain administrator. Depending on the environment, this could result in significant financial loss, reputational damage, and disruption of business operations. Organizations across various sectors are vulnerable if they rely on Credential Guard as a primary defense against credential theft.

Recommendation

• Investigate the linked article (https://ipurple.team/2026/03/17/credential-guard/) to understand the specific bypass techniques and indicators discussed.
• Enable and review Windows event logs related to virtualization-based security (VBS) and Credential Guard for anomalies that might indicate bypass attempts.
• Deploy the Sigma rules in this brief to your SIEM to detect potential Credential Guard bypass attempts based on suspicious process creation and registry modifications.

Attack Chain

1. An attacker compromises or gains access to a non-admin user account within Admidio that possesses hasRightEditProfile() permission over an administrator account.
2. The attacker crafts a POST request to /adm_program/modules/profile/two_factor_authentication.php with the mode parameter set to reset and the user_uuid parameter set to the UUID of the target administrator account.
3. The server-side script modules/profile/two_factor_authentication.php executes the flawed authorization check at line 84. Due to the inverted logic (!== instead of ===), the check incorrectly grants permission to the non-admin user to reset the administrator’s 2FA.
4. The server removes the TOTP configuration associated with the administrator’s account from the database or configuration files.
5. The attacker can now attempt to log in to the administrator account using only the password, bypassing the 2FA requirement.
6. If the attacker knows or can guess the administrator’s password (via credential stuffing, brute force, or other means), they successfully gain access to the account.
7. With administrator privileges, the attacker can perform a variety of malicious actions, such as creating new accounts, modifying website content, or accessing sensitive data.

Impact

The vulnerability allows attackers to bypass two-factor authentication on administrator accounts in Admidio installations. This can lead to unauthorized access to sensitive data, modification of website content, and potentially full control over the affected system. While the number of affected installations is unknown, organizations using vulnerable versions of Admidio are at risk. Success of the attack results in complete compromise of the Admidio instance and the data it manages.

Recommendation

• Apply the recommended fix by changing !== to === on line 84 of modules/profile/two_factor_authentication.php to correct the authorization logic (see Overview).
• Deploy the Sigma rule Detect Admidio 2FA Reset Request to detect attempts to exploit this vulnerability by monitoring HTTP POST requests to the vulnerable endpoint (see Rules).
• Upgrade Admidio to a patched version that incorporates the fix for CVE-2026-41660.