Tag
npm PraisonAI AgentOS Unauthenticated API Exposure
2 rules, 4 TTPs
The npm `praisonai` package's TypeScript `AgentOS` HTTP server defaults to `0.0.0.0` and exposes unauthenticated API endpoints (`/api/agents`, `/api/chat`), allowing attackers to disclose agent configurations and invoke agents without authorization, leading to potential data exfiltration, unauthorized actions, and resource consumption.
PraisonAI Call Server Unauthenticated Agent Control API
2 rules, 2 TTPs
PraisonAI's call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured, allowing attackers to list, inspect, invoke, and unregister agents due to a fail-open authentication default and a default binding to `0.0.0.0`, as tracked by CVE-2026-47396.
Formie Unauthenticated Submission Editing Vulnerability (CVE-2026-47266)
1 rule, 1 CVE, 1 IOC
An unauthenticated user can modify existing Formie submissions by posting a known or guessed submission ID to `formie/submissions/save-submission`, affecting versions prior to 2.2.21 and versions 3.0.0 to 3.1.26.
FUXA Unauthenticated Project Data Disclosure Vulnerability
2 rules, 1 TTP
FUXA v1.3.0-2773 is vulnerable to unauthenticated project data disclosure (CVE-2026-47717) via the `/api/project` endpoint, exposing sensitive configuration data such as scripts and device settings, even with security enabled.
CVE-2026-3660: IBM Engineering Lifecycle Management Unauthenticated Remote Access
2 rules, 1 TTP, 1 CVE
IBM Engineering Lifecycle Management versions 7.0.3 through Interim Fix 021, 7.1.0 through Interim Fix 009, and 7.2.0 through Interim Fix 001 are vulnerable to an unauthenticated remote attacker who can update server property files, leading to unauthorized access to the application.
camofox-mcp Unauthenticated HTTP MCP Endpoint
2 rules
camofox-mcp exposed an unauthenticated HTTP MCP endpoint, allowing remote clients to invoke browser-control tools without authentication, potentially leading to unauthorized browser automation and data access.
Coder Azure Instance Identity PKCS#7 Signature Bypass Leads to Unauthenticated Agent Token Theft (CVE-2026-46354)
3 rules, 3 TTPs
Coder is vulnerable to a PKCS#7 signature bypass in Azure instance identity (CVE-2026-46354), allowing unauthenticated agent token theft via a forged vmId, enabling access to Git SSH private keys, OAuth access tokens, and workspace secrets.
Penpot MCP REPL Server Unauthenticated Remote Code Execution
2 rules, 1 TTP
The Penpot MCP module's ReplServer binds to all interfaces and exposes an unauthenticated `/execute` endpoint, allowing remote attackers to execute arbitrary code by sending a POST request containing JavaScript code, leading to potential information disclosure and command execution.
Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File/Directory Listing
2 rules, 1 TTP
A local exploit has been published for Remote Sunrise Helper for Windows 2026.14, detailing an unauthenticated file/directory listing vulnerability. Successful exploitation allows unauthenticated attackers to list files and directories on the affected system.
MCPHub User Impersonation Vulnerability via Unauthenticated SSE Endpoint
2 rules, 3 TTPs
MCPHub is vulnerable to user identity spoofing on the MCP transport layer: an unauthenticated network user can impersonate any user, including administrators, on SSE/MCP endpoints by providing the target username in the URL path, which allows execution of MCP tool calls under the spoofed user's identity, access to user-scoped resources and data, and poisoning of audit logs.
Siemens SIMATIC HMI Unified Comfort Panels Unauthenticated Access Vulnerability
2 rules, 1 TTP, 1 CVE
Siemens SIMATIC HMI Unified Comfort Panels before V21.0 are vulnerable to unauthenticated access via the help link and Control Panel (CVE-2026-27662), potentially leading to unauthorized configuration changes and discovery of backdoors.
CVE-2026-4029: Database Backup for WordPress Plugin Unauthorized Database Export
2 rules, 1 TTP, 1 CVE
The Database Backup for WordPress plugin up to version 2.5.2 is vulnerable to unauthorized database export due to improper authorization enforcement, allowing unauthenticated attackers to export database tables in WordPress Multisite environments.
Dalfox Server Mode Unauthenticated Arbitrary File Read
2 rules, 3 TTPs
Dalfox server mode is vulnerable to an unauthenticated arbitrary file read with out-of-band exfiltration via the `custom-payload-file` parameter, allowing attackers to read sensitive files on the host.
free5GC NEF nnef-pfdmanagement API Unauthenticated Access Vulnerability
2 rules, 1 TTP, 4 IOCs
free5GC's NEF nnef-pfdmanagement API is vulnerable to unauthenticated access, allowing attackers with network access to read PFD data and create/delete PFD subscriptions using forged bearer tokens, due to the absence of inbound OAuth2/bearer-token authorization.
OneUptime Unauthenticated Endpoint Access Vulnerability (CVE-2026-34758)
2 rules, 1 TTP, 1 CVE
OneUptime versions prior to 10.0.42 are vulnerable to unauthenticated access to Notification test and Phone Number management endpoints, leading to potential abuse of SMS, Call, Email, and WhatsApp functionality and to unauthorized phone number purchases; the issue is fixed in version 10.0.42.
gmaps-mcp Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls
2 rules, 1 IOC
The gmaps-mcp package allows unauthenticated access to Google Maps API calls when deployed with a blank `MCP_API_KEY`, potentially leading to significant financial costs for the operator; it also permits path injection attacks.
phpMyFAQ Unauthenticated FAQ Permission Bypass via Solution ID Enumeration
2 rules, 1 TTP
phpMyFAQ version 4.1.1 and earlier is vulnerable to an unauthenticated FAQ permission bypass, allowing attackers to enumerate solution IDs and discover restricted FAQ titles due to missing permission filters in key functions.
Nginx-UI Unauthenticated Bootstrap Takeover
2 rules, 1 TTP, 1 IOC
Nginx-UI version 2.3.5 is vulnerable to an unauthenticated takeover via the `/api/install` endpoint during the initial setup window, allowing a remote attacker to claim administrative control of a fresh instance.