21 matches found
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
Summary: If you have the MCP Server ID, you can connect to the MCP server even if you don't have permissions to the server. The MCP gateway endpoint /mcp-connect/mcpid does not enforce Access Control Rules (ACRs). Any authenticated Obot user who possesses an MCP Server ID can connect to that server...
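The class of bug in the Obot entry above is an authorization step that is missing between "is the caller authenticated" and "does the object exist", so possession of an identifier is enough. The following Go example is added here to show the flawed gate beside the corrected one; it is not Obot's code, and the types, function names and sample data (User, MCPServer, AccessControlRule, Gateway, "srv-finance", "alice", "mallory") are constructed for illustration only.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal in-memory model, constructed for this example. The names below
// (User, MCPServer, AccessControlRule, Gateway) are illustrative, not Obot's.
type User struct {
	ID            string
	Authenticated bool
}

type MCPServer struct {
	ID   string
	Name string
}

// AccessControlRule lists the users permitted to connect to one server.
type AccessControlRule struct {
	ServerID     string
	AllowedUsers map[string]bool
}

type Gateway struct {
	servers map[string]MCPServer
	acrs    map[string]AccessControlRule // keyed by server ID
}

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrNotFound        = errors.New("mcp server not found")
	ErrForbidden       = errors.New("forbidden by access control rules")
)

// ConnectInsecure reproduces the flawed pattern: the only gates are "is the
// caller logged in" and "does the server ID exist". Anyone who learns the ID
// can connect, which is the bypass class described in the advisory.
func (g *Gateway) ConnectInsecure(u User, serverID string) (MCPServer, error) {
	if !u.Authenticated {
		return MCPServer{}, ErrUnauthenticated
	}
	s, ok := g.servers[serverID]
	if !ok {
		return MCPServer{}, ErrNotFound
	}
	return s, nil
}

// ConnectWithACR adds the missing authorization step: after the lookup,
// deny unless an ACR for that server explicitly grants this user access.
// Default-deny means a server with no rule at all is unreachable.
func (g *Gateway) ConnectWithACR(u User, serverID string) (MCPServer, error) {
	if !u.Authenticated {
		return MCPServer{}, ErrUnauthenticated
	}
	s, ok := g.servers[serverID]
	if !ok {
		return MCPServer{}, ErrNotFound
	}
	rule, hasRule := g.acrs[serverID]
	if !hasRule || !rule.AllowedUsers[u.ID] {
		return MCPServer{}, ErrForbidden
	}
	return s, nil
}

// NewDemoGateway builds constructed sample data: two servers, one of which
// ("srv-finance") is restricted to alice by an ACR; "srv-orphan" has no rule.
func NewDemoGateway() *Gateway {
	return &Gateway{
		servers: map[string]MCPServer{
			"srv-finance": {ID: "srv-finance", Name: "finance-tools"},
			"srv-orphan":  {ID: "srv-orphan", Name: "no-rule-configured"},
		},
		acrs: map[string]AccessControlRule{
			"srv-finance": {ServerID: "srv-finance", AllowedUsers: map[string]bool{"alice": true}},
		},
	}
}

func main() {
	g := NewDemoGateway()
	mallory := User{ID: "mallory", Authenticated: true}
	for _, f := range []struct {
		name string
		fn   func(User, string) (MCPServer, error)
	}{
		{"insecure", g.ConnectInsecure},
		{"with-acr", g.ConnectWithACR},
	} {
		_, err := f.fn(mallory, "srv-finance")
		fmt.Printf("%s: mallory -> srv-finance: err=%v\n", f.name, err)
	}
}
```

The secure variant keeps the existence check before the ACR check so the server lookup and the rule lookup are both keyed on the same ID; whether to collapse ErrNotFound and ErrForbidden into one response to avoid confirming valid IDs is a separate design decision a gateway would make at the HTTP layer.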
PT-2026-38469
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may...
MiracleLinux 7 : pki-core-10.5.1-13.1.el7 (AXSA:2018-3231:02)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2018-3231:02 advisory. pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (CVE-2018-1080). Tenable has extracted the preceding...
EUVD-2010-0320
Malware in sbrugna...
EUVD-2025-24848
Malicious code in bioql PyPI...
CVE-2025-20219
A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been block...
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Rules Bypass Vulnerability
A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been block...
PT-2025-33319 · Cisco · Cisco Secure Firewall Threat Defense (Ftd) +1
Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software (affected versions not specified). Description: A vulnerability exists in the implementation of access control rules for loopbac...
ROS-20250707-02
Vulnerability in the prefix-based ACL policy search mechanism of Nomad application orchestrator is related to incorrect assignment of access control rules. Exploitation of the vulnerability could allow an attacker, acting remotely, to bypass existing security mechanisms by creating a job with a...
User can copy a folder that contains files that are blocked by the files access control
None...
freeipa: delegation rules allow a proxy service to impersonate any user to access another target service
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate function: If the target service...
OpenSearch security vulnerability
OpenSearch Project is a community-driven, Apache 2.0 licensed open source search and analytics suite that makes it easy to access, search, visualize and analyze data. A security vulnerability exists in OpenSearch versions 1.3.10 and 2.7.0 that stems from a problem with...
Siemens SCALANCE X Authentication Bypass (CVE-2019-13933)
A vulnerability has been identified in SCALANCE X204RNA HSR, SCALANCE X204RNA PRP, SCALANCE X204RNA EEC HSR, SCALANCE X204RNA EEC PRP, SCALANCE X204RNA EEC PRP/HSR, SCALANCE X302-7 EEC 230V, SCALANCE X302-7 EEC 230V, coated, SCALANCE X302-7 EEC 24V, SCALANCE X302-7 EEC 24V, coated, SCALANCE X302-...
CVE-2022-41918
OpenSearch has a vulnerability where fine-grained access controls (document-level security, field-level security, and field masking) are not correctly applied to the indices backing data streams, potentially allowing incorrect access authorization. The issue affects OpenSearch prior to the patche...
Improper access control
In multiple Tecson Tankspion and GOKs SmartBox 4 products the affected application doesn't properly restrict access to an endpoint that is responsible for saving settings, to an unauthenticated user with limited access rights. Based on the lack of adequately implemented access-control rules, by...
CVE-2021-43337
SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=jobscript and/or jobenv options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access...
Design/Logic Flaw
SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=jobscript and/or jobenv options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access...
CVE-2018-11787
Prior to Karaf 3.0.9, Karaf 4.0.9, and Karaf 4.1.1, HTTP endpoints published by Karaf features may also be published under the HTTP web root, in addition to the paths specifically configured by the installed feature. Authentication and access control rules may not cover this additional path,...
Cross-site request forgery (CSRF)
Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown...
CVE-2010-0289
Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown...