4191 matches found
Authentication Bypass by Primary Weakness
Overview: Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the findfastapivalidator function. An attacker can gain unauthorized access to sensitive API endpoints by sending requests to non-/gateway/ paths when the server is started with authenticati...
Authentication Bypass by Primary Weakness
Overview: mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the...
MLflow: unauthenticated access to certain FastAPI routes
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-2652
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-2652
Summary (CVE-2026-2652): In mlflow/mlflow
CVE-2026-2652 Authentication Bypass in mlflow/mlflow
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
PT-2026-41398
Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.1. Description: Budibase contains a route-level authorization misconfiguration where the endpoint "PUT /api/datasources/:datasourceId" is incorrectly assigned to the authorizedRoutes group with TABLE/READ...
CVE-2025-62312
HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices...
CVE-2026-44514
Kubetail vulnerability (CVE-2026-44514) is a CSWSH flaw where the WebSocket endpoints exposed by the dashboard before 0.14.0 did not properly validate the Origin header, allowing an attacker to read authenticated users’ Kubernetes logs via a malicious page. Affected components and versions: Kubetail Das...
EUVD-2025-209855
HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices...
CVE-2025-62312 HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication
HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices...
CVE-2025-62312
Technical details about CVE-2025-62312 are not publicly available in the provided documents. The materials describe basic authentication usage but do not specify affected products, versions, root cause, or remediation. Monitor for updates.
Brute Force
Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Brute Force due to the use of the checkBasicAuth function for checking credentials. An attacker can enumerate valid credentials by sending repeated authentication attempts without restriction, exploiting th...
NPM: FlowiseAI Exposes Basic Auth Credentials via API
NPM: FlowiseAI Exposes Basic Auth Credentials via API vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
GHSA-PHP6-83FG-GW3G FlowiseAI Exposes Basic Auth Credentials via API
Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Severity | Medium | | CWE | CWE-522 Insufficiently Protected Credentials | | Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 | | Practical Exploitability | Medium | | Developer Approv...
CVE-2026-8181
CVE-2026-8181 affects Burst Statistics – Privacy-Friendly WordPress Analytics (v3.4.0–3.4.1.1). Root cause: is_mainwp_authenticated() passes authentication when wp_authenticate_application_password() returns null outside the REST API, because the code only checks for WP_Error. This allows an unau...