5 matches found
CVE-2026-44830
CVE-2026-44830 affects Nocturne Memory prior to 2.4.1. When API_TOKEN is unset or empty, BearerTokenAuthMiddleware does not enforce authentication for all HTTP requests. Coupled with a default 0.0.0.0 host binding and CORS allow_origins=[""], this lets any LAN-reachable client access the Knowledg...
PT-2026-44001
Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow origins="...
CVE-2026-32730 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...
CVE-2026-32730
CVE-2026-32730 affects ApostropheCMS: the bearer token authentication flow can bypass MFA/TOTP if a password-verification token (incompleteToken) is used as a bearer token. The root cause is a MongoDB query bug in the getBearer() logic: it checks for requirementsToVerify with $ne: [] (not equal t...
EUVD-2026-12975
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware...