430 matches found

RedHat Linux
added 2026/05/26 12:59 p.m., 12 views

Apache Tomcat: Authentication bypass via client certificate misconfiguration

A flaw was found in Apache Tomcat where OCSP-based certificate validation may incorrectly soft-fail during CLIENTCERT authentication, even when soft-fail is disabled, under certain FFM-related execution paths. This can result in client certificates being accepted despite failed or unverifiable...

CVSS 6.5, AI score 5.9, EPSS 0.00149
Exploits 0, References 5
CNNVD
added 2026/05/22 12:00 a.m., 6 views

Google Go security vulnerability

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which occurs when using CertChecker as a public key callback without setting IsUserAuthority or IsHos...

CVSS 5.3, AI score 5.8, EPSS 0.00029
Exploits 0, References 5
Positive Technologies
added 2026/05/20 12:00 a.m., 7 views

PT-2026-42203

The TLS server implementation does not validate the KeyUsage and ExtendedKeyUsage extensions of client certificates when mutually authenticated TLS is requested. This can lead to impersonation with a certificate issued to a server. Scenario An operations engineer enables mTLS on the admin endpoin...

CVSS 7.4, AI score 5.8
Exploits 0, References 1
Github Security Blog
added 2026/05/14 1:13 p.m., 5 views

Fleet has a Windows MDM management endpoint authentication bypass

Summary: A vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Impact...

CVSS 8.2, AI score 5.8, EPSS 0.00011
Exploits 0, References 4, Affected Software 1
EUVD
added 2026/05/07 6:30 p.m., 6 views

EUVD-2026-28394

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates...

CVSS 9.1, AI score 5.8, EPSS 0.00059
Exploits 0, References 2
NCSC
added 2026/05/07 4:17 p.m., 5 views

Vulnerabilities managed in Ivanti Endpoint Manager Mobile

Ivanti has identified five vulnerabilities in Endpoint Manager Mobile EPMM, also known as MobileIron. One of these vulnerabilities, labeled CVE-2026-6973, allows an authenticated malicious actor with administrative access to remotely execute arbitrary code with administrator privileges. Ivanti...

CVSS 9.8, AI score 6.3, EPSS 0.04907
Exploits 0, References 1
NVD
added 2026/05/07 4:16 p.m., 8 views

CVE-2026-5787

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates...

CVSS 9.1, EPSS 0.00059
Exploits 0, References 1
CVE
added 2026/05/07 3:36 p.m., 10 views

CVE-2026-5787

CVE-2026-5787 is an improper certificate validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) prior to versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. An unauthenticated remote attacker can impersonate registered Sentry hosts and obtain valid CA-signed client certificates. This CVE is lis...

CVSS 9.1, AI score 5.8, EPSS 0.00059
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/05/07 3:36 p.m., 25 views

CVE-2026-5787

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates...

CVSS 8.9, EPSS 0.00059
Exploits 0, References 1
Vulnrichment
added 2026/05/07 3:36 p.m., 5 views

CVE-2026-5787

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates...

CVSS 8.9, AI score 5.8, EPSS 0.00059
Exploits 0, References 1
CNNVD
added 2026/05/07 12:00 a.m., 5 views

Ivanti EPMM trust management vulnerability

Ivanti EPMM is a product developed by the American company Ivanti, designed to help IT departments establish policies for mobile devices, applications, and content. Versions of Ivanti EPMM prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 contained vulnerabilities related to trust management. These...

CVSS 9.1, AI score 5.8, EPSS 0.00059
Exploits 0, References 1
Snyk
added 2026/05/04 11:24 p.m., 5 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the TLS handshake process. An attacker can cause worker connection handling to block by opening a connection to the authentication listener and delaying or withholding the client...

CVSS 7.5, AI score 5.8, EPSS 0.00031
Exploits 0, References 2
Cvelist
added 2026/05/04 9:34 p.m., 30 views

CVE-2026-7776 Boundary Workers Vulnerable to Denial of Service During TLS Handshake

Boundary Community Edition and Boundary Enterprise “Boundary” workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...

CVSS 7.5, EPSS 0.00031
Exploits 0, References 1
Positive Technologies
added 2026/05/04 12:00 a.m., 3 views

PT-2026-36926

Name of the Vulnerable Software and Affected Versions: Boundary Community Edition versions prior to 0.21.3; Boundary Community Edition versions prior to 0.20.3; Boundary Community Edition versions prior to 0.19.5; Boundary Enterprise versions prior to 0.21.3; Boundary Enterprise versions prior to 0.20...

CVSS 7.5, AI score 5.8, EPSS 0.00031
Exploits 0, References 5
Snyk
added 2026/04/27 2:16 p.m., 3 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the TlsTransportPlugin. An attacker can gain unauthorized access by establishing a TLS connection without presenting a valid client certificate, as the system assigns an anonymous princip...

CVSS 8.2, AI score 5.8, EPSS 0.0014
Exploits 0, References 2
CVE
added 2026/04/22 5:08 a.m., 13 views

CVE-2026-22747

Summary: CVE-2026-22747 affects Spring Security 7.0.0–7.0.4. The issue is in SubjectX500PrincipalExtractor’s handling of certain malformed X.509 certificate CN values, which can cause the system to read the wrong username value and potentially allow attacker impersonation of another user. The co...

CVSS 8.1, AI score 5.8, EPSS 0.00031
Exploits 0, References 1, Affected Software 1
Veracode
added 2026/04/15 6:19 a.m., 5 views

Improper Authentication And Authorization

kubevirt.io/kubevirt is vulnerable to improper authentication and authorization. The vulnerability is due to improper validation of the Common Name CN field in client TLS certificates during mTLS authentication, which allows an attacker to bypass RBAC controls by impersonating the Kubernetes API...

CVSS 4.7, AI score 6.8, EPSS 0.0002
Exploits 1, References 4, Affected Software 1
CVE
added 2026/04/14 8:40 a.m., 4 views

CVE-2025-40745

Summary: CVE-2025-40745 affects Siemens software including Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge SE2025/SE2026, and Tecnomatix Plant Simulation. All versions listed are prior to the specified updates (e.g., Software Center < V3.5.8.2, Simcenter 3D <...

CVSS 6.3, AI score 5.8, EPSS 0.00024
Exploits 0, References 1
CNNVD
added 2026/04/14 12:00 a.m., 4 views

Multiple Siemens products trust management vulnerability

Siemens Solid Edge is a product of German company Siemens. Siemens Solid Edge is a 3D CAD software. Siemens Software Center is another product by Siemens. Siemens Solid Edge SE2025 is a development software. Several Siemens products have vulnerabilities related to trust management. These...

CVSS 6.3, AI score 5.8, EPSS 0.00024
Exploits 0, References 1
CNNVD
added 2026/04/07 12:00 a.m., 3 views

Red Hat rhacm2 trust management vulnerability

Red Hat rhacm2 is a library of the American company Red Hat. Red Hat rhacm2 has a trust management vulnerability, which stems from improper validation of Kubernetes client certificate renewal. This vulnerability could allow administrators of managed clusters to forge client certificates that are...

CVSS 8.2, AI score 5.8, EPSS 0.00012
Exploits 1, References 3