Lucene search
K

122 matches found

Snyk
Snyk
added 5 days ago4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the OAuth sign-in callback process. An attacker can regain access to accounts that have been disabled by an administrator by initiating an OAuth sign-in, resulting in unauthorized re-enablement of those account...

9.8CVSS6AI score0.00343EPSS
Exploits0References2
Snyk
Snyk
added 5 days ago6 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the OAuth sign-in callback process. An attacker can regain access to accounts that have been disabled by an administrator by initiating an OAuth sign-in, resulting in unauthorized re-enablement of those account...

9.8CVSS6AI score0.00343EPSS
Exploits0References2
NVD
NVD
added 5 days ago6 views

CVE-2026-58422

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...

9.8CVSS0.00343EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 5 days ago8 views

CVE-2026-58422

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...

5.9AI score0.00343EPSS
Exploits0References5
CVE
CVE
added 5 days ago16 views

CVE-2026-58422

CVE-2026-58422 describes an access control bypass in the OAuth sign-in callback that can silently re-enable administrator-disabled accounts in affected Go-Gitea installations. Concrete technical details from connected sources identify vulnerable components as the Gitea web router package paths: r...

9.8CVSS5.9AI score0.00343EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago8 views

PT-2026-55655

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Improper authorization occurs during the OAuth sign-in callback process, which allows accounts that were previously disabled by an administrator to be silently...

5.9AI score0.00343EPSS
Exploits0References7
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.2 views

Astra Linux – Vulnerability in the 389-DS-base

A flaw was discovered in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then any password will successfully match during authentication, instead of being inactive. This flaw allows an attacker to successfully authenticate as a user whose password h...

6.5CVSS6.6AI score0.01428EPSS
Exploits0References2
Veracode
Veracode
added 2026/06/17 11:35 a.m.8 views

Authentication Bypass

Spring Web Services is vulnerable to Authentication Bypass. The vulnerability is due to X509AuthenticationProvider issuing a fully authenticated X509AuthenticationToken based solely on certificate-to-user mapping, without enforcing standard account status checks such as disabled, locked, expired,...

5.4CVSS5.3AI score0.00148EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/10 12:0 a.m.4 views

Incorrect Implementation of Authentication Algorithm

Overview Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm via the X509AuthenticationProvider class in X509AuthenticationProvider.java. The provider issues a fully authenticated X509AuthenticationToken whenever a presented certificate maps to...

5.4CVSS5.5AI score0.00148EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/09 8:59 p.m.12 views

CVE-2026-46657

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

7.1CVSS5.5AI score0.00271EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:46 p.m.12 views

CVE-2026-24069

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise KOP was affected before 2.8.2509.4...

5.4CVSS5.5AI score0.00189EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.11 views

CVE-2026-33031

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.4AI score0.00274EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.6 views

Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.1AI score0.00215EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/22 5:2 a.m.17 views

CVE-2026-22746

The CVE concerns Spring Security vulnerability CVE-2026-22746 where the timing-attack defense in DaoAuthenticationProvider can be bypassed when an application uses the UserDetails attributes isEnabled, isAccountNonExpired, or isAccountNonLocked to manage user status. Affected versions include Spr...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/22 5:2 a.m.11 views

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/21 3:0 p.m.7 views

EUVD-2026-23965

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/21 3:0 p.m.9 views

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Summary A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/21 12:0 a.m.9 views

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/20 8:12 p.m.4 views

CVE-2026-33031

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/20 8:12 p.m.5 views

CVE-2026-33031 Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References1
Rows per page
Query Builder