Lucene search
K

187 matches found

Snyk
Snyk
added 2026/04/10 3:30 p.m.10 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the OIDC login process when the EmailFallback mechanism is enabled. An attacker can gain unauthorized access to accounts protected by TOTP by authenticating to the OIDC provider with a matching email address,...

9.1CVSS5.8AI score0.00281EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/03 3:29 a.m.31 views

Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)

Summary Under certain configurations, sessions may be considered valid before two-factor authentication 2FA is fully completed. This can allow access to authenticated routes without verifying the second factor. --- Description When two-factor authentication is enabled, the authentication flow...

5.9AI score
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.6 views

CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

8.5CVSS5.8AI score0.0027EPSS
Exploits1References1
SUSE CVE
SUSE CVE
added 2026/03/25 12:24 a.m.13 views

SUSE CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

8.5CVSS5.9AI score0.0027EPSS
Exploits1References3
NVD
NVD
added 2026/03/12 7:16 p.m.20 views

CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

8.5CVSS0.0027EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/12 6:59 p.m.5 views

CVE-2026-32246

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

8.5CVSS5.8AI score0.0027EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/03/12 6:59 p.m.18 views

CVE-2026-32246

CVE-2026-32246 (Tinyauth) : Tinyauth authentication/authorization server before version 5.0.3 allows an attacker who knows a user’s password but not the TOTP secret to obtain an authorization code and valid OIDC tokens by abusing the OIDC authorization endpoint during a TOTP-pending session. This...

8.5CVSS5.8AI score0.0027EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2026/03/12 4:38 p.m.8 views

Missing Critical Step in Authentication

Overview Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...

8.5CVSS5.7AI score0.0027EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/12 4:38 p.m.3 views

Missing Critical Step in Authentication

Overview Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...

8.5CVSS5.7AI score0.0027EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.7 views

PT-2026-25056

Name of the Vulnerable Software and Affected Versions Tinyauth versions prior to 5.0.3 Description Tinyauth is an authentication and authorization server. The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization...

9.9CVSS7.2AI score0.22162EPSS
Exploits70References138
RedhatCVE
RedhatCVE
added 2026/03/07 7:59 a.m.9 views

CVE-2026-28787

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during...

9CVSS5.8AI score0.00276EPSS
Exploits1References1
NVD
NVD
added 2026/03/06 5:16 a.m.11 views

CVE-2026-28787

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during...

9CVSS0.00276EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/03/02 9:40 p.m.17 views

OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay

Summary The WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification W3C Web Authentication Level 2, §13.4.3...

9CVSS6AI score0.00276EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/02 12:0 a.m.8 views

PT-2026-22998

Name of the Vulnerable Software and Affected Versions OneUptime versions 10.0.11 and prior Description The WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during...

9CVSS6AI score0.00276EPSS
Exploits1References11
Snyk
Snyk
added 2026/02/06 6:52 p.m.4 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the UseRecoveryCode function, which fails to check the supplied userID before validating the second factor. A user in possession of the username and password of another user ca...

8.8CVSS5.5AI score0.00424EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/06 6:52 p.m.4 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the UseRecoveryCode function, which fails to check the supplied userID before validating the second factor. A user in possession of the username and password of another user ca...

8.8CVSS5.5AI score0.00424EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/06 6:52 p.m.2 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the UseRecoveryCode function, which fails to check the supplied userID before validating the second factor. A user in possession of the username and password of another user ca...

8.8CVSS5.5AI score0.00424EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/06 6:52 p.m.3 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the UseRecoveryCode function, which fails to check the supplied userID before validating the second factor. A user in possession of the username and password of another user ca...

8.8CVSS5.5AI score0.00424EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/09 11:21 a.m.22 views

CVE-2021-22057

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify...

8.8CVSS7.1AI score0.0113EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:55 a.m.8 views

CVE-2020-12812

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication FortiToken if they changed the case of their username...

9.8CVSS9.7AI score0.49344EPSS
Exploits0References1
Rows per page
Query Builder