CVE-2026-40166

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the clientsecret of confidential OAuth2 providers they have previously authenticated against, exposing...

CVE-2026-41418

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint POST /api/access-tokens. When an invalid username/email is provided, the server responds immediately 17ms average. When a val...

Unspecified Vulnerability in StudioCMS (CNVD-2026-18154)

StudioCMS is StudioCMS open source a content management system . A denial of service vulnerability exists in StudioCMS. The vulnerability stems from insufficient DELETE /studiocmsapi/dashboard/api-tokens endpoint validation, which can be exploited by an attacker to cause a denial of service...

Authorization Bypass Through User-Controlled Key

Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the DELETE /studiocmsapi/dashboard/api-tokens endpoint. An attacker can revoke API tokens belonging to other users,...

Incorrect Authorization

Overview studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Incorrect Authorization through the api-tokens endpoint, which allows an authenticated user with editor privileges or higher to genera...

EUVD-2026-10555

StudioCMS has Privilege Escalation via Insecure API Token Generation...

Incorrect Authorization

Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Incorrect Authorization through the api-tokens endpoint, which allows an authenticated user with editor privileges or higher to generate API tokens for any user by specifying...

CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . StudioCMS has an authorization issue vulnerability that originates from improper authorization of the /studiocmsapi/dashboard/api-tokens endpoint, which can be exploited by an attacker to cause elevation of privilege...

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . A denial of service vulnerability exists in StudioCMS. The vulnerability stems from insufficient DELETE /studiocmsapi/dashboard/api-tokens endpoint validation, which can be exploited by an attacker to cause a denial of service...

Mobileiron Sentry Access Control Error Vulnerability

Mobileiron Sentry is a Smart Gateway product from Mobileiron, Inc. An access control error vulnerability exists in Mobileiron Sentry versions prior to 22.1.0 through 23.7.2 that could allow an attacker to steal and exploit user tokens via /api/0/api-tokens/...

PT-2018-15283 · Openstack · Openstack Keystone

Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions through 14.0.1 Description: The issue allows for user enumeration due to the difference in response times for valid and invalid usernames when making a POST request to the "/v3/auth/tokens" endpoint. The vendor vie...

DEBIAN-CVE-2014-5252

The V3 API in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issuedat value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification 1 GET or 2 HEAD request to v3/auth/tokens/...

UBUNTU-CVE-2014-5252

The V3 API in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issuedat value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification 1 GET or 2 HEAD request to v3/auth/tokens/...