Lucene search
K

10 matches found

NVD
NVD
added last week7 views

CVE-2026-56775

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. On instances using Advanced Permissions...

5.4CVSS0.00176EPSS
Exploits0References2
EUVD
EUVD
added last week6 views

EUVD-2026-42262

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. On instances using Advanced Permissions...

5.4CVSS6AI score0.00176EPSS
Exploits0References2
OSV
OSV
added last week4 views

CVE-2026-56775 n8n - Incorrect OAuth Scope Validation in Evaluation Test Runs Endpoints

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. On instances using Advanced Permissions...

5.3CVSS6.1AI score0.00176EPSS
Exploits0References4
NVD
NVD
added 2026/07/06 10:16 p.m.9 views

CVE-2026-32718

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and...

6.5CVSS0.00213EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/06 9:4 p.m.34 views

CVE-2026-32718 Coolify read-scoped API tokens can perform state-changing validation operations

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and...

6.5CVSS0.00213EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/19 5:59 p.m.4 views

CVE-2026-49291

mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call...

8.1CVSS5.9AI score0.00264EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/08 11:9 p.m.14 views

nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints

Every /ui/ POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect: - top-level form-submit navigations from third-party pages some browsers still send Lax cookie...

5.3AI score0.00013EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/08 11:9 p.m.8 views

GHSA-273Q-QGH5-WRJ6 nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints

Every /ui/ POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect: - top-level form-submit navigations from third-party pages some browsers still send Lax cookie...

7CVSS5.3AI score0.00013EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/06/06 4:6 p.m.103 views

glitchtip-session-auth-bypass-poc

GlitchTip authorization bypass PoC This PoC documents and rep...

5.5AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.10 views

PT-2026-20368

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 Description Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote...

7.1CVSS5.5AI score0.0014EPSS
Exploits0References6
Rows per page
Query Builder