#authentication-bypass
15 articles
Between April and May 2026, ZCyberNews published 17 articles on authentication-bypass vulnerabilities, including critical flaws CVE-2026-20127, CVE-2026-20182, and CVE-2026-20223, each carrying a CVSS score of 10. The coverage spanned seven critical, seven high, and three medium severity issues, affecting technology, financial services, government, healthcare, and software development sectors globally. Additional top CVEs included CVE-2026-41940 (CVSS 9.8) and CVE-2026-33413 (CVSS 8.8), highlighting the pervasive risk of authentication failures across industries.
[CRITICAL] CVE-2026-20223 (CVSS 10): Unauthenticated API Access in Cisco Secure
CVE-2026-20223 (CVSS 10.0): Unauthenticated attackers can access internal REST APIs in Cisco Secure Workload with Site Admin privileges. No authentication required.
[HIGH] Open WebUI Patches Three Flaws: XSS, SVG Injection, Auth Bypass
Open WebUI fixes CVE-2026-45314 (SVG XSS), CVE-2026-45303 (iframe script injection), and CVE-2026-44567 (pending role auth bypass) — all in self-hosted AI platform.
[HIGH] ZITADEL LDAP Filter Injection CVE-2026-44671 Allows Unauthenticated
CVE-2026-44671 (CVSS 7.5): ZITADEL identity platform fails to escape usernames in LDAP filters, letting unauthenticated attackers inject arbitrary filter logic during login.
[HIGH] Aegra IDOR CVE-2026-44504 Exposes Cross-Tenant Data in Shared
CVE-2026-44504: Aegra prior to 0.9.7 allows authenticated attackers to read checkpoint state and inject messages into other users' threads via cross-tenant IDOR. Patch available.
[CRITICAL] Cisco Catalyst SD-WAN Controller Flaw CVE-2026-20182 Scores Perfect
Rapid7 discovered CVE-2026-20182, a 10.0-CVSS authentication bypass in Cisco Catalyst SD-WAN Controller. Unauthenticated attackers can inject SSH keys and issue NETCONF commands.
[HIGH] Hackers Exploit PraisonAI Auth Bypass Hours After Disclosure
Sysdig detected CVE-2026-44338 exploitation attempts within 3 hours 44 minutes of public advisory — attackers probed /agents on exposed PraisonAI instances.
[CRITICAL] Casdoor LFS Flaw CVE-2026-6815 Lets Admins Write Files Anywhere
CVE-2026-6815 in Casdoor's Local File System storage provider lets authenticated admins traverse paths to write arbitrary files outside the sandbox. No patch yet.
[MEDIUM] pgAdmin 4 Brute-Force Flaw CVE-2026-7820 Bypasses Account Lockout
CVE-2026-7820 (CVSS 6.5) in pgAdmin 4 lets attackers brute-force passwords via Flask-Security's default /login view, bypassing MAXLOGINATTEMPTS enforcement.
[MEDIUM] WSO2 API Manager Flaw CVE-2025-8325 Lets Low-Privilege Users Bypass
CVE-2025-8325 (CVSS 6.3) in WSO2 API Manager lets users with the Internal/Everyone role invoke Gateway and Internal Service APIs without authorization, affecting APIM 3.x...
[HIGH] Yeti JWT Flaw CVE-2024-46508 Lets Attackers Forge Auth Tokens
CVE-2024-46508 (CVSS 7.5) in Yeti platform before 2.1.12 lets attackers forge valid JWT tokens when the default secret key is unchanged — full account takeover risk.
[CRITICAL] cPanel & WHM Authentication Bypass CVE-2026-41940: CVSS 9.8
CVE-2026-41940: Unauthenticated remote attackers can bypass authentication in cPanel & WHM and WP Squared. CVSS 9.8. Patch released April 28, 2026.
[HIGH] Flowise Auth Bypass CVE-2026-41276 Lets Attackers Reset Passwords
CVE-2026-41276 (CVSS 8.1) in Flowise AccountService resetPassword lets unauthenticated attackers bypass authentication. ZDI advisory warns no auth required.
[HIGH] Siemens SINEC NMS Authentication Bypass CVE-2026-24032 Gets 7.3 CVSS
ZDI disclosed CVE-2026-24032, a 7.3-CVSS authentication bypass in Siemens SINEC NMS that requires no authentication to exploit. Affects industrial network management systems.
[CRITICAL] Critical etcd Authentication Bypass Exposes Kubernetes Cluster Secrets
A critical authentication bypass flaw in etcd, CVE-2026-33413 (CVSS 8.8), allows unauthorized access to sensitive cluster APIs, potentially exposing secrets and configurations in Kubernetes and cloud-native environments.
[CRITICAL] Critical WordPress Plugin Flaw Allows Unauthenticated Admin Takeover
A critical flaw (CVE-2026-1492) in the User Registration & Membership WordPress plugin allows unauthenticated attackers to bypass login and gain full administrator access, impacting thousands of sites.