ZCyberNews

#authentication-bypass

15 articles

Between April and May 2026, ZCyberNews published 17 articles on authentication-bypass vulnerabilities, including critical flaws CVE-2026-20127, CVE-2026-20182, and CVE-2026-20223, each carrying a CVSS score of 10. The coverage spanned seven critical, seven high, and three medium severity issues, affecting technology, financial services, government, healthcare, and software development sectors globally. Additional top CVEs included CVE-2026-41940 (CVSS 9.8) and CVE-2026-33413 (CVSS 8.8), highlighting the pervasive risk of authentication failures across industries.

CVE-2026-20223 (CVSS 10): Unauthenticated API Access in Cisco Secure
CRITICAL | Vulnerabilities

CVE-2026-20223 (CVSS 10.0): Unauthenticated attackers can access internal REST APIs in Cisco Secure Workload with Site Admin privileges. No authentication required.

CVE-2026-20223
3 min read

Open WebUI Patches Three Flaws: XSS, SVG Injection, Auth Bypass
HIGH | Vulnerabilities

Open WebUI fixes CVE-2026-45314 (SVG XSS), CVE-2026-45303 (iframe script injection), and CVE-2026-44567 (pending-role auth bypass) — all in the self-hosted AI platform.

CVE-2026-45314, CVE-2026-45303, CVE-2026-44567
5 min read

ZITADEL LDAP Filter Injection CVE-2026-44671 Allows Unauthenticated
HIGH | Vulnerabilities

CVE-2026-44671 (CVSS 7.5): ZITADEL identity platform fails to escape usernames in LDAP filters, letting unauthenticated attackers inject arbitrary filter logic during login.

CVE-2026-44671
3 min read

Aegra IDOR CVE-2026-44504 Exposes Cross-Tenant Data in Shared
HIGH | Vulnerabilities

CVE-2026-44504: Aegra prior to 0.9.7 allows authenticated attackers to read checkpoint state and inject messages into other users' threads via cross-tenant IDOR. Patch available.

CVE-2026-44504
3 min read

Cisco Catalyst SD-WAN Controller Flaw CVE-2026-20182 Scores Perfect
CRITICAL | Vulnerabilities

Rapid7 discovered CVE-2026-20182, a 10.0-CVSS authentication bypass in Cisco Catalyst SD-WAN Controller. Unauthenticated attackers can inject SSH keys and issue NETCONF commands.

CVE-2026-20182, CVE-2026-20127
4 min read

Hackers Exploit PraisonAI Auth Bypass Hours After Disclosure
HIGH | Vulnerabilities

Sysdig detected CVE-2026-44338 exploitation attempts within 3 hours 44 minutes of the public advisory — attackers probed /agents on exposed PraisonAI instances.

CVE-2026-44338
3 min read

Casdoor LFS Flaw CVE-2026-6815 Lets Admins Write Files Anywhere
CRITICAL | Vulnerabilities

CVE-2026-6815 in Casdoor's Local File System storage provider lets authenticated admins traverse paths to write arbitrary files outside the sandbox. No patch yet.

CVE-2026-6815
3 min read

pgAdmin 4 Brute-Force Flaw CVE-2026-7820 Bypasses Account Lockout
MEDIUM | Vulnerabilities

CVE-2026-7820 (CVSS 6.5) in pgAdmin 4 lets attackers brute-force passwords via Flask-Security's default /login view, bypassing MAXLOGINATTEMPTS enforcement.

CVE-2026-7820
3 min read

WSO2 API Manager Flaw CVE-2025-8325 Lets Low-Privilege Users Bypass
MEDIUM | Vulnerabilities

CVE-2025-8325 (CVSS 6.3) in WSO2 API Manager lets users with the Internal/Everyone role invoke Gateway and Internal Service APIs without authorization, affecting APIM 3.x...

CVE-2025-8325
3 min read

Yeti JWT Flaw CVE-2024-46508 Lets Attackers Forge Auth Tokens
HIGH | Vulnerabilities

CVE-2024-46508 (CVSS 7.5) in Yeti platform before 2.1.12 lets attackers forge valid JWT tokens when the default secret key is unchanged — full account takeover risk.

CVE-2024-46508
3 min read

cPanel & WHM Authentication Bypass CVE-2026-41940: CVSS 9.8
CRITICAL | Vulnerabilities

CVE-2026-41940: Unauthenticated remote attackers can bypass authentication in cPanel & WHM and WP Squared. CVSS 9.8. Patch released April 28, 2026.

CVE-2026-41940
3 min read

Flowise Auth Bypass CVE-2026-41276 Lets Attackers Reset Passwords
HIGH | Vulnerabilities

CVE-2026-41276 (CVSS 8.1) in Flowise AccountService resetPassword lets unauthenticated attackers bypass authentication. ZDI advisory warns no auth required.

CVE-2026-41276
2 min read

Siemens SINEC NMS Authentication Bypass CVE-2026-24032 Gets 7.3 CVSS
HIGH | Vulnerabilities

ZDI disclosed CVE-2026-24032, a 7.3-CVSS authentication bypass in Siemens SINEC NMS that requires no authentication to exploit. Affects industrial network management systems.

CVE-2026-24032
3 min read

Critical etcd Authentication Bypass Exposes Kubernetes Cluster Secrets
CRITICAL | Vulnerabilities

A critical authentication bypass flaw in etcd, CVE-2026-33413 (CVSS 8.8), allows unauthorized access to sensitive cluster APIs, potentially exposing secrets and configurations in Kubernetes and cloud-native environments.

CVE-2026-33413
4 min read

Critical WordPress Plugin Flaw Allows Unauthenticated Admin Takeover
CRITICAL | Vulnerabilities

A critical flaw (CVE-2026-1492) in the User Registration & Membership WordPress plugin allows unauthenticated attackers to bypass login and gain full administrator access, impacting thousands of sites.

CVE-2026-1492
3 min read
