#authentication-bypass
16 articles
Between April and June 2026, ZCyberNews covered 18 articles on authentication-bypass vulnerabilities, with the most critical flaws including CVE-2026-20127, CVE-2026-20182, and CVE-2026-20223, each carrying a CVSS score of 10. High-severity CVEs CVE-2019-25763 and CVE-2026-41940, both rated 9.8, also featured prominently. The coverage spanned eight critical, seven high, and three medium-severity issues, affecting the technology, financial services, government, healthcare, and software development sectors globally.
CRITICALCVE-2019-25763: WordPress Beaver Builder Plugin Authentication Bypass
CVE-2019-25763 (CVSS 9.8) allows unauthenticated attackers to hijack admin sessions in WordPress Ultimate Addons for Beaver Builder 1.2.4.1 via a crafted POST request to...
CRITICALCVE-2026-20223 (CVSS 10): Unauthenticated API Access in Cisco Secure
CVE-2026-20223 (CVSS 10.0): Unauthenticated attackers can access internal REST APIs in Cisco Secure Workload with Site Admin privileges. No authentication required.
HIGHOpen WebUI Patches Three Flaws: XSS, SVG Injection, Auth Bypass
Open WebUI fixes CVE-2026-45314 (SVG XSS), CVE-2026-45303 (iframe script injection), and CVE-2026-44567 (pending role auth bypass) — all in self-hosted AI platform.
HIGHZITADEL LDAP Filter Injection CVE-2026-44671 Allows Unauthenticated
CVE-2026-44671 (CVSS 7.5): ZITADEL identity platform fails to escape usernames in LDAP filters, letting unauthenticated attackers inject arbitrary filter logic during login.
HIGHAegra IDOR CVE-2026-44504 Exposes Cross-Tenant Data in Shared
CVE-2026-44504: Aegra prior to 0.9.7 allows authenticated attackers to read checkpoint state and inject messages into other users' threads via cross-tenant IDOR. Patch available.
CRITICALCisco Catalyst SD-WAN Controller Flaw CVE-2026-20182 Scores Perfect
Rapid7 discovered CVE-2026-20182, a 10.0-CVSS authentication bypass in Cisco Catalyst SD-WAN Controller. Unauthenticated attackers can inject SSH keys and issue NETCONF commands.
HIGHHackers Exploit PraisonAI Auth Bypass Hours After Disclosure
Sysdig detected CVE-2026-44338 exploitation attempts within 3 hours 44 minutes of public advisory — attackers probed /agents on exposed PraisonAI instances.
CRITICALCasdoor LFS Flaw CVE-2026-6815 Lets Admins Write Files Anywhere
CVE-2026-6815 in Casdoor's Local File System storage provider lets authenticated admins traverse paths to write arbitrary files outside the sandbox. No patch yet.
MEDIUMpgAdmin 4 Brute-Force Flaw CVE-2026-7820 Bypasses Account Lockout
CVE-2026-7820 (CVSS 6.5) in pgAdmin 4 lets attackers brute-force passwords via Flask-Security's default /login view, bypassing MAXLOGINATTEMPTS enforcement.
MEDIUMWSO2 API Manager Flaw CVE-2025-8325 Lets Low-Privilege Users Bypass
CVE-2025-8325 (CVSS 6.3) in WSO2 API Manager lets users with the Internal/Everyone role invoke Gateway and Internal Service APIs without authorization, affecting APIM 3.x...
HIGHYeti JWT Flaw CVE-2024-46508 Lets Attackers Forge Auth Tokens
CVE-2024-46508 (CVSS 7.5) in Yeti platform before 2.1.12 lets attackers forge valid JWT tokens when the default secret key is unchanged — full account takeover risk.
CRITICALcPanel & WHM Authentication Bypass CVE-2026-41940: CVSS 9.8
CVE-2026-41940: Unauthenticated remote attackers can bypass authentication in cPanel & WHM and WP Squared. CVSS 9.8. Patch released April 28, 2026.
HIGHFlowise Auth Bypass CVE-2026-41276 Lets Attackers Reset Passwords
CVE-2026-41276 (CVSS 8.1) in Flowise AccountService resetPassword lets unauthenticated attackers bypass authentication. ZDI advisory warns no auth required.
HIGHSiemens SINEC NMS Authentication Bypass CVE-2026-24032 Gets 7.3 CVSS
ZDI disclosed CVE-2026-24032, a 7.3-CVSS authentication bypass in Siemens SINEC NMS that requires no authentication to exploit. Affects industrial network management systems.
CRITICALCritical etcd Authentication Bypass Exposes Kubernetes Cluster Secrets
A critical authentication bypass flaw in etcd, CVE-2026-33413 (CVSS 8.8), allows unauthorized access to sensitive cluster APIs, potentially exposing secrets and configurations in Kubernetes and cloud-native environments.
CRITICALCritical WordPress Plugin Flaw Allows Unauthenticated Admin Takeover
A critical flaw (CVE-2026-1492) in the User Registration & Membership WordPress plugin allows unauthenticated attackers to bypass login and gain full administrator access, impacting thousands of sites.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.