#authorization-bypass
6 articles
Technology and cloud infrastructure sectors faced a concentrated wave of authorization bypass vulnerabilities between May 8 and May 17, 2026, with six articles covering critical flaws including CVE-2026-7813 (CVSS 9.9), CVE-2026-42880 (CVSS 9.6), CVE-2026-44574 (CVSS 8.1), CVE-2026-44575 (CVSS 8.1), and CVE-2026-33357 (CVSS 7.5). The two critical and three high-severity issues impacted consumer IoT, database management, and mobile network operators, while one medium-severity vulnerability was also documented.
[MEDIUM] Open5GS AMF Flaw CVE-2026-8743 Enables Remote Authorization Bypass
CVE-2026-8743 (CVSS 6.5) in Open5GS up to 2.7.6 lets remote attackers bypass authorization via the AMF/MME ran_ue_find_by_amf_ue_ngap_id function. Exploit public.
[HIGH] Next.js Patches Two Authorization Bypass Flaws in App Router
CVE-2026-44574 (CVSS 8.1) and CVE-2026-44575 (CVSS 7.5) let attackers bypass middleware-based auth checks in Next.js App Router via crafted .rsc URLs and query parameter...
[HIGH] Meari SDK Flaw CVE-2026-33357 Leaks WAN IP of IoT Cameras
CVE-2026-33357 (CVSS 7.5) in Meari SDK lets attackers retrieve WAN IPs for any device via CloudEdge, Arenti, and white-label apps — no authentication required.
[CRITICAL] CVE-2026-7813: pgAdmin 4 Server Mode Flaw Lets Users Access Private
CVE-2026-7813 (CVSS 9.9) in pgAdmin 4 server mode lets authenticated users access private servers, groups, and debugger data from other users by guessing object IDs.
[CRITICAL] Argo CD Flaw CVE-2026-42880 Leaks Kubernetes Secrets via Dry-Run
CVE-2026-42880 (CVSS 9.6) in Argo CD lets read-only attackers extract plaintext Kubernetes Secrets via ServerSideDiff endpoint using Server-Side Apply dry-run.
[HIGH] CVE-2026-7891: DIVD VerySecureApp Leaks All Records to Anonymous Users
CVE-2026-7891 in DIVD's VerySecureApp (Mendix Studio Pro 11.8.0 Beta) exposes all stored records to anonymous users via an authorization misconfiguration — no access rights...