CISO Brief

All news with #authentication bypass tag

296 articles · page 3 of 15

SpiceJet Booking System: Two High-Severity Exposure Flaws

⚠️ CISA reports two high-severity authorization and authentication flaws in SpiceJet Online Booking System (CVE-2026-6375, CVE-2026-6376) that permit unauthenticated disclosure of passenger information. Both issues carry a CVSS 3.1 base score of 7.5 and allow PNR enumeration and full booking retrieval without proper access controls. SpiceJet did not respond to coordination requests; CISA recommends defensive network segmentation and other mitigations.

Critical Authentication Bypass in Xiongmai XM530 IP Cameras

⚠️ A critical authentication bypass (CVE-2025-65856) affects Hangzhou Xiongmai Technology Co., Ltd XM530 IP cameras running firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06. The ONVIF implementation fails to enforce authentication on 31 endpoints, allowing unauthenticated remote attackers to access sensitive device information and live video streams. CISA rates the issue CRITICAL (CVSS 3.1 9.8). The vendor has not cooperated with CISA; users should minimize network exposure, isolate devices behind firewalls, and contact Xiongmai support for guidance.

Critical Carlson VASCO-B GNSS Receiver Authentication Flaw

⚠️ The Carlson VASCO-B GNSS Receiver contains an authentication bypass that allows unauthenticated network access to device configuration and operational functions. Affected firmware builds are versions prior to 1.4.0 (CVE-2026-3893) and the issue carries a CVSS 3.1 base score of 9.4 (Critical). Carlson Software recommends updating to 1.4.0 or later and restricting network exposure. Follow network segmentation and firewall controls to mitigate exposure until you apply the update.

Critical Azure SRE Agent Flaw Allowed Silent Eavesdropping

🔒 A high-severity authentication flaw in Azure SRE Agent exposed agent activity streams to unauthorized tenants, researcher Yanir Tsarimi of Enclave AI reported. Tracked as CVE-2026-32173 with a CVSS score of 8.6, the vulnerability stemmed from an Entra ID app registration configured as multi-tenant and a WebSocket hub that accepted tokens without tenant authorization checks. The hub broadcast agent prompts, internal reasoning, commands and outputs to all connected clients. Microsoft applied a server-side fix and says no customer action is required, but organizations that ran the agent during preview should review any credentials or sensitive data that may have traversed agent interactions.

Siemens Industrial Edge Management Authentication Bypass

🔒 Siemens has disclosed an authorization bypass vulnerability in Industrial Edge Management that may allow an unauthenticated remote attacker to circumvent authentication and access connected devices using the product's remote connection feature. Tracked as CVE-2026-33892, the flaw has a CVSS v3.1 base score of 7.1 (High). Siemens released patched versions and urges operators to update immediately and restrict network access to affected systems.

Siemens SINEC NMS UMC Authentication Bypass Vulnerability

⚠️ A vulnerability in Siemens SINEC NMS when used with the User Management Component (UMC) allows an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. Tracked as CVE-2026-24032 and scored CVSS v3.1 7.3 (High), the flaw stems from insufficient validation of user identity in the UMC. Siemens released an update; operators should upgrade to V4.0 SP3 or later. Limit network exposure, isolate control networks behind firewalls, and follow Siemens' industrial security guidance when applying fixes.

Zero Motorcycles Bluetooth Pairing Vulnerability Reported

🔒 Zero Motorcycles firmware versions 44 and earlier contain a Bluetooth pairing flaw (CVE-2026-1354) that can allow an attacker to forcibly pair with a motorcycle while it is in pairing mode. Once paired and in proximity, an attacker could use over-the-air firmware update capability to upload malicious firmware. The motorcycle must remain paired and within range for the entire update. Zero recommends secure pairing practices, physical key security, and plans a firmware update in May 2026; users should install updates when available.

Multiple critical vulnerabilities in SenseLive X3050 devices

⚠️ The CISA advisory reports multiple high-severity vulnerabilities in SenseLive X3050 (V1.523) that can allow an attacker on the network to bypass authentication, obtain administrative access, and perform unauthorized firmware operations. Affected issues include hard-coded credentials, missing authentication and authorization, insufficient session handling, cleartext management traffic, CSRF, and unsafe configuration controls that may destabilize device operation. CISA notes no known public exploitation to date; administrators should reduce exposure and contact the vendor.

Siemens SINEC NMS Authorization Bypass Vulnerability

⚠️ Siemens ProductCERT reports an authorization bypass in SINEC NMS prior to V4.0 SP3 that permits an authenticated attacker to reset the password of any user account. The vulnerability arises from improper validation of authorization when processing password reset requests. Siemens has released V4.0 SP3 to remediate the flaw and CISA republished the vendor advisory. Until systems are updated, organizations should apply network restrictions, isolate control networks, and require secure remote access.

Critical Missing Authorization in AVEVA Pipeline Simulation

🔒 A critical authorization vulnerability (CVE-2026-5387) in AVEVA Pipeline Simulation allows an unauthenticated actor to perform actions reserved for Simulator Instructor or Developer roles, with the potential to modify simulation parameters, training configuration, and training records. Affected versions are <=2025_SP1_build_7.1.9497.6351. AVEVA provides a fix: upgrade to 2025 SP1 P01 (build 7.1.9580.8513) or later; interim mitigations include restricting API network access and enforcing TLS.

Critical Nginx UI Auth-Bypass (MCP) Flaw Actively Exploited

⚠️ A critical authentication bypass in nginx-ui (CVE-2026-33032) allows unauthenticated attackers to invoke privileged MCP actions via an unprotected /mcp_message endpoint. Exploitation can write, modify, and reload Nginx configuration files, enabling full server takeover from a single request. NGINX issued fixes (starting with 2.3.4, latest secure build 2.3.6) after disclosures; administrators should update and audit exposed instances immediately.

Critical nginx-ui MCP Authentication Bypass Exploited

🔒 A critical authentication bypass in nginx-ui (CVE-2026-33032, CVSS 9.8) is being actively exploited in the wild, allowing a single unauthenticated API request to take full control of exposed servers. The flaw stems from a missing authentication check on the /mcp_message endpoint while the companion /mcp endpoint retained middleware, exposing 12 MCP tools—seven of which enable destructive actions such as injecting configs, reloading services and intercepting traffic. Maintainers issued a fix in v2.3.4 the day after disclosure; organisations should update immediately, disable MCP if they cannot patch, restrict access to management interfaces and review logs and configurations for unauthorized changes.

Critical nginx-ui Authentication Bypass Enables Takeover

⚠️ A critical authentication-bypass flaw (CVE-2026-33032) in nginx-ui is being actively exploited to seize control of Nginx services. The issue stems from the MCP integration exposing two endpoints; /mcp_message lacks the AuthRequired() middleware and the default IP whitelist is treated as "allow all," permitting unauthenticated invocation of management tools. Update to v2.3.4 immediately or disable MCP and restrict access as interim mitigations.

Seven IBM WebSphere Liberty Flaws Can Lead to Takeover

🔒 Researchers warn that seven vulnerabilities in IBM WebSphere Liberty can be chained from a pre-authentication SAML Web SSO flaw into full server compromise. The initial defect, tracked as CVE-2026-1561, allows unauthenticated attackers to supply crafted serialized payloads because a String.concat() misuse makes the integrity check ineffective, enabling pre-auth RCE against exposed SAML endpoints. Subsequent AdminCenter weaknesses let low-privileged 'reader' users retrieve keys and sensitive configuration, forge tokens, and abuse an archive-extraction flaw to write arbitrary files; IBM has issued patches and configuration guidance to mitigate the chain.

Old Docker AuthZ Bypass Reappears, Patch Released Now

⚠️ Researchers from Cyera disclosed a high-severity authorization bypass in Docker Engine (CVE-2026-34040) that allows attackers with Docker API access to evade third-party AuthZ plug-ins and execute privileged commands on hosts. The flaw, rated 8.8 on the CVSS scale, was fixed in Docker Engine 29.3.1 and Docker Desktop 4.66.1. As an interim mitigation, administrators can filter malicious requests by limiting API request size (for example, blocking requests over 512 KB) until patches are deployed.

Google Adds Device-Bound Session Credentials to Chrome 146

🔐 Google has made Device Bound Session Credentials (DBSC) generally available to Windows users on Chrome 146, with macOS support planned for a later release. DBSC uses hardware-backed modules like the Trusted Platform Module (TPM) to bind short-lived session cookies to a specific device so exfiltrated cookies cannot be used by attackers. The feature falls back gracefully on devices without secure key storage and was developed with Microsoft as part of efforts to make the approach an open web standard. Google says the architecture is privacy-minded and does not enable cross-site tracking.

Device-Bound Session Cookies Arrive in Chrome 146

🔐 Chrome has enabled Device Bound Session Credentials (DBSC) publicly for Windows users on Chrome 146, with macOS support arriving in a future release. DBSC cryptographically binds short‑lived session cookies to a device's hardware-backed key (TPM or Secure Enclave) so exfiltrated cookies cannot be reused off‑device. The browser handles rotation and the approach preserves privacy by avoiding device identifiers. Web developers can adopt DBSC via the open spec and developer guide.

Fortinet issues emergency hotfix for FortiClient EMS

🚨 Fortinet has released an emergency hotfix for FortiClient EMS to address a critical authentication-bypass vulnerability tracked as CVE-2026-35616 that permits unauthenticated remote code execution. The flaw carries a CVSS score of 9.1 and affects on-premises EMS versions 7.4.5 and 7.4.6; FortiClient Cloud and FortiSASE were patched server-side and a full fix is planned for 7.4.7. Organizations should apply the hotfix to EMS Linux servers, audit API logs and recent configuration changes, and restore or rebuild instances if compromise is suspected.

Docker CVE-2026-34040 Lets Attackers Bypass AuthZ Exploit

⚠️ A high-severity flaw (CVE-2026-34040, CVSS 8.8) in Docker Engine can allow an attacker with API access to bypass AuthZ plugins by causing the daemon to forward requests without their body. The bug is tied to an incomplete fix for CVE-2024-41110 and arises when oversized, padded HTTP requests are dropped before reaching the authorization plugin. An attacker who pads a container-creation request above the threshold can cause the daemon to create a privileged container that mounts the host filesystem. Docker Engine 29.3.1 contains the patch; mitigations include avoiding body-dependent AuthZ plugins, restricting API access to trusted users, or running Docker in rootless mode.

CISA Orders Feds to Patch Fortinet EMS Zero-Day Urgently

⚠️ CISA has ordered federal agencies to patch FortiClient EMS instances by April 9 after the discovery of CVE-2026-35616, a pre-authentication API access bypass. Fortinet released emergency hotfixes and said unauthenticated attackers can execute code via specially crafted requests. Administrators are urged to apply hotfixes or upgrade to 7.4.7 immediately to mitigate active exploitation.