CWE-290— Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.— MITRE CWE catalog
601 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-290page 12 of 13
- CVE-2026-45045MEDIUMCVSS 5.3EG 5.32026-07-02
Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-su…
- CVE-2026-45223HIGHCVSS 8.8EG 8.82026-05-11
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate pr…
- CVE-2026-45489MEDIUMCVSS 6.5EG 6.52026-07-03
Microsoft Edge (Chromium-based) Spoofing Vulnerability
- CVE-2026-46356HIGHCVSS 7.5EG 7.52026-05-14
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force…
- CVE-2026-46414HIGHCVSS 8.8EG 8.82026-05-27
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connectio…
- CVE-2026-47123HIGHCVSS 7.5EG 7.52026-05-29
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply…
- CVE-2026-4728MEDIUMCVSS 6.5EG 6.52026-03-24
Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
- CVE-2026-47381MEDIUMCVSS 6.9EG 6.92026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetc…
- CVE-2026-48567CRITICALCVSS 10.0EG 10.02026-06-04
Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-49231MEDIUMCVSS 5.4EG 5.42026-06-19
Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privilege…
- CVE-2026-49353HIGHCVSS 7.5EG 7.52026-07-02
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING ## Summary The fix for CVE-2026-46339 (unauthenticated RCE via unprotected MCP plugin routes) introduced a local-only access gate in `src/da…
- CVE-2026-49468CRITICALCVSS 9.8EG 9.82026-06-16
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management r…
- CVE-2026-49757CRITICALCVSS 9.2EG 9.22026-06-15
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email addres…
- CVE-2026-50141HIGHCVSS 7.1EG 7.12026-06-18
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `age…
- CVE-2026-52690MEDIUMCVSS 5.9EG 5.92026-06-25
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
- CVE-2026-52845HIGHCVSS 8.1EG 8.12026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request late…
- CVE-2026-53811HIGHCVSS 8.8EG 8.82026-06-11
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change d…
- CVE-2026-53817HIGHCVSS 8.8EG 8.82026-06-11
OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insu…
- CVE-2026-53823HIGHCVSS 8.1EG 8.12026-06-12
OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potent…
- CVE-2026-53832HIGHCVSS 7.1EG 7.72026-06-12
OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity head…
- CVE-2026-53833MEDIUMCVSS 6.5EG 7.72026-06-12
OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming…
- CVE-2026-53849HIGHCVSS 8.1EG 8.12026-06-16
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can…
- CVE-2026-53857HIGHCVSS 8.1EG 8.12026-06-16
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive ag…
- CVE-2026-54089CRITICALCVSS 9.1EG 9.12026-06-25
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy)…
- CVE-2026-54308HIGHCVSS 7.2EG 7.22026-06-16
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL …
- CVE-2026-54763CRITICALCVSS 10.0EG 10.02026-07-06
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but…
- CVE-2026-54782CRITICALCVSS 10.0EG 10.02026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML 1.1 and SAML 2.0 token validation does not correctly resolve the issuer signing key or require signed toke…
- CVE-2026-55202HIGHCVSS 8.2EG 8.22026-06-17
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection vi…
- CVE-2026-55641HIGHCVSS 8.2EG 8.22026-07-10
9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass …
- CVE-2026-56020HIGHCVSS 8.1EG 8.12026-06-18
The Webmin HTTP server (miniserv.pl) allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any use…
- CVE-2026-56357MEDIUMCVSS 5.3EG 4.02026-02-26
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to tri…
- CVE-2026-56360MEDIUMCVSS 4.0EG 4.02026-07-08
n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious …
- CVE-2026-56675HIGHCVSS 8.3EG 8.32026-07-10
9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 cause…
- CVE-2026-5792MEDIUMCVSS 6.5EG 6.52026-06-12
Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026.
- CVE-2026-58370HIGHCVSS 8.1EG 8.12026-06-30
Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name (commit.author.name) carried in the webhook payload, w…
- CVE-2026-58593HIGHCVSS 7.5EG 7.52026-07-01
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo …
- CVE-2026-59224HIGHCVSS 8.0EG 8.02026-07-09
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query …
- CVE-2026-6090HIGHCVSS 7.0EG 7.02026-06-10
A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.
- CVE-2026-61428HIGHCVSS 7.3EG 7.32026-07-11
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook …
- CVE-2026-6213CRITICALCVSS 10.0EG 10.02026-05-08
A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check and achieve arbitrary code execution as root on the server side. Depending on implementation the vulnerability can be…
- CVE-2026-6762MEDIUMCVSS 6.3EG 6.32026-04-21
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-7422MEDIUMCVSS 6.5EG 6.52026-04-29
Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own r…
- CVE-2026-7507HIGHCVSS 7.5EG 7.52026-05-19
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link.…
- CVE-2026-7656MEDIUMCVSS 6.8EG 6.82026-06-29
The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong…
- CVE-2026-8644CRITICALCVSS 9.1EG 9.12026-06-01
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.
- CVE-2026-8651HIGHCVSS 7.5EG 3.72026-07-08
Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
- CVE-2026-8676HIGHCVSS 8.8EG 8.82026-05-26
An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.
- CVE-2026-8951MEDIUMCVSS 6.5EG 6.52026-05-19
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
- CVE-2026-8960HIGHCVSS 7.5EG 7.52026-05-19
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-8961MEDIUMCVSS 6.5EG 6.52026-05-19
Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Map vulnerabilities like CWE-290 to your infrastructure
EchelonGraph correlates every CVE — across CWE-290 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →