CWE-294— Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).— MITRE CWE catalog
234 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-294page 5 of 5
- CVE-2026-1743LOWCVSS 3.1EG 3.12026-02-02
A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass …
- CVE-2026-20779HIGHCVSS 7.1EG 7.12026-07-03
Gitea versions from 1.5.0 before 1.26.3 have a TOTP single-use enforcement defect that allows a valid TOTP code to be accepted more than once across web two-factor authentication flows and the Basic Auth X-Gitea-OTP path.
- CVE-2026-24027MEDIUMCVSS 5.3EG 5.32026-02-09
Crafted zones can lead to increased incoming network traffic.
- CVE-2026-2540HIGHCVSS 8.4EG 8.42026-02-15
The Micca KE700 system contains flawed resynchronization logic and is vulnerable to replay attacks. This attack requires sending two previously captured codes in a specific sequence. As a result, the system can be forced to accept previous…
- CVE-2026-26232CRITICALCVSS 9.1EG 9.12026-07-03
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
- CVE-2026-27855MEDIUMCVSS 6.8EG 6.82026-03-27
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to obser…
- CVE-2026-28449MEDIUMCVSS 6.5EG 6.52026-03-19
OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook r…
- CVE-2026-28564CRITICALCVSS 9.8EG 0.02026-07-10
Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are reco…
- CVE-2026-30080HIGHCVSS 7.5EG 7.52026-04-08
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterfa…
- CVE-2026-30789CRITICALCVSS 9.8EG 9.82026-03-05
Use of Password Hash With Insufficient Computational Effort, Improper Restriction of Excessive Authentication Attempts vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, p…
- CVE-2026-32053MEDIUMCVSS 6.5EG 6.52026-03-21
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio web…
- CVE-2026-32987CRITICALCVSS 9.8EG 9.82026-03-29
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairi…
- CVE-2026-34021HIGHCVSS 8.6EG 8.62026-06-15
The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path b…
- CVE-2026-35618MEDIUMCVSS 6.5EG 6.52026-04-09
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full …
- CVE-2026-37982MEDIUMCVSS 6.8EG 6.82026-05-19
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an a…
- CVE-2026-41000LOWCVSS 3.7EG 3.72026-06-11
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements,…
- CVE-2026-41351MEDIUMCVSS 5.3EG 5.32026-04-23
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass …
- CVE-2026-42602HIGHCVSS 8.1EG 8.12026-05-13
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configur…
- CVE-2026-44946HIGHCVSS 7.4EG 7.42026-06-30
A SAML authentication replay vulnerability in Rancher's Assertion Consumer Service (ACS) handler did not enforce one-time use of SAML assertion, potentially allowing person in the middle attacks against Rancher, affecting Rancher 2.14.0 …
- CVE-2026-46538MEDIUMCVSS 5.9EG 5.92026-05-27
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END me…
- CVE-2026-47341MEDIUMCVSS 6.5EG 6.52026-06-19
Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.…
- CVE-2026-49319MEDIUMCVSS 6.5EG 6.52026-06-25
Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authentication. An attacker within RF range who …
- CVE-2026-49322MEDIUMCVSS 4.3EG 4.32026-05-29
Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by pass…
- CVE-2026-51597CRITICALCVSS 9.1EG 0.02026-07-09
MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response va…
- CVE-2026-54779MEDIUMCVSS 5.9EG 5.92026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token replay protection is inoperative because DefaultTokenReplayCache.TryAdd does not reject duplicate to…
- CVE-2026-54783HIGHCVSS 7.4EG 7.42026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security endorsing and supporting signature verification does not ensure the selected ds:Signature covers th…
- CVE-2026-55370MEDIUMCVSS 6.4EG 6.42026-07-10
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window becau…
- CVE-2026-55759HIGHCVSS 7.4EG 7.42026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any…
- CVE-2026-56130LOWCVSS 2.0EG 2.02026-06-25
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro ve…
- CVE-2026-57574HIGHCVSS 7.4EG 7.42026-07-10
Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a vulnerability in Time-based One-Time Password (TOTP) authentication in UserAuthService where insufficient validation of used tokens allows th…
- CVE-2026-7168MEDIUMCVSS 5.3EG 5.32026-05-13
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wron…
- CVE-2026-8927CRITICALCVSS 9.1EG 9.12026-07-03
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against …
- CVE-2026-9095HIGHCVSS 8.1EG 8.12026-05-28
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. …
- CVE-2026-9398LOWCVSS 3.1EG 3.12026-05-24
A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be car…
Map vulnerabilities like CWE-294 to your infrastructure
EchelonGraph correlates every CVE — across CWE-294 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →