Authentication-Bypass

vulnerabilities 2026-05-09
Sentry CVE-2026-42354: Incomplete Fix Reopens SAML SSO Account Takeover
Sentry self-hosted is vulnerable again to cross-organization SAML account takeover, three months after CVE-2026-27197 was supposedly patched. Upgrade to 26.4.1.
sentry saml sso cve-2026-42354 incomplete-fix account-takeover authentication-bypass
vulnerability 2026-05-04
MOVEit Automation Hit With CVSS 9.8 Auth Bypass: CVE-2026-4670 Grants Admin Without Credentials
Progress patches a 9.8-severity authentication bypass plus a 7.7 privilege escalation in MOVEit Automation; Airbus reported both, no in-the-wild exploitation yet but the MFT family's track record demands immediate patching.
moveit progress-software cve-2026-4670 cve-2026-5174 authentication-bypass managed-file-transfer airbus
vulnerabilities 2026-04-29
cPanel & WHM CVE-2026-41940: Critical Auth Bypass Triggers Global Hosting Lockdown
An unauthenticated CRLF-injection auth bypass in cPanel & WHM (CVSS 9.8) sent every major hosting provider into emergency port-blocking mode within hours of disclosure. All supported release tracks are affected.
cpanel whm authentication-bypass CVE-2026-41940 web-hosting shared-hosting
vulnerabilities 2026-04-21
Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues
CISA added CVE-2025-32975 — a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance — to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.
quest kace-sma authentication-bypass cisa-kev cve-2025-32975 pre-auth active-exploitation endpoint-management
vulnerabilities 2026-04-16
Two Critical FortiSandbox Flaws Let Unauthenticated Attackers Execute Commands and Bypass Auth
Fortinet discloses CVE-2026-39808 and CVE-2026-39813 — two CVSS 9.1 flaws in FortiSandbox allowing unauthenticated command execution and authentication bypass via crafted HTTP requests.
fortinet fortisandbox cve-2026-39808 cve-2026-39813 command-injection authentication-bypass critical-vulnerability
vulnerabilities 2026-04-05
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server — No Auth Required
Critical 9.8 CVSS flaw in Nginx UI exposes unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
nginx nginx-ui mcp authentication-bypass zero-day cve
Vulnerabilities 2026-04-04
Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 and CVE-2026-2701 Give Attackers Full Server Takeover
Two critical Progress ShareFile flaws chain into a pre-authentication RCE — with ~30,000 Storage Zone Controllers exposed and a public POC now available.
sharefile rce authentication-bypass file-transfer progress cve-2026-2699 cve-2026-2701
vulnerabilities 2026-04-03
Cisco Patches Two 9.8 CVSS Flaws in IMC and Smart Software Manager — No Workarounds Available
Critical authentication bypass in Cisco IMC (CVE-2026-20093) and unauthenticated root RCE in SSM On-Prem (CVE-2026-20160) both score CVSS 9.8. Patch immediately — no workarounds exist.
cisco cve-2026-20093 cve-2026-20094 cve-2026-20160 authentication-bypass rce ucs firmware
2026-04-01
Your Firewall Is the Foothold: Q1 2026's Edge Device Exploitation Epidemic
Three months into 2026, edge devices are the dominant entry point for attackers. A deep dive into the FortiGate SSO bypass and Ivanti EPMM RCE chains, and why this pattern shows no signs of stopping.
network-appliance fortinet ivanti vulnerability edge-device authentication-bypass ransomware cve
vulnerabilities 2026-04-01 Critical
CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited for Three Years Before Disclosure
UAT-8616 abused a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller and Manager since 2023, inserting rogue control-plane peers and escalating to root via a deliberate version-downgrade chain. Cisco disclosed in late February.
cisco sd-wan authentication-bypass zero-day uat-8616 cvss-10 network-security privilege-escalation