CVE & Exploit Intelligence Database

CVE-2026-30824 EPSS 0.00

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generation endpoints. This issue has been patched in version 3.0.13.

CWE-306 Mar 07, 2026

CVE-2026-25071 EPSS 0.00

XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentication vulnerability in the /switch_config.src endpoint that allows unauthenticated remote attackers to download device configuration files. Attackers can access this endpoint without credentials to retrieve sensitive configuration information including VLAN settings and IP addressing details.

CWE-306 Mar 07, 2026

CVE-2026-30846 1 Writeup EPSS 0.00

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

CWE-200 Mar 06, 2026

CVE-2026-26288 9.4 CRITICAL 1 Writeup EPSS 0.00

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CWE-306 Mar 06, 2026

CVE-2026-2754 7.5 HIGH EPSS 0.00

Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on HTTP API endpoints. An unauthenticated remote attacker with network access to the device can execute HTTP GET requests to TCP port 8080 to retrieve internal network parameters including ECDIS & OT Information, device identifiers, and service status logs.

CWE-306 Mar 06, 2026

CVE-2026-26051 9.4 CRITICAL 1 Writeup EPSS 0.00

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CWE-306 Mar 06, 2026

CVE-2026-27603 EPSS 0.00

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing unauthenticated users to access chart data from any team/project. This issue has been patched in version 4.8.4.

CWE-306 Mar 06, 2026

CVE-2026-22552 9.4 CRITICAL 1 Writeup EPSS 0.00

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CWE-306 Mar 06, 2026

CVE-2026-26125 8.6 HIGH EPSS 0.00

Payment Orchestrator Service Elevation of Privilege Vulnerability

CWE-306 Mar 05, 2026

CVE-2026-29613 5.9 MEDIUM 1 Writeup EPSS 0.00

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.

CWE-306 Mar 05, 2026

CVE-2026-29606 6.5 MEDIUM 1 Writeup EPSS 0.00

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.

CWE-306 Mar 05, 2026

CVE-2026-28485 8.4 HIGH 1 Writeup EPSS 0.00

OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.

CWE-306 Mar 05, 2026

CVE-2026-28472 8.1 HIGH 1 Writeup EPSS 0.00

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

CWE-306 Mar 05, 2026

CVE-2026-28468 7.7 HIGH 1 Writeup EPSS 0.00

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.

CWE-306 Mar 05, 2026

CVE-2026-28458 8.1 HIGH 1 Writeup EPSS 0.00

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.

CWE-306 Mar 05, 2026

CVE-2026-28450 6.8 MEDIUM 1 Writeup EPSS 0.00

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.

CWE-306 Mar 05, 2026

CVE-2026-27944 9.8 CRITICAL EPSS 0.00

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

CWE-306 Mar 05, 2026

CVE-2026-30784 EPSS 0.00

Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: through 1.7.5, through 1.1.15.

CWE-306 Mar 05, 2026

CVE-2026-23767 9.8 CRITICAL EPSS 0.00

ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits commands without encryption or integrity protection.

CWE-306 Mar 05, 2026

CVE-2026-27446 EPSS 0.00

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by either of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

CWE-306 Mar 04, 2026