CWE-288

Authentication Bypass Using an Alternate Path or Channel

Parent: CWE-306 - Missing Authentication for Critical Function

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

521 vulnerabilities with CWE-288
CVE-2026-34040 HIGH
Moby: AuthZ plugin bypass with oversized request body
CVSS 8.8
CVE-2026-32678 HIGH
Buffalo Inc. Buffalo Wi-fi Router Products - Authentication Bypass
CVSS 7.5
CVE-2026-3531 MEDIUM
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
CVSS 6.5
CVE-2026-2745 MEDIUM
Authentication Bypass Using an Alternate Path or Channel in GitLab
CVSS 6.8
CVE-2026-27049 CRITICAL
WordPress Jobica Core plugin <= 1.4.2 - Account Takeover vulnerability
CVSS 9.8
CVE-2026-25406 HIGH
WordPress Tutor LMS Pro plugin <= 3.9.4 - Broken Authentication vulnerability
CVSS 8.1
CVE-2026-25357 HIGH
WordPress Ultimate Membership Pro plugin <= 13.7 - Account Takeover vulnerability
CVSS 8.1
CVE-2026-25035 CRITICAL
WordPress Contest Gallery plugin <= 28.1.2.2 - Account Takeover vulnerability
CVSS 9.8
CVE-2026-25002 HIGH
WordPress LearnPress – Sepay Payment plugin <= 4.0.0 - Broken Authentication vulnerability
CVSS 7.5
CVE-2026-24359 HIGH
WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability
CVSS 8.8
CVE-2026-3214 MEDIUM
CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
CVSS 6.5
CVE-2026-1917 MEDIUM
Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
CVSS 4.3
CVE-2026-33315 MEDIUM
Vikunja has a 2FA Bypass via Caldav Basic Auth
CVSS 4.3
CVE-2026-4700 CRITICAL
Mitigation bypass in the Networking: HTTP component
CVSS 9.8
CVE-2026-23480 HIGH
Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
CVSS 8.8
CVE-2026-22733 HIGH
Authentication Bypass under Actuator CloudFoundry endpoints
CVSS 8.2
CVE-2026-22731 HIGH
Authentication Bypass under Actuator Health groups paths
CVSS 8.2
CVE-2026-32031 MEDIUM
OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway
CVSS 4.8
CVE-2026-32004 MEDIUM
OpenClaw < 2026.3.2 - Authentication Bypass via Encoded Path in /api/channels Route
CVSS 6.5
CVE-2026-25471 HIGH
WordPress Admin Safety Guard plugin <= 1.2.6 - Broken Authentication vulnerability
CVSS 8.1
CVE-2026-3930 MEDIUM
Google Chrome iOS <146.0.7680.71 - Auth Bypass
CVSS 5.3
CVE-2026-32130 HIGH
ZITADEL 2.68.0-3.4.7/4.12.0-4.12.1 - Auth Bypass
CVSS 7.5
CVE-2026-0602 MEDIUM
GitLab CE/EE - Info Disclosure
CVSS 4.3
CVE-2026-27842 CRITICAL
MR-GM5L-S1 & MR-GM5A-L1 - Auth Bypass
CVSS 9.8
CVE-2026-26117 HIGH
Azure Windows Virtual Machine Agent - Privilege Escalation
CVSS 7.8