CWE-288

Authentication Bypass Using an Alternate Path or Channel

Parent: CWE-306 - Missing Authentication for Critical Function

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

568 vulnerabilities with CWE-288
CVE-2026-40582 CRITICAL
ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout
CVE-2026-3605 HIGH
Vault KVv2 Metadata and Secret Deletion Policy Bypass Denial-of-Service
CVSS 8.1
CVE-2026-3324 HIGH
ManageEngine Log360 13000-13013 - Authentication Bypass via Improper Filter Configuration
CVSS 8.2
CVE-2026-3461 CRITICAL
Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email
CVSS 9.8
CVE-2026-35664 MEDIUM
OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks
CVSS 5.3
CVE-2026-35661 MEDIUM
OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass
CVSS 5.3
CVE-2026-35654 MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke
CVSS 5.3
CVE-2026-35647 MEDIUM
OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices
CVSS 5.3
CVE-2026-35642 MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass
CVSS 4.3
CVE-2026-35634 MEDIUM
OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway
CVSS 5.1
CVE-2026-31271 CRITICAL
megagao production_ssm 1.0 - Auth Bypass
CVSS 9.8
CVE-2026-30079 CRITICAL
OpenAirInterface V2.2.0 AMF - Auth Bypass
CVSS 9.8
CVE-2026-31151 CRITICAL
Kaleris Yard Management Solutions 7.2.2.1 - Authentication Bypass via Login Mechanism
CVSS 9.8
CVE-2026-5557 MEDIUM
badlogic pi-mono pi-mom Slack Bot slack.ts authentication bypass
CVSS 6.3
CVE-2026-34581 HIGH
goshs has Auth Bypass via Share Token
CVSS 8.1
CVE-2026-33950 CRITICAL
signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
CVSS 9.4
CVE-2026-29139 CRITICAL
SEPPmail Secure Email Gateway - GINA State Confusion Account Takeover
CVSS 9.8
CVE-2026-34372 LOW
Sulu checks fix permissions for subentities endpoints
CVSS 2.7
CVE-2026-34040 HIGH
Moby: AuthZ plugin bypass with oversized request body
CVSS 8.8
CVE-2026-32678 HIGH
BUFFALO Wi-Fi router products - Unauthenticated Authentication Bypass
CVSS 7.5
CVE-2026-3531 MEDIUM
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
CVSS 6.5
CVE-2026-2745 MEDIUM
Authentication Bypass Using an Alternate Path or Channel in GitLab
CVSS 6.8
CVE-2026-27049 CRITICAL
WordPress Jobica Core plugin <= 1.4.2 - Account Takeover vulnerability
CVSS 9.8
CVE-2026-25406 HIGH
WordPress Tutor LMS Pro plugin <= 3.9.4 - Broken Authentication vulnerability
CVSS 8.1
CVE-2026-25357 HIGH
WordPress Ultimate Membership Pro plugin <= 13.7 - Account Takeover vulnerability
CVSS 8.1