CVE-2022-40494

CRITICAL

ehang-io nps 0.19.0-0.26.9 - Authentication Bypass via Auth Key and Timestamp Parameters

Title source: llm

Description

NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://blog.carrot2.cn/2022/08/cve-2022-40494.html

Broken Link

https://github.com/1security/Vulnerability/blob/main/web/nps/1.md

Scores

CVSS v3 9.8

EPSS 0.0156

EPSS Percentile 72.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (1)

ehang-io/nps 0.19.0 - 0.26.10

Published Oct 06, 2022

Tracked Since Feb 18, 2026