CWE-290 · Authentication Bypass by Spoofing
594 CVEs classified under CWE-290 (Authentication Bypass by Spoofing). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-48567 | Critical | 10.0 | 2026-06-04 | Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-39858 | Critical | 10.0 | 2026-04-30 | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerabi… |
| CVE-2025-66570 | Critical | 10.0 | 2025-12-05 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to i… |
| CVE-2023-22814 | Critical | 10.0 | 2023-07-01 | An authentication bypass issue via spoofing was discovered in the token-based authentication mechanism that could allow an attacker to carry out an impersonati… |
| CVE-2023-34157 | Critical | 10.0 | 2023-06-16 | Vulnerability of HwWatchHealth being hijacked. Successful exploitation of this vulnerability may cause repeated pop-up windows of the app. |
| CVE-2022-36331 | Critical | 10.0 | 2023-06-12 | Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthentica… |
| CVE-2022-2310 | Critical | 10.0 | 2022-07-27 | An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release… |
| CVE-2022-29165 | Critical | 10.0 | 2022-05-20 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 a… |
| CVE-2020-7388 | Critical | 10.0 | 2021-07-22 | Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can b… |
| CVE-2020-26276 | Critical | 10.0 | 2020-12-17 | Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutate… |
| CVE-2020-5415 | Critical | 10.0 | 2020-08-12 | Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a… |
| CVE-2026-22797 | Critical | 9.9 | 2026-01-19 | An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. T… |
| CVE-2025-21415 | Critical | 9.9 | 2025-01-29 | Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network. |
| CVE-2024-6678 | Critical | 9.9 | 2024-09-12 | An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 p… |
| CVE-2026-49468 | Critical | 9.8 | 2026-06-22 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0. |
| CVE-2026-36537 | Critical | 9.8 | 2026-06-15 | ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied id… |
| CVE-2026-44649 | Critical | 9.8 | 2026-05-29 | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-… |
| CVE-2026-44183 | Critical | 9.8 | 2026-05-12 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9… |
| CVE-2021-47923 | Critical | 9.8 | 2026-05-10 | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie… |
| CVE-2018-25318 | Critical | 9.8 | 2026-04-29 | Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insu… |