CWE-302 · Authentication Bypass by Assumed-Immutable Data
35 CVEs are classified under CWE-302 (Authentication Bypass by Assumed-Immutable Data). The table below lists 20 of them, sorted by score, highest first.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-29813 | Critical | 10.0 | 2025-05-08 | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2024-56404 | Critical | 9.9 | 2025-01-24 | In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installa… |
| CVE-2023-4669 | Critical | 9.8 | 2023-09-14 | Authentication Bypass by Assumed-Immutable Data vulnerability in Exagate SYSGuard 3001 allows Authentication Bypass. This issue affects SYSGuard 3001: before… |
| CVE-2025-47158 | Critical | 9.0 | 2025-07-18 | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-40285 | High | 8.8 | 2026-04-17 | WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usu… |
| CVE-2024-12838 | High | 8.8 | 2024-12-31 | The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regu… |
| CVE-2026-39429 | High | 8.2 | 2026-04-08 | kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server i… |
| CVE-2025-8855 | High | 8.1 | 2025-11-14 | Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vuln… |
| CVE-2025-24876 | High | 8.1 | 2025-02-11 | The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal t… |
| CVE-2024-22179 | High | 7.5 | 2024-04-18 | The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the a… |
| CVE-2024-3741 | High | 7.5 | 2024-04-18 | Electrolink transmitters are vulnerable to an authentication bypass vulnerability affecting the login cookie. An attacker can set an arbitrary value except '… |
| CVE-2024-45370 | High | 7.3 | 2025-12-01 | An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database… |
| CVE-2024-49056 | High | 7.3 | 2024-11-12 | Authentication bypass by assumed-immutable data on airlift.microsoft.com allows an authorized attacker to elevate privileges over a network. |
| CVE-2024-4024 | High | 7.3 | 2024-04-25 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versi… |
| CVE-2022-3875 | High | 7.3 | 2022-12-19 | A vulnerability classified as critical was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This vulnerability affects unknown… |
| CVE-2022-2503 | Medium | 6.9 | 2022-08-12 | Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root f… |
| CVE-2024-8475 | Medium | 6.5 | 2024-12-17 | Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables. This iss… |
| CVE-2026-28510 | Medium | 5.9 | 2026-05-05 | eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication… |
| CVE-2025-43992 | Medium | 5.6 | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an authentication bypass by assumed-immutable data vulnerabi… |
| CVE-2026-34460 | Medium | 5.4 | 2026-06-02 | NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-sid… |
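The common thread in the rows above is a server that treats client-held data (a login cookie, a role field, a user-controlled key) as if only the server could have written it. The following is an added, constructed illustration of that weakness class and its usual fix; it is not code from any of the listed products or advisories, and does not reproduce any specific CVE. The cookie names, the `SECRET_KEY` value and the `demo()` inputs are hypothetical.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Hypothetical server-side key for this constructed example. A real deployment
# loads it from a secret store and never sends it to the client.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def vulnerable_identity(cookies: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """CWE-302 pattern: the server set 'user' and 'role' cookies at login and
    later reads them back as if they were immutable. Any client can rewrite
    them, so a plain 'role=admin' cookie is enough to escalate."""
    user = cookies.get("user")
    role = cookies.get("role", "user")
    if user is None:
        return None
    return user, role


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, role: str, key: bytes = SECRET_KEY) -> str:
    """Hardened form: bind the claims to a server-held key with an HMAC so the
    server can detect any client-side modification of user or role."""
    payload = _b64url(json.dumps({"user": user, "role": role}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verified_identity(cookies: Dict[str, str], key: bytes = SECRET_KEY) -> Optional[Tuple[str, str]]:
    """Accept the session cookie only if its MAC verifies. A missing, malformed
    or tampered cookie yields 'unauthenticated', never a default identity."""
    raw = cookies.get("session")
    if not raw or raw.count(".") != 1:
        return None
    payload, tag = raw.split(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict) or "user" not in claims or "role" not in claims:
        return None
    return claims["user"], claims["role"]


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Constructed inputs: a forged plain cookie pair, a legitimately issued
    session, and that session with the role field rewritten to 'admin'."""
    legit = issue_session("alice", "user")
    forged_payload = _b64url(json.dumps({"user": "alice", "role": "admin"}).encode())
    forged = forged_payload + "." + legit.split(".")[1]
    return {
        "vulnerable_forged": vulnerable_identity({"user": "admin", "role": "admin"}),
        "hardened_legit": verified_identity({"session": legit}),
        "hardened_forged": verified_identity({"session": forged}),
        "hardened_missing": verified_identity({}),
    }
```

Signing the claims is the minimum; it stops the client from altering what the server wrote, but it does not revoke a token or bind it to a session lifetime. Where the table's summaries mention password-reset tokens, OAuth `state` values or database-backed profiles, the same principle applies: the server must verify the value against something only it controls (a MAC, a server-side session record, a stored nonce) rather than trusting that the client returned it unchanged.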