CWE-302(Authentication Bypass by Assumed-Immutable Data)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | Web Based | Sometimes | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-48781 | 2026-06-17 | Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_S… |
| CVE-2026-34460 | 2026-06-02 | NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization cod… |
| CVE-2025-43992 | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthenticat… |
| CVE-2026-28510 | 2026-05-05 | eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under … |
| CVE-2026-40285 | 2026-04-17 | WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the sessio… |
| CVE-2026-39429 | 2026-04-08 | kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.30.3 and 0.29.3, the cache server is directly exposed by the root shard and … |
| CVE-2026-27840 | 2026-02-26 | ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are sti… |
| CVE-2024-45370 | 2025-12-01 | An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. A… |
| CVE-2025-63210 | 2025-11-19 | The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted respon… |
| CVE-2025-8855 | 2025-11-14 | Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage A… |
| CVE-2025-47158 | 2025-07-18 | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-20285 | 2025-07-16 | A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device f… |
| CVE-2025-46647 | 2025-07-02 | A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection … |
| CVE-2025-29813 | 2025-05-08 | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-26522 | 2025-02-14 | This vulnerability exists in RupeeWeb trading platform due to improper implementation of OTP validation mechanism in certain API endpoints. A remote attacker with valid credentials could exploit this … |
| CVE-2025-24876 | 2025-02-11 | The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting mal… |
| CVE-2024-56404 | 2025-01-24 | In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected. |
| CVE-2024-12838 | 2024-12-31 | The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request … |
| CVE-2024-43441 | 2024-12-24 | Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to ver… |
| CVE-2024-8475 | 2024-12-17 | Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables. This issue affects WiFiBurada: before 1.0.5. |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | 1.0 | — | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Taxonomy_Mappings |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Demonstrative_Examples, Description |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Potential_Mitigations, Relationships |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Related_Attack_Patterns |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships, Taxonomy_Mappings |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Demonstrative_Examples, Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Demonstrative_Examples |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Type |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |