MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | 描述 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|
| CVE-2026-12112 | A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution. | 7.8 | 无 | 2026-06-23 | 2026-06-23 |
| CVE-2026-54320 | Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and matches an invitation's target email against the email in the caller's token, but the invitation accept and decline paths did not require that email to be verified, unlike organization creation, which al | 8.4 | 0.04% | 2026-06-23 | 2026-06-23 |
| CVE-2026-52845 | Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inj | 8.1 | 0.04% | 2026-06-23 | 2026-06-23 |
| CVE-2026-44961 | The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing. | 0.0 | 无 | 2026-06-23 | 2026-06-23 |
| CVE-2026-34917 | Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably. | 4.3 | 无 | 2026-06-23 | 2026-06-23 |
| CVE-2026-11374 | In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover. | 9.0 | 1.24% | 2026-06-23 | 2026-06-23 |
| CVE-2026-7664 | IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint. | 9.8 | 0.28% | 2026-06-22 | 2026-06-23 |
| CVE-2026-10845 | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications. | 7.3 | 0.36% | 2026-06-22 | 2026-06-23 |
| CVE-2026-12795 | A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 5.5 | 0.39% | 2026-06-21 | 2026-06-23 |
| CVE-2026-12773 | A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation can lead to improper authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | 5.5 | 0.39% | 2026-06-21 | 2026-06-22 |
| CVE-2026-56345 | AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through | 9.2 | 0.29% | 2026-06-20 | 2026-06-23 |
| CVE-2026-56294 | capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials. | 4.3 | 0.17% | 2026-06-20 | 2026-06-22 |
| CVE-2026-56080 | Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication. | 6.9 | 0.30% | 2026-06-19 | 2026-06-22 |
| CVE-2026-50559 | Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37 | 7.5 | 0.25% | 2026-06-19 | 2026-06-23 |
| CVE-2026-45480 | Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. | 10.0 | 0.57% | 2026-06-19 | 2026-06-22 |
| CVE-2026-49872 | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | 5.3 | 0.33% | 2026-06-19 | 2026-06-23 |
| CVE-2026-32174 | Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network. | 7.7 | 0.37% | 2026-06-18 | 2026-06-23 |
| CVE-2026-49454 | Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. The XMLDSig trust boundary was incomplete as :public_key.verify over the exclusive-C14N canonicalized SignedInfo was not performed against the configured IdP certificate's public key, DigestValue was not recomputed over the canonicaliz | 9.1 | 0.14% | 2026-06-18 | 2026-06-23 |
| CVE-2026-11718 | An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (is | 9.3 | 0.20% | 2026-06-18 | 2026-06-22 |
| CVE-2026-11717 | An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != ni | 9.3 | 0.19% | 2026-06-18 | 2026-06-22 |