CVE-2026-36537

EPSS 0.51%
Veröffentlicht 15.06.2026 00:00:00
Zuletzt bearbeitet 16.06.2026 15:51:29
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 0 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.394

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://gist.github.com/KKC73/b9d4efda05693882f1e613c0e0fac78d

https://nvd.nist.gov/vuln/detail/CVE-2026-36537

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-36537

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-36537

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-36537