Cyber Resilience

CVE-2026-0650

Critical · Public PoC

Published: 07 January 2026
Modified: 15 April 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: none recorded on this page

CVSS v4.0 base score: 9.3 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0044 (35.0th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-0650 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in OpenFlagr: an authentication bypass in the HTTP middleware's path whitelist. Its CVSS v4.0 base score is 9.3 (Critical): reachable over the network, low attack complexity, no privileges or user interaction required, with high impact on confidentiality, integrity and availability of the vulnerable system.

Operationally, its EPSS score of 0.0044 places it at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Vulnerability details

OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
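The weakness class the description names is a mismatch between the string the authentication middleware inspects and the string the router dispatches on. The Go program below is an added illustration of that pattern and its fix; it is not OpenFlagr's code and does not reproduce this CVE's actual bypass. The route names, the token check and the traversal payloads are hypothetical and constructed for the example. The vulnerable middleware consults an allow-list of unauthenticated route prefixes against the raw request path, while the router normalises the path before matching, so a request like /static/../api/v1/flags passes the allow-list on the raw string and is routed to the protected endpoint. The hardened middleware canonicalises first, refuses any request whose path is not already canonical, and only then applies the allow-list, so every layer decides on the same string.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Hypothetical allow-list of routes served without credentials.
// Illustrative names only, not OpenFlagr's real configuration.
var unauthenticatedPrefixes = []string{"/api/v1/health", "/static/"}

// canonicalPath mirrors the normalisation a router applies before matching:
// collapse "//" and resolve "." and ".." segments, preserving a trailing slash.
func canonicalPath(p string) string {
	if p == "" {
		return "/"
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	cleaned := path.Clean(p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned
}

// allowListed is the shared policy check: true if p starts with an
// unauthenticated prefix. Safe only if p is already canonical.
func allowListed(p string) bool {
	for _, pre := range unauthenticatedPrefixes {
		if strings.HasPrefix(p, pre) {
			return true
		}
	}
	return false
}

// authenticated is a stand-in for the real credential check (constructed token).
func authenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer valid-token"
}

// vulnerableAuth decides on the raw path the client sent, while the router
// below dispatches on the canonical path: two different strings.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if allowListed(r.URL.Path) || authenticated(r) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// hardenedAuth rejects non-canonical paths outright, so the allow-list and
// the router always see the same string; no guessing at client intent.
func hardenedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if canonicalPath(r.URL.Path) != r.URL.Path {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if allowListed(r.URL.Path) || authenticated(r) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// router dispatches on the canonical path, as many routers do.
var router = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	switch canonicalPath(r.URL.Path) {
	case "/api/v1/health":
		fmt.Fprint(w, "ok")
	case "/api/v1/flags": // protected: lists feature flags
		fmt.Fprint(w, `[{"id":1,"key":"new_checkout","enabled":true}]`)
	default:
		http.NotFound(w, r)
	}
})

// probe sends GET rawPath (with an optional bearer token) through mw+router
// and returns the HTTP status code.
func probe(mw func(http.Handler) http.Handler, rawPath, token string) int {
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	mw(router).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, p := range []string{"/static/../api/v1/flags", "/static/..%2Fapi/v1/flags", "/api/v1/flags"} {
		fmt.Printf("%-28s vulnerable=%d hardened=%d\n",
			p, probe(vulnerableAuth, p, ""), probe(hardenedAuth, p, ""))
	}
}
```

Run with go run: the two traversal payloads reach the protected flags endpoint (200) through the vulnerable middleware without credentials and are rejected (400) by the hardened one; the direct request to /api/v1/flags is 401 from both unless the token is present. Note that the percent-encoded variant decodes to the same URL.Path, so checking the decoded path alone is not the fix; deciding on the canonical form and rejecting anything else is.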

CWE(s)

CWE-306: Missing Authentication for Critical Function
CWE-425: Direct Request ('Forced Browsing')

CVEs Like This One

CVE-2025-52024 (shared: CWE-306, CWE-425)
CVE-2022-43110 (shared: CWE-306, CWE-425)
CVE-2026-4810 (shared: CWE-306)
CVE-2025-59695 (shared: CWE-306)
CVE-2025-25224 (shared: CWE-306)
CVE-2023-53968 (shared: CWE-306)
CVE-2026-27843 (shared: CWE-306)
CVE-2025-13030 (shared: CWE-306)
CVE-2026-34731 (shared: CWE-306)
CVE-2025-53847 (shared: CWE-306)

Affected Assets

OpenFlagr (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-306, CWE-425: Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks.

Addresses CWE-306, CWE-425: Decoy implementations of critical functions without authentication lure and record attackers probing for missing authentication checks.

Addresses CWE-306, CWE-425: Blocks unauthorized direct requests or forced browsing by denying input access to non-authorized actors.

Addresses CWE-306: Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.

Addresses CWE-306: Requiring an explicit identification of, and rationale for, every action permitted without authentication forces a review of authentication requirements, so critical functions are not left unprotected.

Addresses CWE-306: Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

Addresses CWE-425: Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths.

Addresses CWE-425: Enforcing access control on all logical requests prevents unauthorized direct access to protected resources.
