CVE-2026-36537

216.73.216.233

· Published 15/06/2026 22:16 · Modified 16/06/2026 15:51 · Author: The MITRE Corporation

Labels: CVE-2026-36537 2026-06-15 CVE-2026-36537 CWE-290 [email protected]

Essential information

Published: 15/06/2026 22:16
Modified: 16/06/2026 15:51
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-290
EPSS (First): P13.6% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00230)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
thingsboard / thingsboard	`cpe:2.3:a:thingsboard:thingsboard:4.3.0.1:::::::*`