CRITICAL🇵🇱 Wersja polska

CVE-2026-36537

CVSS 9.8pub. 2026-06-15upd. 2026-06-16

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

🤖 AI Analysis
How it works

The application incorrectly trusts identity data supplied by the user in the 'user' parameter at the /login/oauth2/code/ endpoint. An attacker can manipulate the email address in the JSON object sent to this endpoint by specifying the victim's email address. The platform treats this data as trustworthy and authenticates the attacker as the specified user, bypassing actual identity verification (CWE-290: Authentication Bypass by Spoofing). The attack does not require knowledge of the victim's password, user interaction, or special network configuration.

Impact

An attacker gains full access to a selected user account on the ThingsBoard platform, resulting in complete account takeover — including access to data, IoT device configuration, and administrative functions available to the compromised account.

Mitigation & patch

Patches available from the vendor should be applied according to the references. As a temporary measure, consider disabling OAuth2 login or restricting access to the /login/oauth2/code/ endpoint at the firewall/reverse proxy level.

Who is affected

ThingsBoard v4.3.0.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References