ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
The application incorrectly trusts identity data supplied by the user in the 'user' parameter at the /login/oauth2/code/ endpoint. An attacker can manipulate the email address in the JSON object sent to this endpoint by specifying the victim's email address. The platform treats this data as trustworthy and authenticates the attacker as the specified user, bypassing actual identity verification (CWE-290: Authentication Bypass by Spoofing). The attack does not require knowledge of the victim's password, user interaction, or special network configuration.
An attacker gains full access to a selected user account on the ThingsBoard platform, resulting in complete account takeover — including access to data, IoT device configuration, and administrative functions available to the compromised account.
Patches available from the vendor should be applied according to the references. As a temporary measure, consider disabling OAuth2 login or restricting access to the /login/oauth2/code/ endpoint at the firewall/reverse proxy level.
ThingsBoard v4.3.0.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H