CVE-2026-36537
CRITICAL · 9.8
Real vuln signal (high CVSS, widespread exposure) but no PoC, patch, or KEV validates weaponization.
What: OAuth authorization code exchange bypass in ThingsBoard v4.3.0.1 allowing authentication bypass (CVSS 9.8).
Why it matters: FOFA scanning reports 14K+ exposed instances detected over the past year, suggesting widespread deployment. The high CVSS score and the authentication-bypass vulnerability class indicate critical impact if exploited, though no KEV listing, vendor advisory, or public PoC has been confirmed yet.
Where it's seen: FOFA-driven threat intel chatter flagging exposed instances; scanning/reconnaissance activity but no reported active exploitation or vendor response visible in provided posts.
RISK: HIGH — CVSS 9.8 auth bypass, 14K+ exposed instances, but no patch or KEV confirmation yet.
Description
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High