CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
900 vulnerabilities reference this CWE, most recent first.
GHSA-QPCC-RCR6-2CJ9
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2018-19021"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-25T20:29:00Z",
"severity": "MODERATE"
},
"details": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.",
"id": "GHSA-qpcc-rcr6-2cj9",
"modified": "2022-05-13T01:33:36Z",
"published": "2022-05-13T01:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19021"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106522"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRRF-XVCF-P64Q
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:45In usememos/memos 0.9.0 and prior, an attacker can delete other users' posts via post id, which can be done via brute force.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4797"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:53:10Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "In usememos/memos 0.9.0 and prior, an attacker can delete other users\u0027 posts via post id, which can be done via brute force.",
"id": "GHSA-qrrf-xvcf-p64q",
"modified": "2023-01-10T15:45:39Z",
"published": "2022-12-28T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4797"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/5233f76f-016b-4c65-b019-2c5d27802a1b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos vulnerable Improper Restriction of Excessive Authentication Attempts "
}
GHSA-QVQX-7F9M-R2GQ
Vulnerability from github – Published: 2025-11-21 03:31 – Updated: 2025-12-23 03:30EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.
{
"affected": [],
"aliases": [
"CVE-2025-64310"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-21T03:16:10Z",
"severity": "CRITICAL"
},
"details": "EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user\u0027s password may be identified through a brute force attack.",
"id": "GHSA-qvqx-7f9m-r2gq",
"modified": "2025-12-23T03:30:18Z",
"published": "2025-11-21T03:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64310"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU95021911"
},
{
"type": "WEB",
"url": "https://www.epson.co.uk/en_GB/faq/KA-02041/contents?loc=en-us"
},
{
"type": "WEB",
"url": "https://www.epson.jp/support/misc_t/251120_oshirase.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QW3C-Q5MW-R893
Vulnerability from github – Published: 2024-08-02 21:31 – Updated: 2024-08-07 18:30An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform a Password Brute Forcing attack due to improper restriction of excessive authentication attempts.
{
"affected": [],
"aliases": [
"CVE-2024-38888"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T20:17:00Z",
"severity": "HIGH"
},
"details": "An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform a Password Brute Forcing attack due to improper restriction of excessive authentication attempts.",
"id": "GHSA-qw3c-q5mw-r893",
"modified": "2024-08-07T18:30:41Z",
"published": "2024-08-02T21:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38888"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/179892/Caterease-Software-SQL-Injection-Command-Injection-Bypass.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.273372"
},
{
"type": "WEB",
"url": "http://caterease.com"
},
{
"type": "WEB",
"url": "http://horizon.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QWCH-JRH6-94WH
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31An improper restriction of excessive authentication attempts vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4 all versions, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7, FortiAnalyzer Cloud 7.2.1 through 7.2.10, FortiAnalyzer Cloud 7.0.1 through 7.0.14, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4 all versions, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiManager Cloud 7.6.2 through 7.6.3, FortiManager Cloud 7.4.1 through 7.4.7, FortiManager Cloud 7.2.1 through 7.2.10, FortiManager Cloud 7.0.1 through 7.0.14, FortiManager Cloud 6.4 all versions may allow an attacker to bypass bruteforce protections via exploitation of race conditions. The latter raises the complexity of practical exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-22629"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:12Z",
"severity": "LOW"
},
"details": "An improper restriction of excessive authentication attempts vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4 all versions, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer Cloud 7.6.2, FortiAnalyzer Cloud 7.4.1 through 7.4.7, FortiAnalyzer Cloud 7.2.1 through 7.2.10, FortiAnalyzer Cloud 7.0.1 through 7.0.14, FortiAnalyzer Cloud 6.4 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4 all versions, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiManager Cloud 7.6.2 through 7.6.3, FortiManager Cloud 7.4.1 through 7.4.7, FortiManager Cloud 7.2.1 through 7.2.10, FortiManager Cloud 7.0.1 through 7.0.14, FortiManager Cloud 6.4 all versions may allow an attacker to bypass bruteforce protections via exploitation of race conditions. The latter raises the complexity of practical exploitation.",
"id": "GHSA-qwch-jrh6-94wh",
"modified": "2026-03-10T18:31:19Z",
"published": "2026-03-10T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22629"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R4C2-GQ3J-7RPJ
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-18 00:45Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vcx4-4qxg-mfp4. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.3.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-18T00:45:07Z",
"nvd_published_at": "2026-04-09T22:16:31Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-vcx4-4qxg-mfp4. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.",
"id": "GHSA-r4c2-gq3j-7rpj",
"modified": "2026-04-18T00:45:07Z",
"published": "2026-04-10T00:30:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35628"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret",
"withdrawn": "2026-04-18T00:45:07Z"
}
GHSA-R4QC-5J5J-254J
Vulnerability from github – Published: 2022-05-17 02:58 – Updated: 2022-05-17 02:58An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. An attacker can freely use brute force to determine parameters needed to bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2016-9366"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T21:59:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series \u0026 NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. An attacker can freely use brute force to determine parameters needed to bypass authentication.",
"id": "GHSA-r4qc-5j5j-254j",
"modified": "2022-05-17T02:58:46Z",
"published": "2022-05-17T02:58:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9366"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/85965"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R4V7-6WCG-GHJ5
Vulnerability from github – Published: 2026-06-25 18:18 – Updated: 2026-06-25 18:18Summary
The /api/auth/login endpoint does not implement rate limiting, account lockout, or progressive backoff for repeated authentication failures. As a result, an attacker can perform unlimited login attempts against the endpoint. When combined with the username enumeration timing vulnerability, valid accounts can be identified and then brute-forced without restriction. The risk is further increased by a weak default password policy that only enforces a minimum length of five characters.
Details
The authentication endpoint /api/auth/login does not enforce any form of rate limiting, account lockout, or progressive backoff for repeated failed login attempts. Testing confirmed that the endpoint accepts an unlimited number of authentication attempts from the same client without delay or restriction.
This allows attackers to repeatedly attempt password guesses against valid usernames.
Secure authentication systems typically enforce request throttling, temporary account lockout, or progressive delays after repeated failed login attempts to mitigate brute-force attacks.
$ python rate-limit-probe.py
[*] Probing http://localhost/api/auth/login for rate limiting, lockout, and backoff behavior...
Attempt 10: status=401, latency=0.0411s
Attempt 20: status=401, latency=0.0411s
Attempt 30: status=401, latency=0.0402s
Attempt 40: status=401, latency=0.0420s
Attempt 50: status=401, latency=0.0403s
Attempt 60: status=401, latency=0.0423s
Attempt 70: status=401, latency=0.0474s
Attempt 80: status=401, latency=0.0417s
Attempt 90: status=401, latency=0.0407s
Attempt 100: status=401, latency=0.0407s
--- CONCRETE EVIDENCE ---
Attempts completed: 100
Total runtime: 4.17s
Average request rate: 23.98 req/sec
Unique status codes: [401]
Average time (first 5): 0.0447s
Average time (last 5): 0.0408s
Latency delta: -0.0038s
[RESULT] No HTTP 429 responses observed.
[RESULT] No progressive backoff detected: response timing remained effectively constant.
Additional Context
Password validation is implemented in backend/database/storage/bolt/user.go via checkPassword(), which only verifies that the supplied password length is greater than or equal to settings.Config.Auth.Methods.PasswordAuth.MinLength. In backend/common/settings/auth.go, the PasswordAuthConfig documents the default value of MinLength as 5. No additional complexity requirements, such as uppercase, lowercase, numeric, or special character checks, were identified in this code path.
PoC
The script below demonstrates the lack of rate limiting by performing a high volume automated authentication test. The script sends sequential login requests and monitors for HTTP 429 (Too Many Requests) status codes.
import requests
import time
import statistics
URL = "http://localhost/api/auth/login"
USERNAME = "admin"
PASSWORD = "wrong-password"
MAX_ATTEMPTS = 100
TIMEOUT = 10
latencies = []
statuses = []
print(f"[*] Probing {URL} for rate limiting, lockout, and backoff behavior...")
start_total = time.time()
for i in range(1, MAX_ATTEMPTS + 1):
start = time.perf_counter()
resp = requests.post(
URL,
params={"username": USERNAME, "recaptcha": ""},
headers={"X-Password": PASSWORD},
timeout=TIMEOUT
)
duration = time.perf_counter() - start
latencies.append(duration)
statuses.append(resp.status_code)
if resp.status_code == 429:
print(f"[!] Rate limit detected at attempt {i} (HTTP 429)")
break
if i % 10 == 0:
print(f" Attempt {i:3}: status={resp.status_code}, latency={duration:.4f}s")
end_total = time.time()
attempts_completed = len(latencies)
print("\n--- CONCRETE EVIDENCE ---")
first_five_avg = statistics.mean(latencies[:5]) if attempts_completed >= 5 else statistics.mean(latencies)
last_five_avg = statistics.mean(latencies[-5:]) if attempts_completed >= 5 else statistics.mean(latencies)
latency_delta = last_five_avg - first_five_avg
print(f"Attempts completed: {attempts_completed}")
print(f"Total runtime: {end_total - start_total:.2f}s")
print(f"Average request rate: {attempts_completed / (end_total - start_total):.2f} req/sec")
print(f"Unique status codes: {sorted(set(statuses))}")
print(f"Average time (first 5): {first_five_avg:.4f}s")
print(f"Average time (last 5): {last_five_avg:.4f}s")
print(f"Latency delta: {latency_delta:+.4f}s")
if 429 not in statuses:
print("[RESULT] No HTTP 429 responses observed.")
if abs(latency_delta) < 0.05:
print("[RESULT] No progressive backoff detected: response timing remained effectively constant.")
else:
print("[RESULT] Latency variation detected: investigate possible throttling or environmental noise.")
Impact
An attacker can perform unlimited authentication attempts against valid usernames. When combined with the username enumeration timing vulnerability, this enables targeted brute-force attacks against user accounts and increases the likelihood of credential compromise.
Please let me know if you need any additional information or clarification. I'm happy to assist with testing or validating a fix.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gtsteffaniak/filebrowser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260522161427-fa5abc8c67f3a"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T18:18:12Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe `/api/auth/login` endpoint does not implement rate limiting, account lockout, or progressive backoff for repeated authentication failures. As a result, an attacker can perform unlimited login attempts against the endpoint. When combined with the username enumeration timing vulnerability, valid accounts can be identified and then brute-forced without restriction. The risk is further increased by a weak default password policy that only enforces a minimum length of five characters.\n\n\n### Details\nThe authentication endpoint `/api/auth/login` does not enforce any form of rate limiting, account lockout, or progressive backoff for repeated failed login attempts. Testing confirmed that the endpoint accepts an unlimited number of authentication attempts from the same client without delay or restriction.\n\nThis allows attackers to repeatedly attempt password guesses against valid usernames.\n\nSecure authentication systems typically enforce request throttling, temporary account lockout, or progressive delays after repeated failed login attempts to mitigate brute-force attacks.\n```\n$ python rate-limit-probe.py\n[*] Probing http://localhost/api/auth/login for rate limiting, lockout, and backoff behavior...\n Attempt 10: status=401, latency=0.0411s\n Attempt 20: status=401, latency=0.0411s\n Attempt 30: status=401, latency=0.0402s\n Attempt 40: status=401, latency=0.0420s\n Attempt 50: status=401, latency=0.0403s\n Attempt 60: status=401, latency=0.0423s\n Attempt 70: status=401, latency=0.0474s\n Attempt 80: status=401, latency=0.0417s\n Attempt 90: status=401, latency=0.0407s\n Attempt 100: status=401, latency=0.0407s\n\n--- CONCRETE EVIDENCE ---\nAttempts completed: 100\nTotal runtime: 4.17s\nAverage request rate: 23.98 req/sec\nUnique status codes: [401]\nAverage time (first 5): 0.0447s\nAverage time (last 5): 0.0408s\nLatency delta: -0.0038s\n[RESULT] No HTTP 429 responses observed.\n[RESULT] No progressive backoff detected: response timing remained effectively constant.\n```\n#### Additional Context\nPassword validation is implemented in `backend/database/storage/bolt/user.go` via `checkPassword()`, which only verifies that the supplied password length is greater than or equal to settings.Config.Auth.Methods.PasswordAuth.MinLength. In `backend/common/settings/auth.go`, the PasswordAuthConfig documents the default value of MinLength as 5. No additional complexity requirements, such as uppercase, lowercase, numeric, or special character checks, were identified in this code path.\n\n### PoC\nThe script below demonstrates the lack of rate limiting by performing a high volume automated authentication test. The script sends sequential login requests and monitors for HTTP 429 (Too Many Requests) status codes. \n\n```\nimport requests\nimport time\nimport statistics\n\nURL = \"http://localhost/api/auth/login\"\nUSERNAME = \"admin\"\nPASSWORD = \"wrong-password\"\nMAX_ATTEMPTS = 100\nTIMEOUT = 10\n\nlatencies = []\nstatuses = []\n\nprint(f\"[*] Probing {URL} for rate limiting, lockout, and backoff behavior...\")\n\nstart_total = time.time()\n\nfor i in range(1, MAX_ATTEMPTS + 1):\n start = time.perf_counter()\n\n resp = requests.post(\n URL,\n params={\"username\": USERNAME, \"recaptcha\": \"\"},\n headers={\"X-Password\": PASSWORD},\n timeout=TIMEOUT\n )\n\n duration = time.perf_counter() - start\n latencies.append(duration)\n statuses.append(resp.status_code)\n\n if resp.status_code == 429:\n print(f\"[!] Rate limit detected at attempt {i} (HTTP 429)\")\n break\n\n if i % 10 == 0:\n print(f\" Attempt {i:3}: status={resp.status_code}, latency={duration:.4f}s\")\n\nend_total = time.time()\nattempts_completed = len(latencies)\n\nprint(\"\\n--- CONCRETE EVIDENCE ---\")\n\nfirst_five_avg = statistics.mean(latencies[:5]) if attempts_completed \u003e= 5 else statistics.mean(latencies)\nlast_five_avg = statistics.mean(latencies[-5:]) if attempts_completed \u003e= 5 else statistics.mean(latencies)\nlatency_delta = last_five_avg - first_five_avg\n\nprint(f\"Attempts completed: {attempts_completed}\")\nprint(f\"Total runtime: {end_total - start_total:.2f}s\")\nprint(f\"Average request rate: {attempts_completed / (end_total - start_total):.2f} req/sec\")\nprint(f\"Unique status codes: {sorted(set(statuses))}\")\nprint(f\"Average time (first 5): {first_five_avg:.4f}s\")\nprint(f\"Average time (last 5): {last_five_avg:.4f}s\")\nprint(f\"Latency delta: {latency_delta:+.4f}s\")\n\nif 429 not in statuses:\n print(\"[RESULT] No HTTP 429 responses observed.\")\n\nif abs(latency_delta) \u003c 0.05:\n print(\"[RESULT] No progressive backoff detected: response timing remained effectively constant.\")\nelse:\n print(\"[RESULT] Latency variation detected: investigate possible throttling or environmental noise.\")\n``` \n\n### Impact\nAn attacker can perform unlimited authentication attempts against valid usernames. When combined with the username enumeration timing vulnerability, this enables targeted brute-force attacks against user accounts and increases the likelihood of credential compromise.\n\n\n\nPlease let me know if you need any additional information or clarification.\nI\u0027m happy to assist with testing or validating a fix.",
"id": "GHSA-r4v7-6wcg-ghj5",
"modified": "2026-06-25T18:18:12Z",
"published": "2026-06-25T18:18:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/security/advisories/GHSA-r4v7-6wcg-ghj5"
},
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/pull/2485"
},
{
"type": "WEB",
"url": "https://github.com/gtsteffaniak/filebrowser/commit/fa5abc8c67f3a66ce76e358a3c57981750c76a23"
},
{
"type": "PACKAGE",
"url": "https://github.com/gtsteffaniak/filebrowser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks"
}
GHSA-R564-8356-Q3FH
Vulnerability from github – Published: 2025-06-12 15:31 – Updated: 2026-01-26 21:30The FTP server’s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.
{
"affected": [],
"aliases": [
"CVE-2025-49195"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T15:15:39Z",
"severity": "MODERATE"
},
"details": "The FTP server\u2019s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.",
"id": "GHSA-r564-8356-q3fh",
"modified": "2026-01-26T21:30:30Z",
"published": "2025-06-12T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49195"
},
{
"type": "WEB",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R73W-7GWW-PR94
Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2026-06-01 15:30Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials.
{
"affected": [],
"aliases": [
"CVE-2023-35697"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T16:15:52Z",
"severity": "HIGH"
},
"details": "Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4\ncould allow a remote attacker to brute-force user credentials.",
"id": "GHSA-r73w-7gww-pr94",
"modified": "2026-06-01T15:30:31Z",
"published": "2023-07-10T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35697"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.