Description
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ThingsBoard 4.3.0.1 allows a remote, unauthenticated attacker to bypass authentication during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data in the user parameter of the /login/oauth2/code/ endpoint: the email address inside that JSON object is accepted as the identity to log in. By substituting a victim's email address, an attacker can impersonate any existing user and obtain full access to that account without ever presenting the target's credentials. The result is a complete account takeover, compromising the confidentiality, integrity and availability of the platform for every account on the affected instance.

Affected Systems

The affected product is ThingsBoard, specifically version 4.3.0.1. No additional vendor or product variants are listed.

Risk and Exploitability

The CVSS 3.1 score is 9.8, Critical (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges and no user interaction required. The EPSS score is below 1%, indicating a low predicted probability of exploitation activity, and the vulnerability is not currently listed in the CISA KEV catalog; the SSVC record nonetheless marks exploitation status as 'poc' and the attack as automatable. The attack vector is remote, via the OAuth 2.0 login callback. An attacker only needs to submit a modified request to /login/oauth2/code/ whose user JSON object carries the target's email address; with no validation of the supplied identity data, the application accepts it as a legitimate login and the attacker immediately gains all privileges associated with the target account.
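To make the flaw class concrete, the following Python sketch, added here and not taken from the OpenCVE page or from ThingsBoard's code base, models an OAuth authorization-code callback in the two ways the analysis above contrasts: a flawed handler that, once any valid code has been redeemed, logs in whoever is named in a client-supplied user JSON object (CWE-290), and a hardened handler that takes the identity solely from the identity provider's answer to the server-side code exchange and ignores the user object. The account table, the stand-in identity provider (FakeIdP) and the request dictionaries are constructed for the illustration; nothing here reflects ThingsBoard's actual internals.

```python
"""CWE-290 in an OAuth authorization-code callback: flawed vs. hardened.

Added illustration only. The account table, the stand-in identity
provider (FakeIdP) and the request dictionaries are constructed here;
none of it is ThingsBoard code.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed account store standing in for the platform's users.
ACCOUNTS: Dict[str, dict] = {
    "alice@example.com": {"id": 1, "role": "TENANT_ADMIN"},
    "bob@example.com": {"id": 2, "role": "CUSTOMER_USER"},
}


class AuthError(Exception):
    """Raised when the callback must refuse to establish a session."""


@dataclass
class FakeIdP:
    """Minimal identity provider: issues single-use authorization codes
    bound to the subject who actually authenticated, and reveals that
    subject only through the server-to-server code exchange."""
    _codes: Dict[str, str] = field(default_factory=dict)

    def authorize(self, email: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = email
        return code

    def exchange(self, code: str) -> Optional[dict]:
        email = self._codes.pop(code, None)  # codes are single use
        return None if email is None else {"email": email}


def vulnerable_callback(idp: FakeIdP, query: dict, body: dict) -> dict:
    """Flawed pattern: the code is redeemed, but the session is created
    for whatever email the client placed in the `user` JSON object."""
    if idp.exchange(query.get("code", "")) is None:
        raise AuthError("invalid or reused authorization code")
    email = body.get("user", {}).get("email")  # attacker-controlled
    account = ACCOUNTS.get(email)
    if account is None:
        raise AuthError("no such user")
    return {"email": email, **account}


def hardened_callback(idp: FakeIdP, query: dict, body: dict) -> dict:
    """Hardened pattern: the identity is whatever the IdP asserts for the
    redeemed code; a `user` object in the request is ignored entirely."""
    claims = idp.exchange(query.get("code", ""))
    if claims is None:
        raise AuthError("invalid or reused authorization code")
    email = claims["email"]
    account = ACCOUNTS.get(email)
    if account is None:
        raise AuthError("no such user")
    return {"email": email, **account}


def demo() -> Dict[str, str]:
    """Bob authenticates at the IdP, then swaps alice's email into the
    callback payload. Returns who each handler logged in as, plus what
    happens when the already-redeemed code is replayed."""
    idp = FakeIdP()
    forged_body = {"user": {"email": "alice@example.com"}}
    result: Dict[str, str] = {}

    code = idp.authorize("bob@example.com")
    result["vulnerable"] = vulnerable_callback(idp, {"code": code}, forged_body)["email"]

    code = idp.authorize("bob@example.com")
    result["hardened"] = hardened_callback(idp, {"code": code}, forged_body)["email"]

    try:  # the same code presented a second time must be refused
        hardened_callback(idp, {"code": code}, forged_body)
        result["replay"] = "accepted"
    except AuthError:
        result["replay"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'alice@example.com', 'hardened': 'bob@example.com', 'replay': 'rejected'}
```

The difference between the two handlers is a single line: where the email comes from. Anything the browser can put in the callback request, whether body or query, is attacker-controlled; the only trustworthy statement of who authenticated is the identity provider's response to the code exchange (or the claims of a verified ID token), so that is the only value a session may be built from.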

Generated by OpenCVE AI on June 16, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ThingsBoard to a release in which the OAuth authorization code exchange flaw is corrected, once the vendor publishes one (none is listed at the time of writing)
  • Until then, restrict the /login/oauth2/code/ endpoint to trusted IP addresses or networks, or disable OAuth 2.0 login entirely where it is not required
  • Monitor requests to the OAuth callback for unexpected user parameters (a standard authorization response carries only code and state) and review account activity and audit logs for sign-ins the legitimate user did not perform
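As an added example of the monitoring action above (not part of the OpenCVE page or of ThingsBoard), the Python below scans constructed JSON-lines access log entries for the callback path and raises two findings: any callback request carrying identity data (a user object in the body, or a query parameter beyond code and state, which are all an RFC 6749 authorization response contains), and the same authorization code presented with more than one email address. The log schema (ts, src, method, url, body) and the sample lines are constructed; map the field names onto the proxy that actually fronts the instance, and note that the email-based rules need request bodies to be logged.

```python
"""Detecting identity data on the OAuth authorization-code callback.

Added example, not taken from the OpenCVE page or from ThingsBoard.
The JSON-lines log schema (ts, src, method, url, body) and the sample
entries are constructed; map the field names onto your own proxy logs.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

CALLBACK_PREFIX = "/login/oauth2/code/"
# RFC 6749 section 4.1.2: an authorization response is only code + state
# (or the error fields); anything else on the callback is worth a look.
EXPECTED_PARAMS = {"code", "state"}

# Constructed sample log: one clean callback, two callbacks that present
# the same code with different emails, and an unrelated request.
SAMPLE_LOG = r"""
{"ts":"2026-06-16T10:01:02Z","src":"203.0.113.7","method":"GET","url":"/login/oauth2/code/google?code=AbC123&state=s1","body":""}
{"ts":"2026-06-16T10:02:10Z","src":"198.51.100.9","method":"POST","url":"/login/oauth2/code/google?code=DeF456&state=s2","body":"{\"user\":{\"email\":\"bob@example.com\"}}"}
{"ts":"2026-06-16T10:02:11Z","src":"198.51.100.9","method":"POST","url":"/login/oauth2/code/google?code=DeF456&state=s2","body":"{\"user\":{\"email\":\"tenant@example.com\"}}"}
{"ts":"2026-06-16T10:05:00Z","src":"203.0.113.8","method":"GET","url":"/api/auth/user","body":""}
"""


def email_from_user_json(text: Optional[str]) -> Optional[str]:
    """Return user.email if `text` is a JSON object carrying it, else None."""
    if not text:
        return None
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    user = doc.get("user") if isinstance(doc, dict) else None
    return user.get("email") if isinstance(user, dict) else None


def analyze(lines: Iterable[str]) -> List[dict]:
    """Run both rules over JSON-lines access log entries."""
    findings: List[dict] = []
    emails_by_code: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        parts = urlsplit(ev["url"])
        if not parts.path.startswith(CALLBACK_PREFIX):
            continue
        query = parse_qs(parts.query)
        extra = sorted(set(query) - EXPECTED_PARAMS)
        # The advisory names a `user` JSON object but not where it travels,
        # so look in the body first and then in a `user` query parameter.
        email = email_from_user_json(ev.get("body")) or email_from_user_json(
            (query.get("user") or [None])[0]
        )
        if extra or email is not None:
            findings.append({
                "rule": "identity_data_on_oauth_callback",
                "ts": ev["ts"], "src": ev["src"],
                "email": email, "extra_params": extra,
            })
        code = (query.get("code") or [None])[0]
        if code and email:
            emails_by_code[code].add(email)
    # One authorization code redeemed under two identities is the signature
    # of someone editing the email after a real login completed.
    for code, emails in emails_by_code.items():
        if len(emails) > 1:
            findings.append({
                "rule": "same_code_multiple_identities",
                "code": code, "emails": sorted(emails),
            })
    return findings


def run() -> List[dict]:
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding))
```

On the sample the first rule fires on both POST callbacks and the second fires once for code DeF456; the clean GET callback and the unrelated API request produce nothing. In production, treat any hit on the first rule as worth an immediate look at which account the resulting session belonged to, since a legitimate browser redirect from the identity provider never carries an email address.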


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type          Values Removed   Values Added
Weaknesses                     CWE-290
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Thingsboard
                                      Thingsboard thingsboard
Vendors & Products                    Thingsboard
                                      Thingsboard thingsboard

Mon, 15 Jun 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description                    ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:19:13.554Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36537

Vulnrichment

Updated: 2026-06-16T13:18:37.563Z

NVD

Status : Deferred

Published: 2026-06-15T20:16:25.907

Modified: 2026-06-16T15:51:29.037

Link: CVE-2026-36537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing