Description
Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.

This issue affects HYPR Passwordless: before 11.1.1.
Published: 2026-06-25
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication flaw in a critical function of HYPR Passwordless on Windows. Attackers can invoke this function without credentials, allowing them to intercept user credentials and potentially gain unauthorized access. The weakness falls under CWE-306, indicating that the application fails to enforce proper authentication checks for a sensitive operation. The impact is significant because it permits credential compromise, which can lead to broader system compromise if the stolen credentials have elevated privileges.

Affected Systems

The affected product is HYPR Passwordless, with vulnerable versions defined only as those prior to 11.1.1. Any installation of the application before this version on Windows machines is subject to the missing authentication issue.

Risk and Exploitability

The CVSS 4.0 score of 6.7 corresponds to Medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. The CVSS vector (AV:L/PR:L/UI:P) indicates that the attacker needs local access with low privileges and that passive user interaction is involved; the flaw itself permits use of a critical feature without authentication. Given the lack of publicly observed exploits, the risk is moderate, but the potential for credential interception remains high for affected users.

Generated by OpenCVE AI on June 25, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HYPR Passwordless to version 11.1.1 or later, which includes authentication for the affected critical function.
  • If an upgrade cannot be performed immediately, disable or remove the vulnerable critical function to prevent unauthenticated use.
  • Implement strict authentication and role‑based access controls on all sensitive operations to ensure that no function can be invoked without proper credentials.

Generated by OpenCVE AI on June 25, 2026 at 16:29 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Missing Authentication in HYPR Passwordless Enables Credentials Interception |

Thu, 25 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 25 Jun 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1. |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV4_0 {'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: HYPR

Published:

Updated: 2026-06-25T16:03:39.669Z

Reserved: 2026-03-20T15:46:30.332Z

Link: CVE-2026-4522

Vulnrichment

Updated: 2026-06-25T16:03:23.028Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Weaknesses

  • CWE-306: Missing Authentication for Critical Function