Description
Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass.

This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.
Published: 2026-06-12
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an improper restriction of excessive authentication attempts in the Pause+ Mobile App, enabling an attacker to bypass the one‑time password (OTP) verification process. Exploitation lets an unauthorized user gain access to a target account without submitting a valid OTP, thereby compromising account confidentiality and potentially revealing sensitive user data or transactional information. The flaw corresponds to CWE‑307 and is quantified with a CVSS score of 9.8, indicating a critical potential for exploitation.

Affected Systems

Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. has identified the Pause+ Mobile App as affected. Any deployment of the app from version 1.0.6 up to, but not including, 1.5 is vulnerable. Versions prior to 1.0.6 are assumed secure, and 1.5 or newer contain the fix.

Risk and Exploitability

The CVSS score of 9.8 marks this issue as a high‑severity authentication bypass that could be leveraged remotely via the app’s authentication API. While EPSS data is not available, the lack of an EPSS score does not diminish the risk; the flaw is actively disclosed in a security advisory and is not cataloged in the CISA KEV list. Attackers can trigger the bypass by sending crafted authentication requests that reset or ignore OTP checks, thereby achieving privileged access without further authorization.

Generated by OpenCVE AI on June 12, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pause+ Mobile App to version 1.5 or later, which contains the vendor‑supplied OTP verification fix.
  • Implement strict rate limiting on authentication attempts to prevent brute‑force or threshold‑reset attacks.
  • Validate that the OTP mechanism is enforced server‑side and cannot be bypassed by client‑side manipulation.

Generated by OpenCVE AI on June 12, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Basbelen Group
Basbelen Group pause+ Mobile App
Vendors & Products Basbelen Group
Basbelen Group pause+ Mobile App

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.
Title OTP Bypass in Başbelen Group's Pause+ Mobile App
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Basbelen Group Pause+ Mobile App
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-06-12T15:21:04.399Z

Reserved: 2026-04-22T12:02:04.280Z

Link: CVE-2026-6853

cve-icon Vulnrichment

Updated: 2026-06-12T15:20:49.449Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T15:16:32.160

Modified: 2026-06-12T15:51:52.407

Link: CVE-2026-6853

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:20:19Z

Weaknesses
  • CWE-307

    Improper Restriction of Excessive Authentication Attempts