Authentication Bypass in ThingsBoard v4.3.0.1
CVE-2026-36537

9.8 CRITICAL

Key Information:

Vendor
CVE Published:
15 June 2026

What is CVE-2026-36537?

ThingsBoard v4.3.0.1 is susceptible to an authentication bypass during the OAuth authorization code exchange process. The application incorrectly trusts user-supplied data received in the user parameter at the /login/oauth2/code/ endpoint. Because that JSON object is accepted as the authenticated identity, a remote attacker can change the email address inside it and be logged in as any user account on the platform without that user's credentials. The result is a complete compromise of user accounts.
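The failure pattern described above, illustrated with an added Python example that is not ThingsBoard's code: a constructed OAuth2 callback handler that accepts a client-supplied user object as the login identity, beside a hardened handler that takes the identity only from the provider's back-channel code exchange and flags any mismatching client-supplied object for the security log. The simulated provider, the user store, the request shapes and all function names are assumptions made for this example.

```python
"""
Added illustration (not ThingsBoard code): an OAuth2 authorization-code
callback must derive the authenticated identity from the identity provider's
token exchange, never from a 'user' object the browser sends along.
The provider, user store and requests below are all constructed.
"""
import json

# Constructed stand-in for the identity provider: one-time authorization
# codes mapped to the identity the provider itself vouches for.
PROVIDER_CODES = {
    "code-alice-1": {"email": "alice@example.com"},
    "code-alice-2": {"email": "alice@example.com"},
}

# Constructed local account store.
USERS = {
    "alice@example.com": {"role": "TENANT_ADMIN"},
    "admin@example.com": {"role": "SYS_ADMIN"},
}


def exchange_code(code):
    """Simulated back-channel exchange. Codes are single-use, as a real
    provider enforces; returns the provider-asserted identity or None."""
    return PROVIDER_CODES.pop(code, None)


def vulnerable_callback(request):
    """The pattern the advisory describes: the code is exchanged, but the
    identity is then read from the client-controlled 'user' JSON object."""
    if exchange_code(request.get("code")) is None:
        return None
    claimed = json.loads(request.get("user", "{}"))
    email = claimed.get("email")
    return email if email in USERS else None


def hardened_callback(request):
    """Identity comes only from the provider's exchange; any client-supplied
    'user' field is ignored for authentication purposes."""
    identity = exchange_code(request.get("code"))
    if identity is None:
        return None
    email = identity.get("email")
    if not isinstance(email, str) or email not in USERS:
        return None
    return email


def client_identity_mismatch(request, provider_email):
    """Detection aid for the hardened path: True when the request carried a
    'user' object whose email differs from what the provider asserted.
    Such requests are worth logging as tampering attempts."""
    raw = request.get("user")
    if raw is None:
        return False
    try:
        claimed = json.loads(raw)
    except ValueError:
        return True
    return claimed.get("email") != provider_email


if __name__ == "__main__":
    forged = {"code": "code-alice-1", "user": '{"email": "admin@example.com"}'}
    print("vulnerable logs in as:", vulnerable_callback(forged))
    forged2 = {"code": "code-alice-2", "user": '{"email": "admin@example.com"}'}
    who = hardened_callback(forged2)
    print("hardened logs in as:", who)
    print("tampering flagged:", client_identity_mismatch(forged2, who))
```

The hardened handler never reads the request body to decide who the caller is; the only trusted input is the provider's answer to the code exchange, and the client-supplied object is consulted solely to raise a detection signal.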

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
