External risk intelligence

ThingsBoard v4.3.0.1 Authentication Bypass via OAuth Code Exchange

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-36537

A vulnerability in the platform's OAuth authorization code exchange allows unauthenticated attackers to bypass authentication by manipulating user identity data, leading to full account takeover. This critical issue affects any existing user account accessible through the platform.

Halo Surface Signal: 5

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-36537

The vulnerability exists in an OAuth2 authentication endpoint (/login/oauth2/code/). As an identity-related service endpoint designed to handle user authentication and authorization flows, this component is intended to be internet-facing to facilitate user login, making it a highly reachable surface in standard deployments of this platform.

PCI scan relevance

PCI Relevance for CVE-2026-36537

Yes

CVE-2026-36537 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to bypass login and take over any user account, making it a critical security risk for systems handling sensitive data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects the platform's authentication process, allowing unauthorized access to user accounts by bypassing security controls. The core issue lies in how the system validates identity information supplied during a specific login flow. Because the outcome is unauthorized account takeover, each deployment should be reviewed to confirm whether it is affected.

  • Authentication bypass allows unauthorized account access.
  • Critical for any deployment using this platform.
  • Confirm relevance and investigate exposure.

Attack Path

How an attacker could exploit the issue

An attacker can compromise user accounts by exploiting a flaw in the platform's handling of OAuth authorization codes. The system incorrectly trusts information provided by the user during this process. By altering specific details, such as an email address, an attacker can impersonate any user and gain full control over their account.

  • No authentication required.
  • Manipulates user data in login endpoint.
  • Results in complete account takeover.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, an unauthenticated remote attacker could bypass authentication by manipulating identity data in the OAuth authorization code exchange. This could allow an attacker to gain full access to any existing user account on the platform without the target user's credentials.

  • User account access.
  • Manipulate identity data in OAuth.
  • Complete account takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

An authentication bypass vulnerability in the OAuth authorization code exchange presents a critical risk, enabling attackers to achieve full account takeover by manipulating user identity data. This issue is likely to fall under the purview of the application or platform team responsible for managing ThingsBoard instances. The immediate priority is to identify all deployments, determine their reachability and business criticality, and confirm the accountable owner for each instance.

  • Confirm application and platform ownership.
  • Verify affected asset exposure.
  • Plan phased remediation by risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ThingsBoard?

ThingsBoard is an open-source IoT platform designed for data collection, processing, visualization, and device management. It provides infrastructure for managing connected devices and allows users to build dashboards and automation workflows. Because it acts as a central hub for managing IoT ecosystems, organizations rely on it to securely control access to device data and operational configurations through its integrated user management and authentication systems.

What does CVE-2026-36537 mean?

This CVE describes an authentication bypass flaw, specifically categorized as CWE-290: Authentication Bypass by Spoofing. In plain terms, the software fails to properly verify the identity claims sent to it during the OAuth login process. Because the application blindly trusts user-provided information, an attacker can impersonate any registered user, gaining full unauthorized access to their account without needing a password or valid credentials.

How does an attacker trigger this vulnerability?

An attacker triggers this bug by interacting directly with the specific OAuth endpoint used for authorization code exchanges. By injecting a modified email address into the user parameter of the JSON object sent to the /login/oauth2/code/ path, the attacker tricks the system into logging them in as that user. Note that this attack does not require any prior valid account or specialized system access; it only requires the ability to reach that specific login endpoint.
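The pattern described in the attack path and FAQ sections above, the server honouring identity fields sent by the client alongside the authorization code instead of the identity the provider vouches for, is illustrated below with a hypothetical code-exchange handler and its hardened counterpart. This is an added example, not ThingsBoard code; the provider lookup, user table, endpoint shape and all sample values are constructed for illustration.

```python
"""Hypothetical OAuth2 authorization-code exchange handlers (added example,
not ThingsBoard code). Illustrates CWE-290 as the advisory describes it:
trusting identity data the client supplies instead of the identity the
provider returns for the redeemed code, and the hardened alternative."""
import json

# Constructed stand-in for the identity provider's token/userinfo exchange.
# In a real deployment this is an authenticated HTTPS call to the provider,
# and its answer is the only trustworthy source of the login identity.
PROVIDER_CODES = {"code-abc": {"email": "alice@example.com", "sub": "idp-1001"}}

# Constructed local account table: provider email -> internal user id.
REGISTERED_USERS = {"alice@example.com": "user-1", "admin@example.com": "user-0"}


class AuthError(Exception):
    """Raised when the exchange must be refused."""


def redeem_code_with_provider(code: str) -> dict:
    """Redeem the authorization code with the provider (simulated here)."""
    claims = PROVIDER_CODES.get(code)
    if claims is None:
        raise AuthError("provider rejected authorization code")
    return claims


def vulnerable_code_exchange(body: str) -> str:
    """Flawed handler: the code is validated, but the identity used for
    the session is taken from the client-supplied 'user' object."""
    req = json.loads(body)
    redeem_code_with_provider(req["code"])   # code is genuine ...
    email = req["user"]["email"]             # ... but identity is client-chosen
    return REGISTERED_USERS[email]


def hardened_code_exchange(body: str) -> str:
    """Hardened handler: identity comes only from the provider's response.
    Client-supplied identity fields are rejected as defence in depth, and
    a provider identity with no local account is refused rather than mapped."""
    req = json.loads(body)
    if "user" in req:
        raise AuthError("identity must come from the provider, not the request")
    claims = redeem_code_with_provider(req["code"])
    email = claims["email"]
    if email not in REGISTERED_USERS:
        raise AuthError("no registered account for provider identity")
    return REGISTERED_USERS[email]
```

The hardened version also treats the presence of a client-side identity object as a signal worth logging, since a legitimate client following the authorization-code flow has no reason to send one.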

Is my ThingsBoard instance at risk?

If you are running version 4.3.0.1, you should consider your instance at risk. According to Halo Surface Signal, this vulnerability resides in an OAuth2 endpoint that is intentionally designed to handle authentication, making it a highly reachable surface. If your deployment makes this login service available to the internet to support remote user access, your platform faces a significant exposure level compared to internal-only configurations.

What should I do to respond to this?

Begin by confirming which systems in your environment are running the affected ThingsBoard version. Prioritize identifying instances that are exposed to the internet, as these present the highest risk of unauthorized access. Once you have located your deployments, coordinate with the platform owners to review the security of your authentication flows and plan for necessary updates or configuration changes to mitigate the risk of account takeover.
