CVE-2026-36537 | ThingsBoard v4.3.0.1 is vulnerable to an authentication bypa…

Description

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

Metadata

CVE ID: CVE-2026-36537
State: PUBLISHED
Assigner: mitre
Reserved: 2026-04-06 00:00 UTC
Published: 2026-06-15 00:00 UTC
Last updated: 2026-06-15 18:52 UTC
Vendor / Product: n/a / n/a
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
n/a	n/a	—	n/a

Weakness (CWE)

CWE	Source	Description
—	cna	n/a

References (1)

https://gist.github.com/KKC73/b9d4efda05693882f1e613c0e0fac78d