CVE-2026-40551
Authentication Bypass in mpGabinet via Client-Side Verification Flaw
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mpgabinet | mpgabinet | to 23.12.19 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-603 | A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in mpGabinet involves client-side authentication, where the login verification process is performed on the client rather than the server.
An attacker who has access to any instance of the application connected to the backend server can manipulate the application binary to bypass the login verification.
This allows the attacker to authenticate as any arbitrary user without proper credentials.
How can this vulnerability impact me? :
This vulnerability can have serious impacts because it allows unauthorized users to gain access to the system by bypassing authentication.
An attacker could impersonate any user, potentially accessing sensitive data or performing unauthorized actions within the application.
Since the authentication is bypassed, it undermines the security model of the application and can lead to data breaches or unauthorized system control.