CVE-2026-36537
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint.
Risk Assessment
An attacker can bypass authentication and gain full access to any existing user account on the platform, resulting in a complete account takeover.
Recommendation
It is recommended to update to the latest version of ThingsBoard and implement additional identity verification mechanisms for user data.
Original NVD description (English source)
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

