CVE-2026-4522 - Vulnerability Details - OpenCVE

Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.hypr.com/trust-center/security-advisories

History

Thu, 25 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title		Missing Authentication in HYPR Passwordless Enables Credentials Interception

Thu, 25 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 25 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1.
Weaknesses		CWE-306
References		https://www.hypr.com/trust-center/security-advisories
Metrics		cvssV4_0 `{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: HYPR

Published: 2026-06-25T15:39:28.322Z

Updated: 2026-06-25T16:03:39.669Z

Reserved: 2026-03-20T15:46:30.332Z

Link: CVE-2026-4522

Vulnrichment

Updated: 2026-06-25T16:03:23.028Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4522", "assignerOrgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "state": "PUBLISHED", "assignerShortName": "HYPR", "dateReserved": "2026-03-20T15:46:30.332Z", "datePublished": "2026-06-25T15:39:28.322Z", "dateUpdated": "2026-06-25T16:03:39.669Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "shortName": "HYPR", "dateUpdated": "2026-06-25T15:39:28.322Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117 Interception"}]}], "affected": [{"vendor": "HYPR", "product": "Passwordless", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "0", "lessThan": "11.1.1", "versionType": "patch"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.\n\nThis issue affects HYPR Passwordless: before 11.1.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.<p>This issue affects HYPR Passwordless: before 11.1.1.</p>"}]}], "references": [{"url": "https://www.hypr.com/trust-center/security-advisories"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.7, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T16:03:16.387341Z", "id": "CVE-2026-4522", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T16:03:39.669Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4522", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-25T16:03:16.387341Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T16:03:23.028Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-117", "descriptions": [{"lang": "en", "value": "CAPEC-117 Interception"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HYPR", "product": "Passwordless", "versions": [{"status": "affected", "version": "0", "lessThan": "11.1.1", "versionType": "patch"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.hypr.com/trust-center/security-advisories"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.\n\nThis issue affects HYPR Passwordless: before 11.1.1.", "supportingMedia": [{"type": "text/html", "value": "Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.<p>This issue affects HYPR Passwordless: before 11.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}]}], "providerMetadata": {"orgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "shortName": "HYPR", "dateUpdated": "2026-06-25T15:39:28.322Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4522", "state": "PUBLISHED", "dateUpdated": "2026-06-25T16:03:39.669Z", "dateReserved": "2026-03-20T15:46:30.332Z", "assignerOrgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "datePublished": "2026-06-25T15:39:28.322Z", "assignerShortName": "HYPR"}, "dataVersion": "5.2"}