CVE-2026-36537

Name of the Vulnerable Software and Affected Versions ThingsBoard version 4.3.0.1

Description An authentication bypass exists during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the '/login/oauth2/code/' endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials, resulting in a complete account takeover. Over 14,000 devices were identified as potentially affected.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.