01 Description
What the vulnerability does

Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager (plugin slug: password-policy-manager) allows Authentication Abuse. This issue affects Password Policy Manager: from n/a through <= 2.0.4.
02 Summary
Explanation of the vulnerability in simple terms

Password Policy Manager versions 2.0.4 and earlier contain an authentication bypass vulnerability. An attacker holding a low-privilege user account can read and modify sensitive data, including user credentials and site configuration. Exploitation requires network access and a valid user account, but no additional user interaction. Organizations should update immediately to a patched version.
03 Attacker Capabilities
What an attacker can do

Read and modify sensitive data, including user credentials and site configuration, using only a low-privilege account.
04 Site Impact
Potential impact on your site

Unauthorized users can access and alter password policies, user data, and site settings without admin approval.
05 Prerequisites
Conditions required to exploit

The attacker needs a valid user account with low-level privileges on the site. Sites that allow visitors to self-register low-privilege accounts meet this precondition for anyone who can reach the site.
06 Disclosure timeline
Key dates

June 9, 2025: CVE published
April 28, 2026: Record updated