ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
Casky was already ahead
Exploitation of this CVE relies on attack patterns that Casky's 0 matched skills already investigate, before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
ThingsBoard v4.3.0.1 contains a critical authentication bypass in its OAuth implementation that allows attackers to hijack user accounts. The flaw sits in the /login/oauth2/code/ endpoint, where the application trusts the identity carried in the user-supplied user parameter instead of taking it from the OAuth provider's response. By changing the email address in that JSON object, an attacker who holds no credentials for the target account can log in as any existing user, including administrative accounts, and gains whatever access that account has. The bypass needs no social engineering and applies to every existing account on a vulnerable instance. Organizations running ThingsBoard for IoT device management, industrial deployments, or enterprise use face immediate risk of complete platform compromise.
While no MITRE ATT&CK mapping is yet assigned to this CVE, the behaviour is best described as T1190 (Exploit Public-Facing Application) for the bypass itself, followed by T1078 (Valid Accounts) once the attacker operates as the hijacked user. It is not credential stuffing (T1110.004), since no credentials are guessed or replayed, and no provider token is stolen (T1528); the provider's assertion is simply ignored in favour of a client-supplied one. Practitioners using Casky would look for detection signals centred on the OAuth callback: requests to /login/oauth2/code/ whose user parameter names an identity that differs from the one the provider authenticated, sessions created for privileged accounts immediately after such a callback, and logins to existing accounts from unexpected sources right after an OAuth exchange. Casky's extended reasoning would correlate these signals across authentication, session and access-control logs to surface the bypass pattern. Findings would highlight the trust-boundary violation between the OAuth provider's assertion and the application's own user lookup, helping responders identify which accounts were taken over and trace any lateral movement that followed this initial access.
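The following illustrates the flaw described above and the detection signal it leaves. It is an added example and not ThingsBoard's code: the provider, the account table, the handler names and the callback log format are all assumed for the demonstration; only the shape of the bug (identity read from a client-supplied user JSON parameter on the callback instead of from the provider's response) is taken from the advisory. The hardened handler shows the fix, and find_identity_mismatches runs the mismatch check from the detection discussion over constructed log lines.

```python
"""Toy OAuth2 authorization-code callback: vulnerable vs hardened, plus a
log check. Added illustration, not ThingsBoard code; every name here is
assumed for the example."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed user directory standing in for the platform's accounts.
ACCOUNTS = {
    "alice@example.com": {"role": "TENANT_ADMIN"},
    "bob@example.com": {"role": "CUSTOMER_USER"},
}


class FakeProvider:
    """Minimal stand-in for an OAuth2/OIDC provider's token + userinfo step."""

    def __init__(self) -> None:
        # authorization code -> email the provider actually authenticated
        self._codes = {"code-for-bob": "bob@example.com"}  # constructed

    def exchange(self, code: str) -> Optional[dict]:
        """Redeem a code once and return the provider's own claims."""
        email = self._codes.pop(code, None)
        return {"email": email} if email else None


@dataclass
class Session:
    email: str
    role: str


def callback_vulnerable(provider: FakeProvider, params: dict) -> Optional[Session]:
    """Mirrors the advisory's flaw: the code is redeemed, but identity is
    then read from the client-controlled `user` JSON parameter."""
    if provider.exchange(params["code"]) is None:
        return None
    claimed = json.loads(params["user"])          # attacker-controlled
    acct = ACCOUNTS.get(claimed.get("email"))
    return Session(claimed["email"], acct["role"]) if acct else None


def callback_hardened(provider: FakeProvider, params: dict) -> Optional[Session]:
    """Identity comes only from the provider's response; `user` is ignored."""
    claims = provider.exchange(params["code"])
    if claims is None:
        return None
    acct = ACCOUNTS.get(claims["email"])
    return Session(claims["email"], acct["role"]) if acct else None


def attacker_request() -> dict:
    """Bob holds a legitimate code but asserts Alice's email in `user`."""
    return {"code": "code-for-bob",
            "user": json.dumps({"email": "alice@example.com"})}


# Detection over constructed callback log lines. Assumed format:
# "<ts> client_email=<from user param> idp_email=<from provider response>"
SAMPLE_LOG = """\
2026-01-01T10:00:00Z client_email=bob@example.com idp_email=bob@example.com
2026-01-01T10:00:05Z client_email=alice@example.com idp_email=bob@example.com
2026-01-01T10:00:09Z client_email=alice@example.com idp_email=alice@example.com
"""


def find_identity_mismatches(log: str) -> List[Dict[str, str]]:
    """Flag callbacks whose client-asserted email differs from the provider's."""
    hits = []
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        if fields["client_email"] != fields["idp_email"]:
            hits.append({"ts": ts, **fields})
    return hits


if __name__ == "__main__":
    print(callback_vulnerable(FakeProvider(), attacker_request()))  # Alice's session
    print(callback_hardened(FakeProvider(), attacker_request()))    # Bob's session
    print(find_identity_mismatches(SAMPLE_LOG))
```

The vulnerable handler returns a TENANT_ADMIN session for alice@example.com although the provider only vouched for bob@example.com; the hardened handler returns Bob's own session. The mismatch check is only possible if the callback logs both values, so a first hardening step for any deployment is to record the provider-asserted identity next to whatever the client sent.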
Casky lists 0 skills that investigate the attack patterns behind CVE-2026-36537.
© 2026 Casky.AI, Inc. · AI Security Investigation