PatchSiren cyber security CVE debrief

CVE-2026-36537 ThingsBoard CVE debrief

CVE-2026-36537 is an authentication bypass vulnerability in ThingsBoard v4.3.0.1. The vulnerability occurs during the OAuth authorization code exchange, where the application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials, resulting in a complete account takeover.

Vendor: ThingsBoard
Product: ThingsBoard
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-15
Original CVE updated: 2026-06-15
Advisory published: 2026-06-15
Advisory updated: 2026-06-15

Who should care

Users of ThingsBoard v4.3.0.1, administrators of ThingsBoard instances, and security teams responsible for monitoring and mitigating vulnerabilities in their organization's systems.

Technical summary

The vulnerability is caused by the application's improper trust in user-supplied identity data during the OAuth authorization code exchange. Specifically, the /login/oauth2/code/ endpoint does not properly validate the email address in the JSON object, allowing an attacker to manipulate this field and bypass authentication.

Defensive priority

High

Recommended defensive actions

Apply the latest security patches or updates for ThingsBoard v4.3.0.1.
Implement additional security measures, such as monitoring and logging, to detect and respond to potential attacks.
Consider using alternative authentication methods, such as multi-factor authentication, to enhance security.

Evidence notes

The CVE record [cve-org] and NVD detail [nvd] provide official information about the vulnerability. A source reference [ref-4] is also available on GitHub.

Official resources

CVE-2026-36537 was published on 2026-06-15T20:16:25.907Z and has not been modified since then.