CVE-2026-16209

Gerapy · Gerapy

Gerapy is susceptible to authentication bypass and missing authentication vulnerabilities, allowing unauthorized access to application functions.

Executive summary

Gerapy versions 0.9.0 through 0.9.7 contain critical authentication flaws that allow unauthenticated attackers to gain unauthorized access to the application.

Vulnerability

This vulnerability involves missing authentication (CWE-306) and improper authentication (CWE-287). The flaw allows remote, unauthenticated attackers to interact with the application, bypassing intended security controls.

Business impact

Successful exploitation allows unauthorized users to access, modify, or interact with the Gerapy platform without credentials. This can lead to full compromise of the application, unauthorized data exposure, or the manipulation of configured tasks and settings. The CVSS score of 7.3 highlights the high risk associated with this unauthorized access.

Remediation

Immediate Action: Review the Gerapy GitHub repository for any available security patches or configuration changes that enforce authentication. If no patch is available, restrict network access to the Gerapy instance to trusted networks only.

Proactive Monitoring: Audit application logs for unauthorized access patterns or unexpected administrative actions performed by unknown users.

Compensating Controls: Deploy the application behind a reverse proxy that implements strict authentication and authorization checks before forwarding traffic to the Gerapy backend.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the lack of a confirmed patch, users should immediately restrict access to the Gerapy interface via network-level controls. Monitor the project upstream for updates and apply them as soon as they become available to resolve the underlying authentication bypass.