CVE-2026-16209
Gerapy · Gerapy
Gerapy is susceptible to authentication bypass and missing authentication vulnerabilities, allowing unauthorized access to application functions.
Executive summary
Gerapy versions 0.9.0 through 0.9.7 contain critical authentication flaws that allow unauthenticated attackers to gain unauthorized access to the application.
Vulnerability
This vulnerability involves missing authentication (CWE-306) and improper authentication (CWE-287). The flaw allows remote, unauthenticated attackers to interact with the application, bypassing intended security controls.
Business impact
Successful exploitation allows unauthorized users to access, modify, or interact with the Gerapy platform without credentials. This can lead to full compromise of the application, unauthorized data exposure, or the manipulation of configured tasks and settings. The CVSS score of 7.3 highlights the high risk associated with this unauthorized access.
Remediation
Immediate Action: Review the Gerapy GitHub repository for any available security patches or configuration changes that enforce authentication. If no patch is available, restrict network access to the Gerapy instance to trusted networks only.
Proactive Monitoring: Audit application logs for unauthorized access patterns or unexpected administrative actions performed by unknown users.
Compensating Controls: Deploy the application behind a reverse proxy that implements strict authentication and authorization checks before forwarding traffic to the Gerapy backend.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Due to the lack of a confirmed patch, users should immediately restrict access to the Gerapy interface via network-level controls. Monitor the project upstream for updates and apply them as soon as they become available to resolve the underlying authentication bypass.