KEVIntel
CVSS 9.8 Critical

CVE-2019-20933

PUBLISHED

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may...

Not yet in CISA KEV

PoC available · Remote · Low complexity · No user interaction
Vendor: InfluxData
Product: InfluxDB
Published: Nov 19, 2020

Description

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

nuclei_scanner

CVSS Scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5 High

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation Status

Proof of concept available

Recorded 2021-04-28 16:25:31 UTC · GitHub

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) First 2025-07-01 00:00 UTC

Scanner Integrations

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

Hydragyrum/CVE-2019-20933

github · Created 2021-07-24 11:12:13 UTC · 1 stars

LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

github · Created 2021-04-28 16:25:31 UTC · 39 stars

InfluxDB CVE-2019-20933 vulnerability exploit

CVE-2019-20933

nuclei · Created Unknown

Timeline

  • Added to KEVIntel

  • Detected by Nuclei

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • CVE ID Reserved