CVE-2026-6853: OTP Bypass in Başbelen Group's Pause+ Mobile App
Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: v1.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability exists in the Pause+ Mobile App by Başbelen Group, caused by improper restriction of excessive authentication attempts (CWE-307) on the OTP (one-time password) login flow. Because the OTP verification step does not limit how many codes may be submitted for an account, an attacker can keep guessing until a submission is accepted; for a short numeric OTP the code space is small enough to walk through exhaustively. The flaw is reachable over the network with no authentication and no user interaction required, so any remote attacker who can start the OTP flow for a target account can attempt it directly. Successful exploitation defeats the OTP check and yields full unauthorized access to the account, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at v1.5 is available on HarborGuard for environments running an affected version (v1.0.6 up to but not including v1.5).
HarborGuard Coverage
Detection of CVE-2026-6853 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including TR-CERT. Coverage extends to custom-built images that bundle the affected Pause+ Mobile App dependency, not just images pulled directly from public registries.
Triage is available using the CVSS v3.1 base score of 9.8 (Critical), weighted further against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules and severity thresholds.
A patched-image rebuild at Pause+ Mobile App v1.5 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests against the updated image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Pause+ Mobile App's authentication endpoint over the network; no physical or local access is needed.
- Authentication: Not required
No credentials or existing session are required; the attacker can interact with the OTP endpoint as an unauthenticated party.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is needed for the attacker to exploit this vulnerability.
- Attack complexity: Low
The exploit is reliable and needs no race to win or environment-specific condition to hold. The attacker needs only whatever identifier the login flow takes to have an OTP issued for the target account, and can then submit guesses until one is accepted.
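To make the exploit condition concrete, here is an added example (not Pause+ code, and not taken from the advisory) of an OTP verifier with the CWE-307 defect next to one that budgets attempts, plus the attacker loop that enumerates the code space. The 6-digit code length, the 5-attempt budget and the 10-minute lifetime are assumptions; the advisory does not state the app's values.

```python
"""Added example, not Pause+ code: the CWE-307 pattern behind this advisory
(an OTP check that accepts unlimited guesses) next to a verifier that
budgets attempts. OTP length, attempt budget and lifetime are assumptions;
the advisory gives none of them."""
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed; a 6-digit code has only 1,000,000 values
MAX_ATTEMPTS = 5        # assumed budget per issued code
OTP_TTL_SECONDS = 600   # assumed lifetime of an issued code


def issue_otp():
    """Uniformly random, zero-padded numeric code."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class VulnerableOtpVerifier:
    """No attempt counting at all: guess 0, guess 1, ... until one matches."""

    def __init__(self):
        self.codes = {}  # identifier -> outstanding code

    def send(self, identifier):
        self.codes[identifier] = issue_otp()
        return self.codes[identifier]  # returned so the demo can stand in for the victim's phone

    def verify(self, identifier, guess):
        code = self.codes.get(identifier)
        return code is not None and hmac.compare_digest(code, guess)


class HardenedOtpVerifier:
    """Each issued code carries an attempt budget and an expiry. Once the budget
    is spent or the code expires, the code is destroyed; the only way forward is
    to request a new one, which is where resend throttling (not shown) applies."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.state = {}  # identifier -> {"code", "attempts", "issued"}

    def send(self, identifier):
        code = issue_otp()
        self.state[identifier] = {"code": code, "attempts": 0, "issued": self.now()}
        return code

    def verify(self, identifier, guess):
        s = self.state.get(identifier)
        if s is None:
            return False
        if self.now() - s["issued"] > OTP_TTL_SECONDS:
            del self.state[identifier]  # expired: burn it
            return False
        s["attempts"] += 1
        if s["attempts"] > MAX_ATTEMPTS:
            del self.state[identifier]  # budget spent: burn it even if this guess was right
            return False
        if hmac.compare_digest(s["code"], guess):
            del self.state[identifier]  # single use
            return True
        return False


def brute_force(verifier, identifier, max_guesses=10 ** OTP_DIGITS):
    """Attacker loop: enumerate the code space in order. Returns (success, guesses_made)."""
    for n in range(max_guesses):
        if verifier.verify(identifier, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1
    return False, max_guesses


if __name__ == "__main__":
    weak = VulnerableOtpVerifier()
    weak.send("victim")
    print("vulnerable verifier:", brute_force(weak, "victim"))
    strong = HardenedOtpVerifier()
    strong.send("victim")
    print("hardened verifier:", brute_force(strong, "victim"))
```

The budget is attached to the issued code rather than to the client address: an attacker who can flood the endpoint can also rotate addresses, but cannot escape a counter that lives with the code itself. Burning the code once the budget is spent, instead of merely rejecting further guesses, forces the attacker back through the resend step, where a second limit belongs.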
Blast Radius
- An attacker bypasses OTP authentication and gains full access to user accounts without knowing valid one-time passwords.
- Account contents including stored personal data, order history, and session tokens become readable to the attacker.
- An attacker can modify account details, place orders, or alter persisted records within the affected user's profile.
- The authentication service itself can be disrupted by the same unthrottled guessing traffic, since nothing limits how often the OTP endpoint may be called.
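For teams that cannot ship v1.5 immediately and want to know whether the flaw is being exercised, here is an added example (not HarborGuard or Pause+ code) of detection logic run over backend OTP verification logs. The log line format and the thresholds are constructed for the example; the app's real logging is not described on this page.

```python
"""Added example, not HarborGuard or Pause+ code: spot OTP brute forcing in
backend authentication logs. The line format and the thresholds are
constructed for this example, not taken from the advisory or the app."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> otp_verify user=<id> src=<ip> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) otp_verify user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

WINDOW = timedelta(minutes=5)   # assumed sliding window
USER_FAIL_THRESHOLD = 10        # assumed: more failures per account than an honest user produces
SRC_FAIL_THRESHOLD = 50         # assumed: catches one source spraying many accounts


def parse_line(line):
    """Return (timestamp, user, src, success) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"] == "ok")


def detect(lines, window=WINDOW, user_threshold=USER_FAIL_THRESHOLD, src_threshold=SRC_FAIL_THRESHOLD):
    """Return alerts as (kind, key, fail_count, timestamp). Failures are kept in a
    sliding window per account and per source address; a success that follows a
    burst above the account threshold is flagged as a likely completed brute force."""
    fails = defaultdict(deque)   # (kind, id) -> timestamps of failures still inside the window
    fired = set()                # (alert kind, id) already reported, to avoid alert storms
    alerts = []

    def recent(key, now):
        q = fails[key]
        while q and now - q[0] > window:
            q.popleft()
        return q

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line: skipped here; in production count these separately
        ts, user, src, ok = rec
        ukey, skey = ("user", user), ("src", src)
        if ok:
            n = len(recent(ukey, ts))
            if n >= user_threshold and ("brute_force_success", user) not in fired:
                fired.add(("brute_force_success", user))
                alerts.append(("brute_force_success", user, n, ts))
            fails[ukey].clear()   # a real login ends the account's failure run
            continue
        for key, threshold, kind in ((ukey, user_threshold, "user_fail_burst"),
                                     (skey, src_threshold, "src_fail_burst")):
            q = recent(key, ts)
            q.append(ts)
            if len(q) >= threshold and (kind, key[1]) not in fired:
                fired.add((kind, key[1]))
                alerts.append((kind, key[1], len(q), ts))
    return alerts


# Constructed sample: 12 failures on one account from one source inside 12 seconds,
# then a success; a second account with a single failure followed by a success.
SAMPLE_LOG = [
    f"2026-04-01T10:00:{i:02d} otp_verify user=acct-1 src=198.51.100.7 result=fail" for i in range(12)
] + [
    "2026-04-01T10:00:12 otp_verify user=acct-1 src=198.51.100.7 result=ok",
    "2026-04-01T10:05:00 otp_verify user=acct-2 src=203.0.113.9 result=fail",
    "2026-04-01T10:05:03 otp_verify user=acct-2 src=203.0.113.9 result=ok",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two counters are kept on purpose: the per-account one catches a targeted attack against a single user, the per-source one catches an attacker who spreads a few guesses over many accounts to stay under the first. The "brute_force_success" alert is the one worth paging on, since it marks an account that was most likely taken over rather than merely attacked.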
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-6853 is active in every ingest cycle, matching the affected Pause+ Mobile App version range (v1.0.6 up to but not including v1.5) against images in customer registries and CI pipelines. Where compliance policy permits, a rebuilt image at v1.5 is made available immediately upon detection of an affected version. For customers who opt into auto-remediation, HarborGuard triggers a full rebuild at the patched version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with severity-based prioritization and fix-version guidance so engineering teams can act directly.
Fix available
- Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. / Pause+ Mobile App: v1.0.6 up to but not including v1.5 (fixed in v1.5)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H