diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
index 6f00745..75d8265 100644
--- a/mappings/cvss_v3/cvss_v3.json
+++ b/mappings/cvss_v3/cvss_v3.json
@@ -240,6 +240,10 @@
       "id": "broken_access_control",
       "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
       "children": [
+        {
+          "id": "bypass_of_password_confirmation",
+          "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
+        },
         {
           "id": "privilege_escalation",
           "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index 1373d06..8489fb8 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
@@ -358,6 +358,13 @@
     {
       "id": "broken_access_control",
       "children": [
+        {
+          "id": "bypass_of_password_confirmation",
+          "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.",
+          "references": [
+            "https://portswigger.net/web-security/access-control"
+          ]
+        },
         {
           "id": "exposed_sensitive_android_intent",
           "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the <receiver> element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n",
diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
index b89dee9..72397ae 100644
--- a/vulnerability-rating-taxonomy.json
+++ b/vulnerability-rating-taxonomy.json
@@ -378,6 +378,19 @@
       "name": "Broken Access Control (BAC)",
       "type": "category",
       "children": [
+        {
+          "id": "bypass_of_password_confirmation",
+          "name": "Bypass of Password Confirmation",
+          "type": "subcategory",
+          "children": [
+            {
+              "id": "change_password",
+              "name": "Change Password",
+              "type": "variant",
+              "priority": 4
+            }
+          ]
+        },
         {
           "id": "exposed_sensitive_android_intent",
           "name": "Exposed Sensitive Android Intent",