CWE-287— Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.— MITRE CWE catalog
4,479 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-287page 84 of 90
- CVE-2026-12598HIGHCVSS 8.1EG 8.12026-07-09
The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including 6.2.3 via the Spotify Social Login addon. This is due to the loginpress_on_spotify_login() function trusting the unverified 'ema…
- CVE-2026-12761CRITICALCVSS 9.8EG 9.82026-07-10
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Complet…
- CVE-2026-12773CRITICALCVSS 9.8EG 7.32026-06-21
A weakness has been identified in BerriAI litellm up to 1.59.8. Affected is the function UserAPIKeyAuth of the file litellm/proxy/_experimental/mcp_server/auth/user_api_key_auth_mcp.py of the component MCP Proxy. Executing a manipulation c…
- CVE-2026-12795HIGHCVSS 7.3EG 7.32026-06-21
A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing aut…
- CVE-2026-1305MEDIUMCVSS 5.3EG 5.32026-02-27
The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that uncondition…
- CVE-2026-13208MEDIUMCVSS 6.5EG 6.52026-06-24
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection…
- CVE-2026-13543MEDIUMCVSS 5.6EG 5.62026-06-29
A vulnerability was detected in Documenso up to 2.11.0. Affected by this vulnerability is an unknown functionality of the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts of the component Google OAuth Login. The manipulatio…
- CVE-2026-13546HIGHCVSS 7.3EG 7.32026-06-29
A vulnerability was found in Feehi CMS up to 2.1.1. This vulnerability affects unknown code of the file /api/articles of the component REST API Endpoint. Performing a manipulation results in missing authentication. The attack may be initia…
- CVE-2026-1368HIGHCVSS 7.5EG 7.52026-02-18
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve…
- CVE-2026-1410MEDIUMCVSS 6.4EG 6.42026-01-26
A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. Th…
- CVE-2026-14622HIGHCVSS 7.3EG 7.32026-07-04
A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 521428b5b612449df0cf4a5d15ee40cba67f3d35. This vulnerability affects unknown code of the file /admin/ajax_files of the component AJAX Endpoint. Performing a manipu…
- CVE-2026-14627MEDIUMCVSS 5.6EG 5.62026-07-04
A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter._is_allowed_user of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such ma…
- CVE-2026-14714MEDIUMCVSS 6.5EG 6.52026-07-05
A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.1.0. This issue affects the function verify_server of the file channel/wechatmp/common.py of the component wx Endpoint. This manipulation of the argument wechatmp_toke…
- CVE-2026-15087MEDIUMCVSS 5.9EG 0.02026-07-10
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
- CVE-2026-15089CRITICALCVSS 9.1EG 9.12026-07-10
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
- CVE-2026-15192MEDIUMCVSS 6.5EG 6.52026-07-09
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to …
- CVE-2026-1524CRITICALCVSS 9.8EG 9.82026-03-11
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or …
- CVE-2026-15491HIGHCVSS 7.3EG 7.32026-07-12
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. Th…
- CVE-2026-15542HIGHCVSS 7.3EG 7.32026-07-13
A vulnerability has been found in will-moss Isaiah up to 1.36.9. This affects an unknown function of the file app/main.go of the component Websocket Connection Authentication. The manipulation leads to improper authentication. The attack c…
- CVE-2026-15557HIGHCVSS 7.3EG 7.32026-07-13
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.…
- CVE-2026-1568CRITICALCVSS 9.6EG 9.62026-02-03
Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Cons…
- CVE-2026-1740HIGHCVSS 7.3EG 7.32026-02-02
A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authenticatio…
- CVE-2026-1743LOWCVSS 3.1EG 3.12026-02-02
A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass …
- CVE-2026-20127CRITICALCVSS 10.0EG 10.0⚠ KEV2026-02-25
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an u…
- CVE-2026-20182CRITICALCVSS 10.0EG 10.0⚠ KEV2026-05-14
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection h…
- CVE-2026-2065MEDIUMCVSS 6.3EG 6.32026-02-06
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. …
- CVE-2026-20655MEDIUMCVSS 5.5EG 5.52026-02-11
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user info…
- CVE-2026-21508HIGHCVSS 7.0EG 7.02026-02-10
Improper authentication in Windows Storage allows an authorized attacker to elevate privileges locally.
- CVE-2026-21633HIGHCVSS 8.8EG 8.82026-01-05
A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier). Affect…
- CVE-2026-2165HIGHCVSS 7.3EG 7.32026-02-08
A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument em…
- CVE-2026-2174HIGHCVSS 7.3EG 7.32026-02-08
A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be laun…
- CVE-2026-21854CRITICALCVSS 9.8EG 9.82026-01-07
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager a…
- CVE-2026-21881CRITICALCVSS 9.1EG 9.12026-01-08
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user aut…
- CVE-2026-21891CRITICALCVSS 9.4EG 9.42026-01-08
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly val…
- CVE-2026-22099HIGHCVSS 8.7EG 8.72026-07-13
The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.
- CVE-2026-22236CRITICALCVSS 9.8EG 9.82026-01-14
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Succes…
- CVE-2026-2248CRITICALCVSS 9.8EG 9.82026-02-11
METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with…
- CVE-2026-2249CRITICALCVSS 9.8EG 9.82026-02-11
METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with…
- CVE-2026-22594HIGHCVSS 8.1EG 8.12026-01-10
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and …
- CVE-2026-22764MEDIUMCVSS 4.3EG 4.32026-01-29
Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
- CVE-2026-23708HIGHCVSS 7.5EG 7.52026-04-14
A improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated att…
- CVE-2026-23906CRITICALCVSS 9.8EG 9.82026-02-10
Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying L…
- CVE-2026-24003MEDIUMCVSS 4.3EG 4.32026-01-26
EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the c…
- CVE-2026-24038HIGHCVSS 8.1EG 8.12026-01-22
Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits th…
- CVE-2026-24294HIGHCVSS 7.8EG 7.82026-03-10
Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.
- CVE-2026-25748HIGHCVSS 8.6EG 8.62026-02-12
authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction wi…
- CVE-2026-25804CRITICALCVSS 9.1EG 9.12026-02-06
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority…
- CVE-2026-25893CRITICALCVSS 9.8EG 9.82026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh AP…
- CVE-2026-25922HIGHCVSS 8.8EG 8.82026-02-12
authentik is an open-source identity provider. Prior to 2025.8.6, 2025.10.4, and 2025.12.4, when using a SAML Source that has the option Verify Assertion Signature under Verification Certificate enabled and not Verify Response Signature, o…
- CVE-2026-26128HIGHCVSS 7.8EG 7.82026-03-10
Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.
Map vulnerabilities like CWE-287 to your infrastructure
EchelonGraph correlates every CVE — across CWE-287 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →