CWE-287— Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.— MITRE CWE catalog
4,483 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-287page 88 of 90
- CVE-2026-48114CRITICALCVSS 9.8EG 9.82026-06-15
Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() b…
- CVE-2026-48117MEDIUMCVSS 6.8EG 6.82026-06-17
DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attac…
- CVE-2026-4829MEDIUMCVSS 5.4EG 5.42026-04-01
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an extern…
- CVE-2026-4831LOWCVSS 3.7EG 3.72026-03-26
A security flaw has been discovered in kalcaddle kodbox 1.64. Impacted is the function can of the file /workspace/source-code/app/controller/explorer/auth.class.php of the component Password-protected Share Handler. Performing a manipulati…
- CVE-2026-48526HIGHCVSS 7.4EG 7.42026-05-28
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm,…
- CVE-2026-48611CRITICALCVSS 9.8EG 9.82026-06-12
Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations.
- CVE-2026-48780HIGHCVSS 8.2EG 8.22026-06-16
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deploymen…
- CVE-2026-48896HIGHCVSS 7.5EG 7.52026-05-26
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
- CVE-2026-48897HIGHCVSS 7.5EG 7.52026-05-26
Insufficient state checks lead to a vector that allows to bypass 2FA checks.
- CVE-2026-48929HIGHCVSS 7.5EG 7.52026-06-17
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring…
- CVE-2026-48991MEDIUMCVSS 5.5EG 5.52026-06-17
XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed l…
- CVE-2026-49186CRITICALCVSS 9.8EG 9.82026-06-04
The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands.
- CVE-2026-49191CRITICALCVSS 9.8EG 9.82026-06-04
The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.
- CVE-2026-49194HIGHCVSS 8.8EG 8.82026-06-04
The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
- CVE-2026-49197CRITICALCVSS 9.8EG 9.82026-05-29
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
- CVE-2026-49202HIGHCVSS 8.6EG 8.62026-06-04
Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.
- CVE-2026-49203HIGHCVSS 8.3EG 8.32026-06-04
Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.
- CVE-2026-49443HIGHCVSS 8.8EG 8.82026-06-02
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This …
- CVE-2026-49448CRITICALCVSS 9.8EG 9.82026-06-02
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1.
- CVE-2026-49454CRITICALCVSS 9.1EG 9.12026-06-18
Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successf…
- CVE-2026-49502HIGHCVSS 8.1EG 7.42026-06-17
Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclos…
- CVE-2026-4959HIGHCVSS 7.3EG 7.32026-03-27
A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument int…
- CVE-2026-49843MEDIUMCVSS 5.3EG 5.32026-06-09
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bo…
- CVE-2026-49848MEDIUMCVSS 4.3EG 4.32026-06-09
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth…
- CVE-2026-49869CRITICALCVSS 10.0EG 10.02026-06-26
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Becau…
- CVE-2026-49872HIGHCVSS 8.1EG 8.12026-06-19
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 throu…
- CVE-2026-5000HIGHCVSS 7.3EG 7.32026-03-28
A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument B…
- CVE-2026-50338HIGHCVSS 8.2EG 8.22026-07-14
Improper authentication in Azure Spring Apps allows an authorized attacker to elevate privileges over a network.
- CVE-2026-50365HIGHCVSS 8.0EG 8.02026-07-14
Improper authentication in Windows RPC API allows an unauthorized attacker to elevate privileges over an adjacent network.
- CVE-2026-50559HIGHCVSS 7.5EG 7.52026-06-19
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons…
- CVE-2026-50623MEDIUMCVSS 4.8EG 6.52026-06-12
An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed …
- CVE-2026-50751CRITICALCVSS 9.3EG 9.3⚠ KEV2026-06-08
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a…
- CVE-2026-5076CRITICALCVSS 9.8EG 9.82026-06-02
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user …
- CVE-2026-5229CRITICALCVSS 9.8EG 9.82026-05-15
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a…
- CVE-2026-5270CRITICALCVSS 9.8EG 0.02026-07-14
An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite (NCS), Manage Control Plan (MCP), and Blue Planet products. The issue is caused by improper handling of HTTP request paths and head…
- CVE-2026-52830CRITICALCVSS 9.4EG 9.42026-07-02
fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not r…
- CVE-2026-52845HIGHCVSS 8.1EG 8.12026-06-16
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request late…
- CVE-2026-5320HIGHCVSS 7.3EG 7.32026-04-02
A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authenticati…
- CVE-2026-53483CRITICALCVSS 9.8EG 9.82026-07-07
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 an improper authentication…
- CVE-2026-53913CRITICALCVSS 9.8EG 9.82026-07-06
Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running Keycloak…
- CVE-2026-54089CRITICALCVSS 9.1EG 9.12026-06-25
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication (auth.method=proxy)…
- CVE-2026-54320HIGHCVSS 8.4EG 8.42026-06-23
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted (and declined) by a user whose email matched the invitation but had no…
- CVE-2026-54781HIGHCVSS 7.4EG 7.42026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF SAML token validation does not enforce SubjectConfirmation method URIs or holder-of-key proof keys in SamlSecur…
- CVE-2026-55075HIGHCVSS 7.4EG 7.42026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back…
- CVE-2026-55076HIGHCVSS 7.4EG 7.42026-07-06
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked `email_verified` with a direct Go `bool` type assertion. When an IdP…
- CVE-2026-55377HIGHCVSS 8.1EG 8.12026-07-10
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAu…
- CVE-2026-5557MEDIUMCVSS 6.3EG 6.32026-04-05
A vulnerability was detected in badlogic pi-mono up to 0.58.4. This issue affects some unknown processing of the file packages/mom/src/slack.ts of the component pi-mom Slack Bot. The manipulation results in authentication bypass using alte…
- CVE-2026-55666CRITICALCVSS 9.3EG 9.32026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by …
- CVE-2026-55672HIGHCVSS 7.4EG 7.42026-06-18
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated th…
- CVE-2026-55689HIGHCVSS 8.1EG 8.12026-06-19
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience …
Map vulnerabilities like CWE-287 to your infrastructure
EchelonGraph correlates every CVE — across CWE-287 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →