CWE-287— Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.— MITRE CWE catalog
4,483 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-287page 89 of 90
- CVE-2026-5570HIGHCVSS 7.3EG 7.32026-04-05
A vulnerability was determined in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. The affected element is the function index_config of the file /LoginCB. This manipulation causes improper authentication. It is possible to initiate the attack…
- CVE-2026-55727HIGHCVSS 7.5EG 7.52026-07-06
A flaw in the authentication mechanism for video stream requests in Genetec Security Center 5.14.0.0 prior to build 5.14.178.18 may allow an unauthenticated attacker to access live video streams.
- CVE-2026-55759HIGHCVSS 7.4EG 7.42026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any…
- CVE-2026-55761MEDIUMCVSS 5.9EG 5.92026-07-08
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, una…
- CVE-2026-55955MEDIUMCVSS 6.5EG 6.52026-06-29
Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, f…
- CVE-2026-55962MEDIUMCVSS 6.5EG 6.52026-06-25
TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent pee…
- CVE-2026-56080MEDIUMCVSS 4.9EG 4.92026-06-19
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As …
- CVE-2026-5616HIGHCVSS 7.3EG 7.32026-04-06
A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java o…
- CVE-2026-56169HIGHCVSS 8.1EG 8.12026-07-14
Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
- CVE-2026-56185MEDIUMCVSS 6.5EG 6.52026-07-14
Improper authentication in Windows Admin Center allows an authorized attacker to disclose information over a network.
- CVE-2026-56219HIGHCVSS 7.5EG 7.52026-07-01
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper…
- CVE-2026-56223HIGHCVSS 8.7EG 8.72026-06-24
Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorizat…
- CVE-2026-56237CRITICALCVSS 9.1EG 9.12026-06-24
Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authen…
- CVE-2026-56294MEDIUMCVSS 4.8EG 4.82026-06-20
capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function …
- CVE-2026-56312MEDIUMCVSS 6.5EG 6.52026-07-10
Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with i…
- CVE-2026-5632HIGHCVSS 7.3EG 7.32026-04-06
A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the atta…
- CVE-2026-56345HIGHCVSS 8.1EG 8.12026-06-20
AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of t…
- CVE-2026-56353MEDIUMCVSS 4.8EG 4.82026-07-15
n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth (a non-default configuration). In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication chec…
- CVE-2026-56666MEDIUMCVSS 4.8EG 4.82026-07-10
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same …
- CVE-2026-56675HIGHCVSS 8.3EG 8.32026-07-10
9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 cause…
- CVE-2026-5676HIGHCVSS 7.3EG 7.32026-04-06
A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack c…
- CVE-2026-57107HIGHCVSS 7.8EG 7.82026-07-14
Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges locally.
- CVE-2026-57216CRITICALCVSS 10.0EG 10.02026-07-10
RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, AMQP 0-9-1, AMQP 1.0, and Stream Protocol authentication can allow a loopback-restricted user such as guest to connect remotely when traffic is acce…
- CVE-2026-5722CRITICALCVSS 9.8EG 9.82026-05-05
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the…
- CVE-2026-5795HIGHCVSS 7.4EG 7.42026-04-08
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator c…
- CVE-2026-58029MEDIUMCVSS 6.5EG 6.52026-07-01
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiChangeAuthenticationData.Php, includes/Api/ApiLinkAccount.Php, includes/Api/ApiRemoveAuthenticationData.Php, includes/Sp…
- CVE-2026-58253HIGHCVSS 8.8EG 8.82026-07-08
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could als…
- CVE-2026-58399HIGHCVSS 8.7EG 8.72026-06-18
@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateT…
- CVE-2026-58423HIGHCVSS 7.7EG 7.72026-07-03
LFS authentication bypass via malformed SSH sub-verb allows unauthorized read access to private repositories
- CVE-2026-59151CRITICALCVSS 9.6EG 9.62026-07-10
Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/ba…
- CVE-2026-59208MEDIUMCVSS 6.8EG 6.82026-07-09
n8n is an open source workflow automation platform. Prior to 2.27.4 and from 2.28.0 prior to 2.28.1, n8n instances configured with more than one trusted token-exchange issuer resolved external identities to local accounts using only the JW…
- CVE-2026-59224HIGHCVSS 8.0EG 8.02026-07-09
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query …
- CVE-2026-5959MEDIUMCVSS 6.6EG 6.62026-04-09
A security flaw has been discovered in GL.iNet GL-RM1, GL-RM10, GL-RM10RC and GL-RM1PE 1.8.1. Affected by this issue is some unknown functionality of the component Factory Reset Handler. Performing a manipulation results in improper authen…
- CVE-2026-59822HIGHCVSS 8.2EG 8.22026-07-08
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2…
- CVE-2026-59954HIGHCVSS 7.5EG 7.52026-07-13
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to configuration data when AccessKey or management key au…
- CVE-2026-59955HIGHCVSS 7.5EG 7.52026-07-13
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey or management ke…
- CVE-2026-6126HIGHCVSS 7.3EG 7.32026-04-12
A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to init…
- CVE-2026-6129HIGHCVSS 7.3EG 7.32026-04-12
A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated…
- CVE-2026-61435HIGHCVSS 8.2EG 8.22026-07-15
PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints (src/praisonai/praisonai/api/agent_invoke.py) when PRAISONAI_CALL_AUTH=disabled is configured. The safeguard intended to restrict the disa…
- CVE-2026-61436HIGHCVSS 8.6EG 8.62026-07-15
PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke conf…
- CVE-2026-61740CRITICALCVSS 9.3EG 9.32026-07-15
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to …
- CVE-2026-6274CRITICALCVSS 9.8EG 9.82026-06-05
Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality Not Properly Constrained by ACLs. This i…
- CVE-2026-6456HIGHCVSS 8.8EG 8.82026-05-20
The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret v…
- CVE-2026-6569HIGHCVSS 7.3EG 7.32026-04-19
A vulnerability was identified in kodcloud KodExplorer up to 4.52. This impacts the function fileGet of the file /app/controller/share.class.php of the component fileGet Endpoint. Such manipulation of the argument fileUrl leads to improper…
- CVE-2026-6577HIGHCVSS 7.3EG 7.32026-04-19
A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The …
- CVE-2026-6579MEDIUMCVSS 6.5EG 6.52026-04-19
A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiat…
- CVE-2026-6582HIGHCVSS 7.3EG 7.32026-04-19
A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing …
- CVE-2026-6588MEDIUMCVSS 6.5EG 6.52026-04-20
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can l…
- CVE-2026-6635HIGHCVSS 7.3EG 7.32026-04-20
A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tool…
- CVE-2026-6729MEDIUMCVSS 6.3EG 6.32026-04-20
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that l…
Map vulnerabilities like CWE-287 to your infrastructure
EchelonGraph correlates every CVE — across CWE-287 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →