CWE-287— Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.— MITRE CWE catalog
4,486 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-287page 90 of 90
- CVE-2026-6588MEDIUMCVSS 6.5EG 6.52026-04-20
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can l…
- CVE-2026-6635HIGHCVSS 7.3EG 7.32026-04-20
A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tool…
- CVE-2026-6729MEDIUMCVSS 6.3EG 6.32026-04-20
HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exploiting a shared ohmo session key that l…
- CVE-2026-7022HIGHCVSS 7.3EG 7.32026-04-26
A security vulnerability has been detected in SmythOS sre up to 0.0.15. Affected is the function AgentRuntime of the file packages/core/src/subsystems/AgentManager/AgentRuntime.class.ts of the component HTTP Header Handler. Such manipulati…
- CVE-2026-7042HIGHCVSS 7.3EG 7.32026-04-26
A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible …
- CVE-2026-7112MEDIUMCVSS 5.6EG 5.62026-04-27
A vulnerability has been found in NousResearch hermes-agent 0.8.0. Affected by this vulnerability is the function _check_auth of the file gateway/platforms/api_server.py of the component API_SERVER_KEY Handler. The manipulation leads to im…
- CVE-2026-7113MEDIUMCVSS 5.6EG 5.62026-04-27
A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_A…
- CVE-2026-7630HIGHCVSS 7.3EG 7.32026-05-02
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The…
- CVE-2026-7664CRITICALCVSS 9.8EG 9.82026-06-22
IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
- CVE-2026-7679HIGHCVSS 7.3EG 7.32026-05-03
A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Per…
- CVE-2026-7710HIGHCVSS 7.3EG 7.32026-05-04
A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-…
- CVE-2026-7714MEDIUMCVSS 6.5EG 6.52026-05-04
A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authenticati…
- CVE-2026-7722MEDIUMCVSS 5.3EG 5.32026-05-04
A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possi…
- CVE-2026-7723HIGHCVSS 7.3EG 7.32026-05-04
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be perform…
- CVE-2026-7844MEDIUMCVSS 6.3EG 6.32026-05-05
A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_…
- CVE-2026-7876CRITICALCVSS 9.1EG 9.12026-05-27
IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 is affected by an authentication bypass vulnerability. A transfer client may be able to take advantage of this vulnerability to access files in the server's local storage that they should not …
- CVE-2026-8031MEDIUMCVSS 5.3EG 5.32026-05-06
A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing…
- CVE-2026-8181CRITICALCVSS 9.8EG 9.82026-05-14
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `i…
- CVE-2026-8185MEDIUMCVSS 6.3EG 6.32026-05-09
A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on …
- CVE-2026-8214MEDIUMCVSS 5.3EG 5.32026-05-10
A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possi…
- CVE-2026-8216HIGHCVSS 7.3EG 7.32026-05-10
A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This issue affects the function iasServerRemoteInterface.doAction of the component Java RMI Session Management. Such manipulation leads to improper auth…
- CVE-2026-8244MEDIUMCVSS 5.3EG 5.32026-05-10
A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. …
- CVE-2026-8293HIGHCVSS 7.5EG 7.52026-06-02
The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authen…
- CVE-2026-8305HIGHCVSS 7.3EG 7.32026-05-11
A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulatio…
- CVE-2026-8321HIGHCVSS 7.3EG 7.32026-05-11
A vulnerability was detected in inkeep agents 0.58.14. This vulnerability affects the function createDevContext of the file agents-api/src/middleware/runAuth.ts of the component runAuth Middleware. Performing a manipulation results in auth…
- CVE-2026-8621HIGHCVSS 8.8EG 8.82026-05-14
Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner a…
- CVE-2026-8737MEDIUMCVSS 5.3EG 5.32026-05-17
A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Add…
- CVE-2026-8979CRITICALCVSS 9.3EG 9.32026-05-28
The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoi…
- CVE-2026-8994HIGHCVSS 8.1EG 8.12026-05-27
The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthen…
- CVE-2026-9084MEDIUMCVSS 6.0EG 6.02026-05-20
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations whe…
- CVE-2026-9090CRITICALCVSS 9.1EG 9.12026-05-28
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from …
- CVE-2026-9091MEDIUMCVSS 5.3EG 5.32026-05-28
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without…
- CVE-2026-9371MEDIUMCVSS 5.6EG 5.62026-05-24
A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may b…
- CVE-2026-9373LOWCVSS 3.7EG 3.72026-05-24
A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remo…
- CVE-2026-9398LOWCVSS 3.1EG 3.12026-05-24
A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be car…
- CVE-2026-9695CRITICALCVSS 9.8EG 9.82026-07-08
An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.
Map vulnerabilities like CWE-287 to your infrastructure
EchelonGraph correlates every CVE — across CWE-287 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →