CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 29 of 49
- CVE-2024-46506CRITICALCVSS 10.0EG 10.02025-05-13
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settin…
- CVE-2024-47130HIGHCVSS 8.8EG 6.52024-09-26
The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P and group messages. It is advised to update your app to the current release for enhanced encryption protocols.
- CVE-2024-47138CRITICALCVSS 9.8EG 9.82024-11-22
The administrative interface listens by default on all interfaces on a TCP port and does not require authentication when being accessed.
- CVE-2024-47406CRITICALCVSS 9.1EG 9.12024-10-25
Sharp and Toshiba Tec MFPs improperly process HTTP authentication requests, resulting in an authentication bypass vulnerability.
- CVE-2024-47555HIGHCVSS 8.3EG 8.32024-10-07
Missing Authentication - User & System Configuration
- CVE-2024-47574HIGHCVSS 7.8EG 7.82024-11-13
A authentication bypass using an alternate path or channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows low privilege attacker to execute arbitra…
- CVE-2024-47575CRITICALCVSS 9.8EG 9.8⚠ KEV2024-10-23
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.…
- CVE-2024-47865MEDIUMCVSS 5.3EG 5.32024-11-20
Missing authentication for critical function vulnerability exists in Rakuten Turbo 5G firmware version V1.3.18 and earlier. If this vulnerability is exploited, a remote unauthenticated attacker may update or downgrade the firmware on the d…
- CVE-2024-47902HIGHCVSS 7.2EG 7.22024-10-23
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The…
- CVE-2024-47912HIGHCVSS 8.2EG 8.22024-10-21
A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication m…
- CVE-2024-48442MEDIUMCVSS 6.5EG 6.52024-10-24
Incorrect access control in Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 allows attackers to access the SSH protocol without authentication.
- CVE-2024-48768HIGHCVSS 7.5EG 7.52024-10-11
An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process
- CVE-2024-48771HIGHCVSS 7.5EG 7.52024-10-11
An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process
- CVE-2024-48773HIGHCVSS 7.5EG 7.52024-10-11
An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process
- CVE-2024-48774HIGHCVSS 7.5EG 7.52024-10-11
An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitve information via the firmware update process.
- CVE-2024-48775HIGHCVSS 7.5EG 7.52024-10-11
An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48776HIGHCVSS 7.5EG 7.52024-10-11
An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process
- CVE-2024-48777HIGHCVSS 7.5EG 7.52024-10-11
LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process.
- CVE-2024-48791HIGHCVSS 7.5EG 7.52024-10-14
An issue in Plug n Play Camera com.starvedia.mCamView.zwave 5.5.1 allows a remote attacker to obtain sensitive information via the firmware update process
- CVE-2024-48882HIGHCVSS 8.6EG 8.62025-12-01
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this…
- CVE-2024-48920CRITICALCVSS 9.1EG 9.12024-10-17
PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially co…
- CVE-2024-48950HIGHCVSS 7.5EG 7.52024-11-07
An issue was discovered in Logpoint before 7.5.0. An endpoint used by Distributed Logpoint Setup was exposed, allowing unauthenticated attackers to bypass CSRF protections and authentication.
- CVE-2024-48952MEDIUMCVSS 6.4EG 6.42024-11-07
An issue was discovered in Logpoint before 7.5.0. SOAR uses a static JWT secret key to generate tokens that allow access to SOAR API endpoints without authentication. This static key vulnerability enables attackers to create custom JWT sec…
- CVE-2024-48953HIGHCVSS 7.5EG 7.52024-11-07
An issue was discovered in Logpoint before 7.5.0. Endpoints for creating, editing, or deleting third-party authentication modules lacked proper authorization checks. This allowed unauthenticated users to register their own authentication p…
- CVE-2024-48966CRITICALCVSS 10.0EG 10.02024-11-14
The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. An attacker with access to the Service PC where the tools are installed could obtain diagnostic information through the tes…
- CVE-2024-49052HIGHCVSS 8.2EG 8.22024-11-26
Missing authentication for critical function in Microsoft Azure PolicyWatch allows an unauthorized attacker to elevate privileges over a network.
- CVE-2024-49328CRITICALCVSS 9.8EG 9.82024-10-20
Authentication Bypass Using an Alternate Path or Channel vulnerability in vivek2tamrakar WP REST API FNS rest-api-fns allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through <= 1.0.0.
- CVE-2024-49399HIGHCVSS 8.7EG 8.72024-10-17
The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information.
- CVE-2024-49572HIGHCVSS 7.2EG 7.22025-12-01
A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credenti…
- CVE-2024-49604CRITICALCVSS 9.8EG 9.82024-10-20
Authentication Bypass Using an Alternate Path or Channel vulnerability in N-Media Simple User Registration wp-registration allows Authentication Bypass.This issue affects Simple User Registration: from n/a through <= 6.7.
- CVE-2024-50375CRITICALCVSS 9.8EG 9.82024-11-26
A CWE-306 "Missing Authentication for Critical Function" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can …
- CVE-2024-50381HIGHCVSS 8.8EG 8.82024-12-02
A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device and can make a request t…
- CVE-2024-50477CRITICALCVSS 9.8EG 9.82024-10-28
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3.
- CVE-2024-50486CRITICALCVSS 9.8EG 9.82024-10-28
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass.This issue affects Acnoo Flutter API: from n/a through <= 1.0.5.
- CVE-2024-50487CRITICALCVSS 9.8EG 9.82024-10-28
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass.This issue affects MaanStore API: from n/a through <= 1.0.1.
- CVE-2024-50488HIGHCVSS 8.8EG 8.82024-10-28
Authentication Bypass Using an Alternate Path or Channel vulnerability in yespbs Token Login token-login allows Authentication Bypass.This issue affects Token Login: from n/a through <= 1.0.3.
- CVE-2024-50489CRITICALCVSS 9.8EG 9.82024-10-28
Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through <= 1.0.45.
- CVE-2024-50589HIGHCVSS 7.5EG 7.52024-11-08
An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR).
- CVE-2024-50630HIGHCVSS 7.5EG 7.52025-03-19
Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspec…
- CVE-2024-51362MEDIUMCVSS 6.5EG 6.52024-11-05
The LSC Smart Connect Indoor IP Camera V7.6.32 is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized use…
- CVE-2024-5143MEDIUMCVSS 6.8EG 6.82024-05-23
A user with device administrative privileges can change existing SMTP server settings on the device, without having to re-enter SMTP server credentials. By redirecting send-to-email traffic to the new server, the original SMTP server cred…
- CVE-2024-51493MEDIUMCVSS 5.3EG 5.32024-11-05
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's Octo…
- CVE-2024-51567CRITICALCVSS 10.0EG 10.0⚠ KEV2024-10-29
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is …
- CVE-2024-52285MEDIUMCVSS 5.3EG 5.32025-03-11
A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.8), SiPass integrated ACC-AP (All versions < V6.4.8). Affected devices expose several MQTT URLs without authentication. This could allow an unaut…
- CVE-2024-52437HIGHCVSS 8.8EG 8.82024-11-20
Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation.This issue affects Banner System: from n/a through <= 1.0.0.
- CVE-2024-52438HIGHCVSS 8.8EG 8.82024-11-20
Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.This issue affects de:branding: from n/a through <= 1.0.2.
- CVE-2024-53623HIGHCVSS 7.5EG 7.52024-11-29
Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information.
- CVE-2024-53701LOWCVSS 3.1EG 3.12024-11-29
Multiple FCNT Android devices provide the original security features such as "privacy mode" where arbitrary applications can be set not to be displayed, etc. Under certain conditions, and when an attacker can directly operate the device w…
- CVE-2024-54013HIGHCVSS 8.8EG 8.72026-04-28
Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has re…
- CVE-2024-54153LOWCVSS 3.1EG 3.12024-12-04
In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →