CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 30 of 49
- CVE-2024-54155LOWCVSS 3.7EG 3.72024-12-04
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
- CVE-2024-54176MEDIUMCVSS 4.3EG 4.32025-02-08
IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 and IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14 and 7.3 through 7.3.2 could allow an authenticated user to obtain sensitive informat…
- CVE-2024-54983CRITICALCVSS 9.8EG 9.82024-12-19
An issue in Quectel BC95-CNV V100R001C00SPC051 allows attackers to bypass authentication via a crafted NAS message.
- CVE-2024-54984CRITICALCVSS 9.8EG 9.82024-12-19
An issue in Quectel BG96 BG96MAR02A08M1G allows attackers to bypass authentication via a crafted NAS message. NOTE: this is disputed by the supplier.
- CVE-2024-55538MEDIUMCVSS 4.0EG 4.02025-01-02
Sensitive information disclosure due to missing authentication. The following products are affected: Acronis True Image (macOS) before build 41725, Acronis True Image (Windows) before build 41736, Acronis True Image OEM (macOS) before buil…
- CVE-2024-55585CRITICALCVSS 9.0EG 9.02025-06-07
In the moPS App through 1.8.618, all users can access administrative API endpoints without additional authentication, resulting in unrestricted read and write access, as demonstrated by /api/v1/users/resetpassword.
- CVE-2024-56469MEDIUMCVSS 6.3EG 6.32025-03-27
IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.22, 7.2 through 7.2.3.15, and 7.3 through 7.3.2.10 / IBM DevOps Deploy 8.0 through 8.0.1.5 and 8.1 through 8.1.0.1 could allow unauthorized access to other services or potential exposure of sens…
- CVE-2024-56799CRITICALCVSS 10.0EG 10.02024-12-30
Simofa is a tool to help automate static website building and deployment. Prior to version 0.2.7, due to a design mistake in the RouteLoader class, some API routes may be publicly accessible when they should require authentication. This vu…
- CVE-2024-57055MEDIUMCVSS 5.0EG 5.02025-02-18
Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not …
- CVE-2024-5718HIGHCVSS 8.1EG 8.12024-11-22
Logsign Unified SecOps Platform Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication i…
- CVE-2024-5721HIGHCVSS 8.1EG 8.12024-11-22
Logsign Unified SecOps Platform Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication i…
- CVE-2024-5749HIGHCVSS 7.5EG 7.52024-10-15
Certain HP DesignJet products may be vulnerable to credential reflection which allow viewing SMTP server credentials.
- CVE-2024-57725MEDIUMCVSS 6.5EG 5.12025-02-14
An issue in the Arcadyan Livebox Fibra PRV3399B_B_LT allows a remote or local attacker to modify the GPON link value without authentication, causing an internet service disruption via the /firstconnection.cgi endpoint.
- CVE-2024-58300HIGHCVSS 8.7EG 8.72025-12-11
Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded comman…
- CVE-2024-58336MEDIUMCVSS 5.3EG 9.82025-12-30
Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authenticati…
- CVE-2024-5910CRITICALCVSS 9.8EG 9.8⚠ KEV2024-07-10
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration…
- CVE-2024-5947MEDIUMCVSS 6.5EG 6.52024-06-13
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Elec…
- CVE-2024-5951MEDIUMCVSS 6.5EG 7.12024-06-13
Deep Sea Electronics DSE855 Factory Reset Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Deep Sea Electronics DSE855 device…
- CVE-2024-5952MEDIUMCVSS 6.5EG 4.32024-06-13
Deep Sea Electronics DSE855 Restart Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Deep Sea Electronics DSE855 devices. Aut…
- CVE-2024-6347MEDIUMCVSS 6.5EG 6.52024-08-15
* Unprotected privileged mode access through UDS session in the Blind Spot Detection Sensor ECU firmware in Nissan Altima (2022) allows attackers to trigger denial-of-service (DoS) by unauthorized access to the ECU's programming session. …
- CVE-2024-6406HIGHCVSS 8.5EG 8.52024-09-18
Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affects Mobile Library Application: before 5…
- CVE-2024-6422CRITICALCVSS 9.8EG 9.82024-07-10
An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data.
- CVE-2024-6582MEDIUMCVSS 4.3EG 4.32024-09-13
A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization…
- CVE-2024-6592CRITICALCVSS 9.1EG 9.12024-09-25
Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Byp…
- CVE-2024-6635HIGHCVSS 7.3EG 7.32024-07-20
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unau…
- CVE-2024-6842HIGHCVSS 7.5EG 7.52025-03-20
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as AP…
- CVE-2024-6895MEDIUMCVSS 6.1EG 6.12024-07-19
Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and…
- CVE-2024-6981CRITICALCVSS 9.8EG 9.82024-09-27
OMNTEC Proteus Tank Monitoring OEL8000III Series could allow an attacker to perform administrative actions without proper authentication.
- CVE-2024-7007CRITICALCVSS 9.8EG 9.82024-07-25
Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an authentication bypass exploit that could allow an attacker to have unauthorized access to protected areas of the application.
- CVE-2024-7015CRITICALCVSS 9.8EG 9.82024-09-09
Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse. This issue affects PassBox: before v1.2.
- CVE-2024-7079MEDIUMCVSS 6.5EG 5.42024-07-24
A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithU…
- CVE-2024-7125HIGHCVSS 7.8EG 7.82024-08-27
Authentication Bypass vulnerability in Hitachi Ops Center Common Services.This issue affects Hitachi Ops Center Common Services: from 10.9.3-00 before 11.0.2-01.
- CVE-2024-7154MEDIUMCVSS 4.3EG 4.32024-07-28
A vulnerability, which was classified as problematic, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is an unknown function of the file /wizard.html of the component Password Reset Handler. The manipulation leads to improper …
- CVE-2024-7503CRITICALCVSS 9.8EG 9.82024-08-12
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' funct…
- CVE-2024-7516HIGHCVSS 7.1EG 4.82024-11-12
A vulnerability in Brocade Fabric OS versions before 9.2.2 could allow man-in-the-middle attackers to conduct remote Service Session Hijacking that may arise from the attacker's ability to forge an SSH key while the Brocade Fabric OS Switc…
- CVE-2024-7628HIGHCVSS 8.1EG 8.12024-08-15
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verify_id_token' func…
- CVE-2024-7726MEDIUMCVSS 6.8EG 6.82024-12-20
There exists an unauthenticated accessible JTAG port on the Kioxia PM6, PM7 and CM6 devices - On the Kioxia CM6, PM6 and PM7 disk drives it was discovered that the 2 main CPU cores of the SoC can be accessed via an open JTAG debug port th…
- CVE-2024-7781HIGHCVSS 8.1EG 8.12024-09-26
The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated atta…
- CVE-2024-7940HIGHCVSS 8.3EG 8.32024-08-27
The product exposes a service that is intended for local only to all network interfaces without any authentication.
- CVE-2024-8012HIGHCVSS 7.8EG 7.82024-09-10
An authentication bypass weakness in the message broker service of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.
- CVE-2024-8053HIGHCVSS 8.2EG 7.52025-03-20
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST re…
- CVE-2024-8057MEDIUMCVSS 4.3EG 4.32025-03-20
In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basi…
- CVE-2024-8074CRITICALCVSS 9.3EG 7.12024-11-12
Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024.
- CVE-2024-8196CRITICALCVSS 9.8EG 9.82025-03-20
In mintplex-labs/anything-llm v1.5.11 desktop version for Windows, the application opens server port 3001 on 0.0.0.0 with no authentication by default. This vulnerability allows an attacker to gain full backend access, enabling them to per…
- CVE-2024-8277CRITICALCVSS 9.8EG 9.82024-09-11
The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the lo…
- CVE-2024-8310CRITICALCVSS 9.8EG 9.82024-09-27
OPW Fuel Management Systems SiteSentinel could allow an attacker to bypass authentication to the server and obtain full admin privileges.
- CVE-2024-8320MEDIUMCVSS 5.3EG 5.32024-09-10
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices.
- CVE-2024-8321MEDIUMCVSS 5.8EG 5.82024-09-10
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network.
- CVE-2024-8419HIGHCVSS 7.5EG 7.52025-06-30
The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication.
- CVE-2024-8456CRITICALCVSS 9.8EG 9.82024-09-30
Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining …
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →