CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 33 of 49
- CVE-2025-21623HIGHCVSS 7.5EG 7.52025-01-07
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.
- CVE-2025-22252CRITICALCVSS 9.8EG 9.82025-05-28
A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and version 7.6.0 may allow an attacker with knowledge of an exi…
- CVE-2025-23194MEDIUMCVSS 5.3EG 5.32025-03-11
SAP NetWeaver Enterprise Portal OBN does not perform proper authentication check for a particular configuration setting. As result, a non-authenticated user can set it to an undesired value causing low impact on integrity. There is no impa…
- CVE-2025-23293HIGHCVSS 8.7EG 8.72025-09-30
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to information disclosure.
- CVE-2025-23356HIGHCVSS 8.4EG 8.42025-10-14
NVIDIA Isaac Lab contains a vulnerability in SB3 configuration parsing. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
- CVE-2025-23417HIGHCVSS 8.6EG 8.62025-12-01
A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to tri…
- CVE-2025-2344MEDIUMCVSS 5.3EG 5.32025-03-16
A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing au…
- CVE-2025-2407CRITICALCVSS 9.3EG 9.32025-05-27
Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries to unrestricted access via the network. The vulnerability is fixed in Version 1.5.
- CVE-2025-24271MEDIUMCVSS 5.4EG 6.22025-04-29
An access issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An unauthenticated use…
- CVE-2025-24456MEDIUMCVSS 6.7EG 6.72025-01-21
In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping
- CVE-2025-24472HIGHCVSS 8.1EG 9.0⚠ KEV2025-02-11
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior kn…
- CVE-2025-24865CRITICALCVSS 10.0EG 10.02025-02-13
The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
- CVE-2025-24924CRITICALCVSS 9.8EG 9.82025-03-05
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username
- CVE-2025-25060HIGHCVSS 8.2EG 8.22025-04-02
Missing authentication for critical function vulnerability exists in AssetView and AssetView CLOUD. If exploited, the files on the server where the product is running may be obtained and/or deleted by a remote unauthenticated attacker.
- CVE-2025-25068HIGHCVSS 7.5EG 7.52025-03-21
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
- CVE-2025-25224HIGHCVSS 7.5EG 5.32025-02-18
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
- CVE-2025-25265MEDIUMCVSS 4.9EG 7.52025-06-16
A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure.
- CVE-2025-25268HIGHCVSS 8.8EG 8.82025-07-08
An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication.
- CVE-2025-2567CRITICALCVSS 9.8EG 9.82025-04-15
An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.
- CVE-2025-25736MEDIUMCVSS 6.8EG 9.82025-08-26
Kapsch TrafficCom RIS-9260 RSU LEO v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to contain Android Debug Bridge (ADB) pre-installed (/mnt/c3platpersistent/opt/platform-tools/adb) and enabled by default, allowing unauth…
- CVE-2025-26339CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availa…
- CVE-2025-26341CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP …
- CVE-2025-26342CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators…
- CVE-2025-26344CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTT…
- CVE-2025-26345CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP request…
- CVE-2025-26347CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
- CVE-2025-26359CRITICALCVSS 9.8EG 9.82025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.
- CVE-2025-26360MEDIUMCVSS 5.3EG 5.32025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.
- CVE-2025-26361CRITICALCVSS 9.1EG 9.12025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.
- CVE-2025-26362HIGHCVSS 7.5EG 7.52025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via …
- CVE-2025-26363HIGHCVSS 7.5EG 7.52025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted…
- CVE-2025-26364HIGHCVSS 7.5EG 7.52025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafte…
- CVE-2025-26365HIGHCVSS 7.5EG 7.52025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP …
- CVE-2025-26366HIGHCVSS 7.5EG 7.52025-02-12
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP…
- CVE-2025-26468HIGHCVSS 7.5EG 7.52025-06-09
CyberData 011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.
- CVE-2025-27019CRITICALCVSS 9.8EG 9.82025-12-08
Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell.This issue affects MTC-9: from R22.1.1.0275 before R23.0.
- CVE-2025-27020CRITICALCVSS 9.8EG 9.82025-12-08
Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on file system . This issue affects MTC-9: from R22.1.1.0275 before R23.0.
- CVE-2025-27214CRITICALCVSS 9.8EG 9.82025-08-21
A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Con…
- CVE-2025-27256HIGHCVSS 8.3EG 8.32025-03-10
Missing Authentication for Critical Function vulnerability in GE Vernova Enervista UR Setup application allows Authentication Bypass due to a missing SSH server authentication. Since the client connection is not authenticated, an attacker …
- CVE-2025-27538LOWCVSS 2.2EG 2.22025-04-16
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or…
- CVE-2025-27642CRITICALCVSS 9.8EG 9.82025-03-05
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Unauthenticated Driver Package Editing V-2024-008.
- CVE-2025-27647CRITICALCVSS 9.8EG 9.82025-03-05
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.913 Application 20.0.2253 allows Addition of Partial Admin Users Without Authentication V-2024-002.
- CVE-2025-27803MEDIUMCVSS 6.5EG 6.52025-05-21
The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actio…
- CVE-2025-27853HIGHCVSS 7.3EG 7.32026-05-13
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate wit…
- CVE-2025-27935HIGHCVSS 8.6EG 8.62025-12-04
The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.
- CVE-2025-29870HIGHCVSS 7.5EG 7.52025-04-09
Missing authentication for critical function vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a remote unauthenticated attacker may obtain the product configuration information including authentication information.
- CVE-2025-30035CRITICALCVSS 9.0EG 9.02026-03-02
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID i…
- CVE-2025-30037HIGHCVSS 8.8EG 8.82025-08-27
The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on…
- CVE-2025-30039CRITICALCVSS 9.0EG 9.02025-08-27
Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges.
- CVE-2025-30040CRITICALCVSS 9.0EG 9.02025-08-27
The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint.
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →