CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,407 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 39 of 49
- CVE-2025-7405HIGHCVSS 7.3EG 7.32025-09-01
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation o…
- CVE-2025-7635HIGHCVSS 7.7EG 7.72025-09-09
Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.
- CVE-2025-7679HIGHCVSS 8.1EG 7.42025-08-11
The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT
- CVE-2025-7706MEDIUMCVSS 6.1EG 6.12026-02-17
Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion. This issue affects Liderahenk: from 3.0.0 to 3.3.1 before 3.5.0.
- CVE-2025-7774HIGHCVSS 8.8EG 8.82025-08-14
A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions.
- CVE-2025-7862CRITICALCVSS 9.8EG 7.32025-07-20
A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation …
- CVE-2025-7897CRITICALCVSS 9.8EG 7.32025-07-20
A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads …
- CVE-2025-7970HIGHCVSS 7.5EG 7.52025-09-09
A security issue exists within FactoryTalk Activation Manager. An error in the implementation of cryptography within the software could allow attackers to decrypt traffic. This could result in data exposure, session hijacking, or full com…
- CVE-2025-8025CRITICALCVSS 9.8EG 9.82026-02-11
Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1…
- CVE-2025-8279CRITICALCVSS 9.8EG 8.72025-07-28
Insufficient input validation within GitLab Language Server 7.6.0 and later before 7.30.0 allows arbitrary GraphQL query execution
- CVE-2025-8284CRITICALCVSS 9.8EG 9.82025-08-08
By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.
- CVE-2025-8286CRITICALCVSS 9.3EG 9.82025-07-31
The affected products expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.
- CVE-2025-8350CRITICALCVSS 9.8EG 9.82026-02-19
Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting. This issue affects BiEticaret CMS: f…
- CVE-2025-8450HIGHCVSS 8.2EG 8.22025-08-19
Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.
- CVE-2025-8558MEDIUMCVSS 5.4EG 5.42025-11-03
Insider Threat Management (ITM) Server versions prior to 7.17.2 contain an authentication bypass vulnerability that allows unauthenticated users on an adjacent network to perform agent unregistration when the number of registered agents …
- CVE-2025-8610CRITICALCVSS 9.8EG 9.82025-08-20
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is no…
- CVE-2025-8611CRITICALCVSS 9.8EG 9.82025-08-20
AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is no…
- CVE-2025-8627HIGHCVSS 8.8EG 8.82025-08-25
The TP-Link KP303 Smartplug can be issued unauthenticated protocol commands that may cause unintended power-off condition and potential information leak. This issue affects TP-Link KP303 (US) Smartplug: before 1.1.0.
- CVE-2025-8754HIGHCVSS 7.5EG 7.52025-08-13
Missing Authentication for Critical Function vulnerability in ABB ABB AbilityTM zenon.This issue affects ABB AbilityTM zenon: from 7.50 through 14.
- CVE-2025-8861CRITICALCVSS 9.8EG 9.82025-08-29
TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
- CVE-2025-8943CRITICALCVSS 9.8EG 9.82025-08-14
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access contro…
- CVE-2025-8995CRITICALCVSS 9.8EG 9.82025-08-15
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
- CVE-2025-9152CRITICALCVSS 9.8EG 9.82025-10-16
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this fl…
- CVE-2025-9160HIGHCVSS 7.0EG 7.02025-09-09
A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution.
- CVE-2025-9214MEDIUMCVSS 5.4EG 5.42025-09-11
A missing authentication vulnerability was reported in some Lenovo printers that could allow a user to view limited device information or modify network settings via the CUPS service.
- CVE-2025-9254CRITICALCVSS 9.8EG 9.82025-08-22
WebITR developed by Uniong has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to log into the system as arbitrary users by exploiting a specific functionality.
- CVE-2025-9312CRITICALCVSS 9.8EG 9.82025-11-18
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication…
- CVE-2025-9574CRITICALCVSS 10.0EG 9.12025-10-20
Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects . All firmware versions with the Serial Number from 2000 to 5166
- CVE-2025-9815HIGHCVSS 7.8EG 7.82025-09-02
A weakness has been identified in alaneuler batteryKid up to 2.1 on macOS. The affected element is an unknown function of the file PrivilegeHelper/PrivilegeHelper.swift of the component NSXPCListener. This manipulation causes missing authe…
- CVE-2025-9971CRITICALCVSS 9.8EG 9.82025-09-17
Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality.
- CVE-2025-9983HIGHCVSS 7.1EG 7.12025-09-22
GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However these credentials are not required to access the stream. Changing these values does not change camer…
- CVE-2025-9994CRITICALCVSS 9.8EG 9.82025-09-09
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.
- CVE-2026-0204HIGHCVSS 8.0EG 8.02026-04-29
A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.
- CVE-2026-0247MEDIUMCVSS 5.9EG 5.92026-05-13
Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.
- CVE-2026-0283HIGHCVSS 7.2EG 7.22026-07-09
An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN co…
- CVE-2026-0492HIGHCVSS 8.8EG 8.82026-01-13
SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the sys…
- CVE-2026-0545HIGHCVSS 8.1EG 9.12026-04-03
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job exe…
- CVE-2026-0611CRITICALCVSS 9.8EG 9.82026-06-02
Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel exposed on port 8989 that allows attackers to …
- CVE-2026-0625CRITICALCVSS 9.3EG 9.32026-01-05
Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly reques…
- CVE-2026-0647HIGHCVSS 0.0EG 0.02026-06-16
An improper authentication security issue exists within the 1794-AENTR adapter's embedded web... An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthentic…
- CVE-2026-0650CRITICALCVSS 9.3EG 9.32026-01-07
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and a…
- CVE-2026-0778HIGHCVSS 8.8EG 8.82026-01-23
Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations.…
- CVE-2026-0842MEDIUMCVSS 6.3EG 6.32026-01-11
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local …
- CVE-2026-0942MEDIUMCVSS 5.3EG 5.32026-01-16
The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and inc…
- CVE-2026-10054HIGHCVSS 8.8EG 8.82026-07-03
In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin vali…
- CVE-2026-1019CRITICALCVSS 9.8EG 9.82026-01-16
Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality.
- CVE-2026-1023HIGHCVSS 7.5EG 7.52026-01-16
Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents.
- CVE-2026-10243HIGHCVSS 7.3EG 7.32026-06-01
A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack r…
- CVE-2026-10281HIGHCVSS 7.3EG 7.32026-06-01
A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attac…
- CVE-2026-10283MEDIUMCVSS 6.3EG 6.32026-06-01
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible.…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →