CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,407 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 40 of 49
- CVE-2026-10617HIGHCVSS 7.3EG 7.32026-06-02
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing au…
- CVE-2026-10711HIGHCVSS 8.8EG 8.82026-06-23
Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CafePlus: from 12.05.0…
- CVE-2026-11238MEDIUMCVSS 5.9EG 5.92026-06-04
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome…
- CVE-2026-11420CRITICALCVSS 9.8EG 9.82026-06-05
Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read packa…
- CVE-2026-11429CRITICALCVSS 10.0EG 10.02026-06-05
Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing ar…
- CVE-2026-11535CRITICALCVSS 9.4EG 9.42026-06-12
An unauthorized access vulnerability exists in the PcSuite APP. The vulnerability can be exploited by attackers to Unauthorized access to the victim’s device.
- CVE-2026-11848MEDIUMCVSS 5.3EG 5.32026-06-12
The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information.
- CVE-2026-12046CRITICALCVSS 9.0EG 9.02026-06-19
Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> -- were the only routes in the module missing the @pga_log…
- CVE-2026-12183CRITICALCVSS 9.8EG 9.82026-06-13
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (ad…
- CVE-2026-12199HIGHCVSS 7.5EG 7.52026-06-17
A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific u…
- CVE-2026-12490HIGHCVSS 7.5EG 7.52026-06-25
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (…
- CVE-2026-12527MEDIUMCVSS 6.0EG 6.02026-06-18
A broken authorization boundary in the RTSP media delivery pipeline of Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1_V1.0.6.020230803 enables unauthenticated network actors to bypass the device’s credenti…
- CVE-2026-12795HIGHCVSS 7.3EG 7.32026-06-21
A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing aut…
- CVE-2026-12819CRITICALCVSS 9.3EG 9.32026-06-30
Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.
- CVE-2026-13007HIGHCVSS 7.5EG 7.52026-06-23
Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/* that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings t…
- CVE-2026-13125HIGHCVSS 8.8EG 8.82026-07-02
GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the cap…
- CVE-2026-13164HIGHCVSS 8.8EG 8.82026-06-24
Missing Authentication for Critical Function (CWE-306) in the RegisterView (apps/accounts/views.py), exposed at POST /api/auth/register/, in MailerUp <1.0.1 allows a remote, unauthenticated attacker to self-register a working account on in…
- CVE-2026-1332MEDIUMCVSS 5.3EG 5.32026-01-22
MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information.
- CVE-2026-13325HIGHCVSS 8.5EG 8.52026-06-26
A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random por…
- CVE-2026-1341CRITICALCVSS 9.3EG 9.32026-02-03
Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.
- CVE-2026-13546HIGHCVSS 7.3EG 7.32026-06-29
A vulnerability was found in Feehi CMS up to 2.1.1. This vulnerability affects unknown code of the file /api/articles of the component REST API Endpoint. Performing a manipulation results in missing authentication. The attack may be initia…
- CVE-2026-1364CRITICALCVSS 9.8EG 9.82026-01-23
IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities.
- CVE-2026-1410MEDIUMCVSS 6.4EG 6.42026-01-26
A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. Th…
- CVE-2026-14162CRITICALCVSS 9.8EG 9.82026-06-30
Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.
- CVE-2026-1453CRITICALCVSS 9.8EG 9.82026-01-29
A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative contr…
- CVE-2026-14622HIGHCVSS 7.3EG 7.32026-07-04
A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 521428b5b612449df0cf4a5d15ee40cba67f3d35. This vulnerability affects unknown code of the file /admin/ajax_files of the component AJAX Endpoint. Performing a manipu…
- CVE-2026-14714MEDIUMCVSS 6.5EG 6.52026-07-05
A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.1.0. This issue affects the function verify_server of the file channel/wechatmp/common.py of the component wx Endpoint. This manipulation of the argument wechatmp_toke…
- CVE-2026-15063MEDIUMCVSS 6.3EG 6.32026-07-08
A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cl…
- CVE-2026-15192MEDIUMCVSS 6.5EG 6.52026-07-09
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to …
- CVE-2026-15491HIGHCVSS 7.3EG 7.32026-07-12
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. Th…
- CVE-2026-1579CRITICALCVSS 9.8EG 9.82026-03-31
The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIAL_CONTROL, which provides interactive shell access -- can be sen…
- CVE-2026-1603HIGHCVSS 8.6EG 9.0⚠ KEV2026-02-10
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
- CVE-2026-1632CRITICALCVSS 9.1EG 9.12026-02-03
MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset t…
- CVE-2026-1633CRITICALCVSS 10.0EG 10.02026-02-04
The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device.
- CVE-2026-1670CRITICALCVSS 9.8EG 9.82026-02-17
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
- CVE-2026-1729CRITICALCVSS 9.8EG 9.82026-02-12
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_use…
- CVE-2026-1840HIGHCVSS 7.5EG 7.52026-06-24
The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter o…
- CVE-2026-1900MEDIUMCVSS 6.5EG 6.52026-04-07
The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
- CVE-2026-1919MEDIUMCVSS 5.3EG 5.32026-03-10
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and includi…
- CVE-2026-1920MEDIUMCVSS 5.3EG 5.32026-03-10
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check…
- CVE-2026-20223CRITICALCVSS 10.0EG 10.02026-05-20
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is…
- CVE-2026-20253CRITICALCVSS 9.8EG 9.8⚠ KEV2026-06-10
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL s…
- CVE-2026-2065MEDIUMCVSS 6.3EG 6.32026-02-06
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. …
- CVE-2026-20803HIGHCVSS 7.2EG 7.22026-01-13
Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-21445CRITICALCVSS 9.1EG 9.12026-01-02
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to acce…
- CVE-2026-21446CRITICALCVSS 9.8EG 9.82026-01-02
Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessi…
- CVE-2026-2165HIGHCVSS 7.3EG 7.32026-02-08
A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument em…
- CVE-2026-21767MEDIUMCVSS 4.0EG 4.02026-04-02
HCL BigFix Platform is affected by insufficient authentication. The application might allow users to access sensitive areas of the application without proper authentication.
- CVE-2026-22096CRITICALCVSS 9.3EG 9.32026-07-13
The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.
- CVE-2026-22174MEDIUMCVSS 6.8EG 6.82026-03-18
OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback po…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →