CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,407 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 41 of 49
- CVE-2026-22192CRITICALCVSS 9.9EG 6.12026-03-13
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify clie…
- CVE-2026-22207CRITICALCVSS 9.8EG 9.82026-02-26
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send r…
- CVE-2026-22238CRITICALCVSS 9.8EG 9.82026-01-14
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to c…
- CVE-2026-2234CRITICALCVSS 9.1EG 9.12026-02-09
C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content.
- CVE-2026-2248CRITICALCVSS 9.8EG 9.82026-02-11
METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with…
- CVE-2026-2249CRITICALCVSS 9.8EG 9.82026-02-11
METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with…
- CVE-2026-22552CRITICALCVSS 9.4EG 9.42026-03-06
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint usi…
- CVE-2026-22679CRITICALCVSS 9.8EG 9.82026-04-07
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by…
- CVE-2026-22788HIGHCVSS 8.2EG 8.22026-01-12
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote atta…
- CVE-2026-22812HIGHCVSS 8.8EG 8.82026-01-12
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user…
- CVE-2026-22898CRITICALCVSS 9.8EG 9.82026-03-20
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the followi…
- CVE-2026-22924CRITICALCVSS 9.1EG 9.12026-05-12
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attack…
- CVE-2026-2339HIGHCVSS 7.5EG 7.52026-03-10
Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection. This issue affects Liderahenk: before 3.5.1.
- CVE-2026-23662HIGHCVSS 7.5EG 7.52026-03-10
Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
- CVE-2026-23693CRITICALCVSS 10.0EG 10.02026-02-23
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authenticati…
- CVE-2026-23744CRITICALCVSS 9.8EG 9.82026-01-16
MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the ins…
- CVE-2026-23746CRITICALCVSS 9.3EG 9.32026-01-15
Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCa…
- CVE-2026-23751CRITICALCVSS 9.8EG 9.82026-04-23
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and …
- CVE-2026-23944CRITICALCVSS 9.8EG 9.82026-01-19
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without …
- CVE-2026-24062HIGHCVSS 7.8EG 7.82026-03-18
The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privil…
- CVE-2026-24068HIGHCVSS 8.8EG 8.82026-03-26
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not v…
- CVE-2026-24088HIGHCVSS 8.2EG 8.22026-06-01
Cryptographic Issue while processing a specific partition which allows unauthorized write access to load a customized bootloader.
- CVE-2026-24090HIGHCVSS 7.1EG 7.12026-06-01
Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow.
- CVE-2026-24124CRITICALCVSS 9.8EG 9.82026-01-22
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing c…
- CVE-2026-24177HIGHCVSS 7.7EG 7.72026-04-21
NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.
- CVE-2026-24423CRITICALCVSS 9.8EG 9.8⚠ KEV2026-01-23
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the ma…
- CVE-2026-24728CRITICALCVSS 9.3EG 9.32026-01-30
A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authent…
- CVE-2026-24789CRITICALCVSS 9.8EG 9.82026-02-11
An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.
- CVE-2026-24790HIGHCVSS 8.2EG 8.22026-02-20
The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.
- CVE-2026-25058HIGHCVSS 7.5EG 7.52026-04-20
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns t…
- CVE-2026-25084CRITICALCVSS 9.8EG 9.82026-02-11
Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs.
- CVE-2026-25116HIGHCVSS 7.6EG 7.62026-01-29
Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system's `docker-com…
- CVE-2026-25137CRITICALCVSS 9.1EG 9.12026-02-02
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and…
- CVE-2026-25192CRITICALCVSS 9.4EG 9.42026-03-20
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint usi…
- CVE-2026-25505CRITICALCVSS 9.8EG 9.82026-02-04
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This …
- CVE-2026-25550CRITICALCVSS 9.8EG 9.82026-06-04
Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singlet…
- CVE-2026-25593HIGHCVSS 8.4EG 8.42026-02-06
OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enablin…
- CVE-2026-25599MEDIUMCVSS 6.3EG 6.32026-06-01
Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’…
- CVE-2026-25751HIGHCVSS 7.5EG 7.52026-02-06
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation al…
- CVE-2026-2577CRITICALCVSS 10.0EG 10.02026-02-16
The WhatsApp bridge component in Nanobot binds the WebSocket server to all network interfaces (0.0.0.0) on port 3001 by default and does not require authentication for incoming connections. An unauthenticated remote attacker with network a…
- CVE-2026-25775CRITICALCVSS 9.8EG 9.82026-04-24
A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable ho…
- CVE-2026-25791HIGHCVSS 7.5EG 7.52026-02-09
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even…
- CVE-2026-25848CRITICALCVSS 9.1EG 9.12026-02-09
In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible
- CVE-2026-25878MEDIUMCVSS 5.3EG 5.32026-02-09
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session v…
- CVE-2026-25885HIGHCVSS 7.5EG 7.52026-02-09
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by p…
- CVE-2026-25895CRITICALCVSS 9.8EG 9.82026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affe…
- CVE-2026-25938CRITICALCVSS 9.8EG 9.82026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the…
- CVE-2026-26027HIGHCVSS 7.5EG 7.52026-04-06
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
- CVE-2026-2603HIGHCVSS 8.1EG 8.12026-03-18
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacke…
- CVE-2026-26048HIGHCVSS 7.5EG 7.52026-02-20
The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without authentication or encryption. An attacker …
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →