CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,409 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 43 of 49
- CVE-2026-33032CRITICALCVSS 9.8EG 9.82026-03-30
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and a…
- CVE-2026-3323HIGHCVSS 7.5EG 7.52026-04-28
An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.
- CVE-2026-33231HIGHCVSS 7.5EG 7.52026-03-20
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticat…
- CVE-2026-33543CRITICALCVSS 9.3EG 9.32026-06-24
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, th…
- CVE-2026-33715HIGHCVSS 7.2EG 7.22026-04-14
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does n…
- CVE-2026-33788HIGHCVSS 7.8EG 7.82026-04-09
A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FP…
- CVE-2026-33951HIGHCVSS 7.5EG 7.52026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorit…
- CVE-2026-34072CRITICALCVSS 9.8EG 9.82026-04-01
Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid sessio…
- CVE-2026-34160HIGHCVSS 8.6EG 8.62026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a …
- CVE-2026-34266MEDIUMCVSS 6.5EG 6.52026-04-21
Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attack…
- CVE-2026-34275CRITICALCVSS 9.8EG 9.82026-04-21
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthentica…
- CVE-2026-34279CRITICALCVSS 9.1EG 9.12026-04-21
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privile…
- CVE-2026-34280MEDIUMCVSS 6.5EG 6.52026-04-21
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Job Profile Manager). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker…
- CVE-2026-34285CRITICALCVSS 9.1EG 9.12026-04-21
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with net…
- CVE-2026-34286CRITICALCVSS 9.1EG 9.12026-04-21
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with net…
- CVE-2026-34288MEDIUMCVSS 5.9EG 5.92026-04-21
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with n…
- CVE-2026-34289MEDIUMCVSS 5.9EG 5.92026-04-21
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with n…
- CVE-2026-34411MEDIUMCVSS 5.3EG 5.32026-03-27
Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configurati…
- CVE-2026-34472HIGHCVSS 7.1EG 7.12026-03-30
Unauthenticated credential disclosure in the wizard interface in ZTE ZXHN H188A V6.0.10P2_TE and V6.0.10P3N3_TE allows unauthenticated attackers on the local network to retrieve sensitive credentials from the router's web management interf…
- CVE-2026-34758CRITICALCVSS 9.1EG 9.12026-04-02
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. …
- CVE-2026-34839MEDIUMCVSS 6.5EG 6.52026-04-21
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due …
- CVE-2026-34952CRITICALCVSS 9.1EG 9.12026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate regist…
- CVE-2026-34999MEDIUMCVSS 5.3EG 5.32026-04-01
OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/…
- CVE-2026-35053CRITICALCVSS 9.8EG 9.82026-04-02
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints (GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowI…
- CVE-2026-35064HIGHCVSS 7.5EG 7.52026-04-24
A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces…
- CVE-2026-35065HIGHCVSS 8.8EG 8.82026-06-17
Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to…
- CVE-2026-35265HIGHCVSS 8.8EG 8.82026-06-17
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with net…
- CVE-2026-35267HIGHCVSS 8.8EG 8.82026-06-17
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker …
- CVE-2026-35273CRITICALCVSS 9.8EG 9.8⚠ KEV2026-06-11
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticate…
- CVE-2026-35274HIGHCVSS 8.2EG 8.22026-06-17
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attac…
- CVE-2026-35276HIGHCVSS 8.1EG 8.12026-06-17
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated att…
- CVE-2026-35278CRITICALCVSS 9.8EG 9.82026-06-17
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated atta…
- CVE-2026-35279HIGHCVSS 8.1EG 8.12026-06-17
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated at…
- CVE-2026-35286CRITICALCVSS 9.8EG 9.82026-06-17
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated at…
- CVE-2026-35289HIGHCVSS 8.1EG 8.12026-06-17
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated att…
- CVE-2026-35292CRITICALCVSS 10.0EG 10.02026-06-17
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with netw…
- CVE-2026-35293CRITICALCVSS 9.8EG 9.82026-06-17
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with net…
- CVE-2026-35295HIGHCVSS 7.5EG 7.52026-06-17
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows low privileged at…
- CVE-2026-35296CRITICALCVSS 9.8EG 9.82026-06-17
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated att…
- CVE-2026-35299HIGHCVSS 8.8EG 8.82026-06-17
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with netwo…
- CVE-2026-35301CRITICALCVSS 10.0EG 10.02026-06-17
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with netw…
- CVE-2026-35303HIGHCVSS 8.8EG 8.82026-06-17
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with netwo…
- CVE-2026-35304CRITICALCVSS 9.8EG 9.82026-06-17
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthentica…
- CVE-2026-35450MEDIUMCVSS 5.3EG 5.32026-04-06
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling F…
- CVE-2026-35514MEDIUMCVSS 6.5EG 6.52026-04-30
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or …
- CVE-2026-35523HIGHCVSS 7.5EG 7.52026-04-07
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a …
- CVE-2026-35546CRITICALCVSS 9.8EG 9.82026-04-17
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.
- CVE-2026-3558HIGHCVSS 8.1EG 8.12026-03-16
Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authen…
- CVE-2026-35584MEDIUMCVSS 6.5EG 6.52026-04-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread…
- CVE-2026-3611CRITICALCVSS 10.0EG 10.02026-03-12
The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a S…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →