CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,410 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 47 of 49
- CVE-2026-49195HIGHCVSS 8.8EG 8.82026-05-29
Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.
- CVE-2026-49257CRITICALCVSS 10.0EG 10.02026-06-18
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP …
- CVE-2026-49357HIGHCVSS 8.8EG 8.82026-06-19
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `--http-mode` Streamable H…
- CVE-2026-49471HIGHCVSS 8.3EG 8.32026-07-07
Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port, with no authenticati…
- CVE-2026-49973CRITICALCVSS 9.4EG 9.42026-06-11
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any …
- CVE-2026-49980CRITICALCVSS 9.8EG 9.82026-06-16
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path…
- CVE-2026-50082MEDIUMCVSS 5.3EG 6.52026-06-12
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.…
- CVE-2026-50085CRITICALCVSS 9.8EG 8.62026-06-12
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" an…
- CVE-2026-50136MEDIUMCVSS 5.3EG 5.32026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected…
- CVE-2026-50225CRITICALCVSS 9.1EG 9.12026-06-04
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
- CVE-2026-50242CRITICALCVSS 9.8EG 10.02026-06-19
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
- CVE-2026-50245HIGHCVSS 7.7EG 7.72026-06-11
Brickcom cameras allow unauthenticated access to live snapshot images via the /ONVIF endpoint and no authentication is required to retrieve still images from the camera feed.
- CVE-2026-50287HIGHCVSS 8.7EG 8.72026-06-01
AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests with…
- CVE-2026-5029HIGHCVSS 8.7EG 8.72026-05-12
A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke …
- CVE-2026-50507MEDIUMCVSS 6.8EG 6.82026-06-09
Missing authentication for critical function in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
- CVE-2026-50512HIGHCVSS 7.8EG 7.82026-06-09
Missing authentication for critical function in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
- CVE-2026-51937HIGHCVSS 7.5EG 7.52026-07-07
An issue in Oneblog V2.3.9 allows a remote attacker to obtain sensitive information via the RestApiController.java, JsApiTicketComponent.java, and the GetAccessTokenComponent.java component
- CVE-2026-5300MEDIUMCVSS 5.9EG 5.92026-04-08
Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests
- CVE-2026-5320HIGHCVSS 7.3EG 7.32026-04-02
A vulnerability was detected in vanna-ai vanna up to 2.0.2. Affected by this vulnerability is an unknown functionality of the file /api/vanna/v2/ of the component Chat API Endpoint. Performing a manipulation results in missing authenticati…
- CVE-2026-53469HIGHCVSS 8.1EG 9.12026-06-10
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all cu…
- CVE-2026-53647MEDIUMCVSS 6.9EG 6.92026-07-06
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve al…
- CVE-2026-53868HIGHCVSS 7.5EG 7.52026-06-12
Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can p…
- CVE-2026-53869HIGHCVSS 7.5EG 7.52026-06-17
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty…
- CVE-2026-53913CRITICALCVSS 9.8EG 9.82026-07-06
Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running Keycloak…
- CVE-2026-53981HIGHCVSS 7.6EG 7.62026-06-12
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as …
- CVE-2026-54036HIGHCVSS 8.1EG 8.12026-06-25
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully…
- CVE-2026-54040HIGHCVSS 7.1EG 7.12026-06-25
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code ver…
- CVE-2026-54061CRITICALCVSS 9.1EG 9.12026-07-08
Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port `:9080` without authentication or authorization. As a result, an unauth…
- CVE-2026-54068MEDIUMCVSS 5.9EG 5.92026-06-24
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "不需要鉴权" -- no auth needed). Whe…
- CVE-2026-54088CRITICALCVSS 9.3EG 9.32026-06-25
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate log…
- CVE-2026-54103CRITICALCVSS 9.8EG 9.82026-06-18
The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) does not authenticate password change requests to the '/update-profi…
- CVE-2026-54130CRITICALCVSS 9.8EG 9.82026-06-18
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
- CVE-2026-54309CRITICALCVSS 10.0EG 10.02026-06-16
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. A…
- CVE-2026-54317HIGHCVSS 7.6EG 7.62026-06-19
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView (homeassistant/components/konnected/__init__.py), that…
- CVE-2026-54776MEDIUMCVSS 4.4EG 4.42026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service hosted on Unix Domain Sockets with PosixIdentity client credentials can accept connections that skip …
- CVE-2026-55196CRITICALCVSS 9.1EG 9.12026-06-17
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMES_WEBUI_PASSKEY=1 is enabled with no exis…
- CVE-2026-55450CRITICALCVSS 9.3EG 9.32026-06-17
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access …
- CVE-2026-55605MEDIUMCVSS 5.3EG 5.32026-07-09
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.8.0, the self-hosted HTTP transport of `@arikusi/deepseek-mcp-server` exposes `POST /mcp` without any authentication: `createMcpExpressA…
- CVE-2026-55884CRITICALCVSS 9.2EG 9.22026-06-19
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-lo…
- CVE-2026-5616HIGHCVSS 7.3EG 7.32026-04-06
A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java o…
- CVE-2026-56262MEDIUMCVSS 6.5EG 6.52026-06-24
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint…
- CVE-2026-56270HIGHCVSS 7.5EG 5.32026-04-16
Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OA…
- CVE-2026-56286HIGHCVSS 8.1EG 8.12026-07-01
Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijack…
- CVE-2026-56299MEDIUMCVSS 5.3EG 5.32026-06-21
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authe…
- CVE-2026-5632HIGHCVSS 7.3EG 7.32026-04-06
A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the atta…
- CVE-2026-56321MEDIUMCVSS 5.3EG 5.32026-06-22
Capgo (backend Supabase edge functions) before 12.128.2 does not apply the global authentication middleware to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_bindings routes, so unauthenticated requests re…
- CVE-2026-56346MEDIUMCVSS 6.5EG 6.52026-06-20
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passph…
- CVE-2026-56675HIGHCVSS 8.3EG 8.32026-07-10
9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 cause…
- CVE-2026-5676HIGHCVSS 7.3EG 7.32026-04-06
A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack c…
- CVE-2026-56782CRITICALCVSS 9.8EG 9.82026-06-29
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default confi…
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →