CWE-322— Key Exchange without Entity Authentication
The product performs a key exchange with an actor without verifying the identity of that actor.— MITRE CWE catalog
23 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-322page 1 of 1
- CVE-2021-34433HIGHCVSS 7.5EG 7.52021-08-20
In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not i…
- CVE-2022-39246HIGHCVSS 7.5EG 7.52022-09-28
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shie…
- CVE-2022-39248HIGHCVSS 8.6EG 8.62022-09-28
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as…
- CVE-2022-39249HIGHCVSS 7.5EG 7.52022-09-28
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be mar…
- CVE-2022-39250HIGHCVSS 8.6EG 8.62022-09-29
Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, inj…
- CVE-2022-39251HIGHCVSS 8.6EG 8.62022-09-28
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without an…
- CVE-2022-39252HIGHCVSS 8.6EG 8.62022-09-29
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly rememb…
- CVE-2022-39254HIGHCVSS 8.6EG 8.62022-09-29
matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a users requests a room key from their devices, the software correctly remember the request. Once they receive a forwarded…
- CVE-2022-39255HIGHCVSS 8.6EG 8.62022-09-28
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, with…
- CVE-2022-39257HIGHCVSS 7.5EG 7.52022-09-28
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will …
- CVE-2024-47519HIGHCVSS 8.3EG 8.32025-01-10
Backup uploads to ETM subject to man-in-the-middle interception
- CVE-2024-4871MEDIUMCVSS 6.8EG 6.82024-05-14
A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "-o StrictHostKeyChecking=no". This flaw …
- CVE-2024-6572HIGHCVSS 7.4EG 7.42024-09-09
Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic
- CVE-2024-7516HIGHCVSS 7.1EG 4.82024-11-12
A vulnerability in Brocade Fabric OS versions before 9.2.2 could allow man-in-the-middle attackers to conduct remote Service Session Hijacking that may arise from the attacker's ability to forge an SSH key while the Brocade Fabric OS Switc…
- CVE-2025-13914HIGHCVSS 8.1EG 8.72026-04-09
A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attac…
- CVE-2025-20163HIGHCVSS 8.7EG 8.72025-06-04
A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host ke…
- CVE-2025-54422MEDIUMCVSS 5.5EG 5.52025-07-29
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox crea…
- CVE-2025-62501HIGHCVSS 8.1EG 8.12026-02-03
SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized acc…
- CVE-2026-11745HIGHCVSS 8.8EG 8.82026-06-22
A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the…
- CVE-2026-1354MEDIUMCVSS 6.4EG 6.42026-04-21
Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, an attacker can utilize over-the-air firmware updating functionality to potentially upload mali…
- CVE-2026-1709CRITICALCVSS 9.4EG 9.42026-02-06
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network acce…
- CVE-2026-44467MEDIUMCVSS 6.8EG 6.82026-05-13
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname ex…
- CVE-2026-45361HIGHCVSS 8.1EG 8.12026-05-25
Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the ses…
Map vulnerabilities like CWE-322 to your infrastructure
EchelonGraph correlates every CVE — across CWE-322 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →