VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 45 of 121
  • CVE-2017-1000433HigJan 2, 2018
    risk 0.46cvss 8.1epss 0.03

    pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

  • CVE-2017-8028HigNov 27, 2017
    risk 0.46cvss 8.1epss 0.03

    In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication…

  • CVE-2017-10623HigOct 13, 2017
    risk 0.46cvss 7.1epss 0.01

    Lack of authentication and authorization of cluster messages in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to intercept, inject or disrupt Junos Space cluster operations between two nodes. Affected releases are Juniper Networks Junos Space all…

  • CVE-2017-14623HigSep 20, 2017
    risk 0.46cvss 8.1epss 0.02

    In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine…

  • CVE-2015-3206HigAug 25, 2017
    risk 0.46cvss 8.1epss 0.02

    The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.

  • CVE-2015-6817HigMay 23, 2017
    risk 0.46cvss 8.1epss 0.02

    PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.

  • CVE-2026-11345MedJun 5, 2026
    risk 0.45cvss epss 0.00

    An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256…

  • CVE-2026-44720MedMay 27, 2026
    risk 0.45cvss epss 0.00

    OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in…

  • CVE-2026-30762higApr 4, 2026
    risk 0.45cvss epss 0.00

    Subject: Security Vulnerability Report Hardcoded JWT Secret (CVE-2026-30762) Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type:…

  • CVE-2025-41023MedFeb 19, 2026
    risk 0.45cvss epss 0.00

    An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker can use any of its features regardless of the authorisation method used.

  • CVE-2025-13427MedDec 18, 2025
    risk 0.45cvss epss 0.00

    An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge and the ability to trigger their intents, by manipulating initialization parameters or…

  • CVE-2026-44711HigMay 27, 2026
    risk 0.44cvss 7.9epss 0.00

    pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7.

  • CVE-2026-34990HigApr 3, 2026
    risk 0.44cvss 7.8epss 0.00

    OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local…

  • CVE-2025-24292MedJun 29, 2025
    risk 0.44cvss 6.8epss 0.00

    A misconfigured query in UniFi Network (v9.1.120 and earlier) could allow users to authenticate to Enterprise WiFi or VPN Server (l2tp and OpenVPN) using a device’s MAC address from 802.1X or MAC Authentication, if both services are enabled and share the same RADIUS profile.

  • CVE-2025-31228MedMay 12, 2025
    risk 0.44cvss 6.8epss 0.00

    The issue was addressed with improved authentication. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7. An attacker with physical access to a device may be able to access notes from the lock screen.

  • CVE-2025-0813MedMar 12, 2025
    risk 0.44cvss 6.8epss 0.00

    CWE-287: Improper Authentication vulnerability exists that could cause an Authentication Bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process.

  • CVE-2024-12510MedFeb 3, 2025
    risk 0.44cvss 6.7epss 0.01

    If LDAP settings are accessed, authentication could be redirected to another server, potentially exposing credentials. This requires admin access and an active LDAP setup.

  • CVE-2022-33862MedNov 25, 2024
    risk 0.44cvss 6.7epss 0.00

    IPP software prior to v1.71 is vulnerable to default credential vulnerability. This could lead attackers to identify and access vulnerable systems.

  • CVE-2024-4601MedMay 7, 2024
    risk 0.44cvss 6.7epss 0.00

    An incorrect authentication vulnerability has been found in Socomec Net Vision affecting version 7.20. This vulnerability allows an attacker to perform a brute force attack on the application and recover a valid session, because the application uses a five-digit integer value.

  • CVE-2022-3916MedSep 20, 2023
    risk 0.44cvss 6.8epss 0.01

    A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This…