VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 52 of 121
  • CVE-2026-2065MedFeb 6, 2026
    risk 0.41cvss 6.3epss 0.01

    A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from…

  • CVE-2026-0842MedJan 11, 2026
    risk 0.41cvss 6.3epss 0.00

    A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published…

  • CVE-2025-10772MedSep 22, 2025
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing…

  • CVE-2025-22228HigMar 20, 2025
    risk 0.41cvss 7.4epss 0.01

    BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

  • CVE-2022-24857HigApr 15, 2022
    risk 0.41cvss 7.3epss 0.01

    django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor…

  • CVE-2021-44420HigDec 8, 2021
    risk 0.41cvss 7.3epss 0.02

    In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

  • CVE-2021-39177HigAug 30, 2021
    risk 0.41cvss 7.4epss 0.01

    Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Versions of Geyser prior to 1.4.2-SNAPSHOT allow anyone that can connect to the server to forge a LoginPacket with manipulated JWT token allowing impersonation as any user. Version 1.4.2-SNAPSHOT…

  • CVE-2021-29487HigAug 26, 2021
    risk 0.41cvss 7.4epss 0.01

    octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS server. The vulnerability is exploitable by…

  • CVE-2020-15240HigOct 21, 2020
    risk 0.41cvss 7.4epss 0.01

    omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by…

  • CVE-2020-15269HigOct 20, 2020
    risk 0.41cvss 7.4epss 0.01

    In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

  • CVE-2018-13434MedAug 16, 2018
    risk 0.41cvss 6.3epss 0.00

    An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The LAContext class for Biometric (TouchID) validation allows authentication bypass by overriding the LAContext return Boolean value to be "true" because the kSecAccessControlUserPresence protection…

  • CVE-2014-0097HigMay 25, 2017
    risk 0.41cvss 7.3epss 0.01

    The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

  • CVE-2026-11618HigJun 9, 2026
    risk 0.40cvss 7.3epss 0.00

    A vulnerability was determined in DTStack Taier up to 1.4.0. The affected element is the function preHandle of the file taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java of the component Source Connection Test Endpoint. Executing a…

  • CVE-2026-10281HigJun 1, 2026
    risk 0.40cvss 7.3epss 0.00

    A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit…

  • CVE-2026-10157HigMay 31, 2026
    risk 0.40cvss 7.3epss 0.00

    A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely.…

  • CVE-2026-44058HigMay 21, 2026
    risk 0.40cvss 7.2epss 0.01

    An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.

  • CVE-2026-8305HigMay 11, 2026
    risk 0.40cvss 7.3epss 0.01

    A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It…

  • CVE-2026-7723HigMay 4, 2026
    risk 0.40cvss 7.3epss 0.00

    A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been…

  • CVE-2026-7630HigMay 2, 2026
    risk 0.40cvss 7.3epss 0.00

    A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper…

  • CVE-2026-41342HigApr 23, 2026
    risk 0.40cvss 7.3epss 0.00

    OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious…