VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 56 of 121
  • CVE-2025-68712MedMay 27, 2026
    risk 0.36cvss 5.5epss 0.00

    SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to…

  • CVE-2026-9371MedMay 24, 2026
    risk 0.36cvss 5.6epss 0.00

    A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's…

  • CVE-2026-7112MedApr 27, 2026
    risk 0.36cvss 5.6epss 0.00

    A vulnerability has been found in NousResearch hermes-agent 0.8.0. Affected by this vulnerability is the function _check_auth of the file gateway/platforms/api_server.py of the component API_SERVER_KEY Handler. The manipulation leads to improper authentication. The attack can be…

  • CVE-2026-4592MedMar 23, 2026
    risk 0.36cvss 5.6epss 0.00

    A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper…

  • CVE-2026-4349MedMar 17, 2026
    risk 0.36cvss 5.6epss 0.00

    A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is…

  • CVE-2026-3192MedFeb 25, 2026
    risk 0.36cvss 5.6epss 0.01

    A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out…

  • CVE-2026-20655MedFeb 11, 2026
    risk 0.36cvss 5.5epss 0.00

    An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.

  • CVE-2026-1203MedJan 20, 2026
    risk 0.36cvss 5.6epss 0.01

    A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication.…

  • CVE-2025-6533MedJun 24, 2025
    risk 0.36cvss 5.6epss 0.00

    A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA…

  • CVE-2021-1725MedJan 12, 2021
    risk 0.36cvss 5.5epss 0.01

    Bot Framework SDK Information Disclosure Vulnerability

  • CVE-2018-16670MedSep 18, 2018
    risk 0.36cvss 5.3epss 0.25

    An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is PLC status disclosure due to lack of authentication for /html/devstat.html.

  • CVE-2018-11770MedAug 13, 2018
    risk 0.36cvss 4.2epss 0.66

    From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests…

  • CVE-2018-1106MedApr 23, 2018
    risk 0.36cvss 5.5epss 0.00

    An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system.

  • CVE-2017-12549MedFeb 15, 2018
    risk 0.36cvss 5.6epss 0.00

    A local authentication bypass vulnerability in HPE System Management Homepage for Windows and Linux version prior to v7.6.1 was found.

  • CVE-2014-8180MedJun 6, 2017
    risk 0.36cvss 5.5epss 0.00

    MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.

  • CVE-2016-5410MedApr 19, 2017
    risk 0.36cvss 5.5epss 0.00

    firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.

  • CVE-2016-3176MedJan 31, 2017
    risk 0.36cvss 5.6epss 0.01

    Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.

  • CVE-2026-40995MedJun 11, 2026
    risk 0.35cvss 5.4epss 0.00

    X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected…

  • CVE-2026-39969MedMay 22, 2026
    risk 0.35cvss 6.5epss 0.00

    TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The…

  • CVE-2026-7714MedMay 4, 2026
    risk 0.35cvss 6.5epss 0.00

    A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the…