CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
page 57 of 121| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41081 | Med | 0.35 | 6.5 | 0.00 | Apr 27, 2026 | Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default… | ||
| CVE-2026-40910 | Med | 0.35 | 6.5 | 0.00 | Apr 21, 2026 | frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the… | ||
| CVE-2026-34500 | Med | 0.35 | 6.5 | 0.00 | Apr 9, 2026 | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are… | ||
| CVE-2026-34531 | Med | 0.35 | 6.5 | 0.00 | Apr 1, 2026 | Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the… | ||
| CVE-2026-4829 | Med | 0.35 | 5.4 | 0.00 | Apr 1, 2026 | Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow. | ||
| CVE-2026-34389 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a… | ||
| CVE-2025-58065 | Med | 0.35 | 6.5 | 0.00 | Sep 11, 2025 | Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in… | ||
| CVE-2025-53889 | Med | 0.35 | 6.5 | 0.00 | Jul 15, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload… | ||
| CVE-2024-38825 | Med | 0.35 | 6.4 | 0.00 | Jun 13, 2025 | The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for… | ||
| CVE-2025-46548 | Med | 0.35 | 6.5 | 0.01 | Jun 3, 2025 | If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version… | ||
| CVE-2025-3910 | Med | 0.35 | 5.4 | 0.00 | Apr 29, 2025 | A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | ||
| CVE-2025-27112 | Med | 0.35 | 6.5 | 0.01 | Feb 24, 2025 | Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not… | ||
| CVE-2025-0604 | Med | 0.35 | 5.4 | 0.01 | Jan 22, 2025 | A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in… | ||
| CVE-2024-10511 | — | Med | 0.35 | 5.3 | 0.01 | Dec 11, 2024 | CWE-287: Improper Authentication vulnerability exists that could cause Denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL. | |
| CVE-2024-43409 | Med | 0.35 | 6.5 | 0.00 | Aug 20, 2024 | Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains… | ||
| CVE-2024-40794 | Med | 0.35 | 5.3 | 0.01 | Jul 29, 2024 | This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication. | ||
| CVE-2024-32868 | Med | 0.35 | 6.5 | 0.00 | Apr 26, 2024 | ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there… | ||
| CVE-2023-5675 | Med | 0.35 | 6.5 | 0.00 | Apr 25, 2024 | A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is… | ||
| CVE-2023-39196 | — | Med | 0.35 | 5.3 | 0.01 | Feb 7, 2024 | Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage… | |
| CVE-2024-23647 | Med | 0.35 | 6.5 | 0.01 | Jan 30, 2024 | Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the… |
- risk 0.35cvss 6.5epss 0.00
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default…
- risk 0.35cvss 6.5epss 0.00
frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the…
- risk 0.35cvss 6.5epss 0.00
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are…
- risk 0.35cvss 6.5epss 0.00
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the…
- risk 0.35cvss 5.4epss 0.00
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
- risk 0.35cvss 6.5epss 0.00
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a…
- risk 0.35cvss 6.5epss 0.00
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in…
- risk 0.35cvss 6.5epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload…
- risk 0.35cvss 6.4epss 0.00
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for…
- risk 0.35cvss 6.5epss 0.01
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version…
- risk 0.35cvss 5.4epss 0.00
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
- risk 0.35cvss 6.5epss 0.01
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not…
- risk 0.35cvss 5.4epss 0.01
A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in…
- risk 0.35cvss 5.3epss 0.01
CWE-287: Improper Authentication vulnerability exists that could cause Denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.
- risk 0.35cvss 6.5epss 0.00
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains…
- risk 0.35cvss 5.3epss 0.01
This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication.
- risk 0.35cvss 6.5epss 0.00
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there…
- risk 0.35cvss 6.5epss 0.00
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is…
- risk 0.35cvss 5.3epss 0.01
Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage…
- risk 0.35cvss 6.5epss 0.01
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the…