VYPR

CWE-287

Improper Authentication

ClassDraftLikelihood: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 57 of 121
  • CVE-2026-41081MedApr 27, 2026
    risk 0.35cvss 6.5epss 0.00

    Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default…

  • CVE-2026-40910MedApr 21, 2026
    risk 0.35cvss 6.5epss 0.00

    frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the…

  • CVE-2026-34500MedApr 9, 2026
    risk 0.35cvss 6.5epss 0.00

    CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are…

  • CVE-2026-34531MedApr 1, 2026
    risk 0.35cvss 6.5epss 0.00

    Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the…

  • CVE-2026-4829MedApr 1, 2026
    risk 0.35cvss 5.4epss 0.00

    Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.

  • CVE-2026-34389MedMar 27, 2026
    risk 0.35cvss 6.5epss 0.00

    Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a…

  • CVE-2025-58065MedSep 11, 2025
    risk 0.35cvss 6.5epss 0.00

    Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in…

  • CVE-2025-53889MedJul 15, 2025
    risk 0.35cvss 6.5epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload…

  • CVE-2024-38825MedJun 13, 2025
    risk 0.35cvss 6.4epss 0.00

    The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for…

  • CVE-2025-46548MedJun 3, 2025
    risk 0.35cvss 6.5epss 0.01

    If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version…

  • CVE-2025-3910MedApr 29, 2025
    risk 0.35cvss 5.4epss 0.00

    A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

  • CVE-2025-27112MedFeb 24, 2025
    risk 0.35cvss 6.5epss 0.01

    Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not…

  • CVE-2025-0604MedJan 22, 2025
    risk 0.35cvss 5.4epss 0.01

    A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in…

  • CVE-2024-10511MedDec 11, 2024
    risk 0.35cvss 5.3epss 0.01

    CWE-287: Improper Authentication vulnerability exists that could cause Denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

  • CVE-2024-43409MedAug 20, 2024
    risk 0.35cvss 6.5epss 0.00

    Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains…

  • CVE-2024-40794MedJul 29, 2024
    risk 0.35cvss 5.3epss 0.01

    This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication.

  • CVE-2024-32868MedApr 26, 2024
    risk 0.35cvss 6.5epss 0.00

    ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there…

  • CVE-2023-5675MedApr 25, 2024
    risk 0.35cvss 6.5epss 0.00

    A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is…

  • CVE-2023-39196MedFeb 7, 2024
    risk 0.35cvss 5.3epss 0.01

    Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage…

  • CVE-2024-23647MedJan 30, 2024
    risk 0.35cvss 6.5epss 0.01

    Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the…