CWE-305
Authentication Bypass by Primary Weakness
Description
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. In other words, the credential check itself is correct; the bypass comes from a different defect in front of it or beside it (for example a path traversal that reaches a protected handler without passing through the check, a comparison that accepts an empty value, or a default configuration that never enables authentication), so the fix belongs to that primary weakness rather than to the authentication logic.
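As an added illustration (not code from any product listed on this page), the following Python shows a hypothetical API-key middleware in which the key comparison itself is sound but two separate, primary weaknesses bypass it: a route-prefix check performed on the un-normalized path, and a check that validates the key only when one was supplied, so an empty or absent X-Api-Key header falls through. The hardened version keeps the same comparison and removes the two defects. The route prefix, header name, sample key and request cases are all constructed for the example.

```python
import hmac
import posixpath

ADMIN_PREFIX = "/admin"   # hypothetical protected route prefix


def key_matches(supplied: str, configured: str) -> bool:
    """The sound part of the mechanism: constant-time equality of the two keys."""
    return hmac.compare_digest(supplied.encode("utf-8"), configured.encode("utf-8"))


def is_admin_route(path: str) -> bool:
    """True for ADMIN_PREFIX itself and anything below it (but not '/adminfoo')."""
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def vulnerable_authorize(headers: dict, path: str, configured_key: str) -> bool:
    """Hypothetical vulnerable middleware: True means the request may proceed.

    Primary weakness 1: the prefix check runs on the raw path, so
    '/public/../admin/config' is classed as public even though the router
    later normalises it to '/admin/config'.
    Primary weakness 2: the key is validated only *if one was supplied*; an
    absent or empty X-Api-Key header never reaches the rejection branch.
    """
    if not is_admin_route(path):
        return True
    supplied = headers.get("X-Api-Key", "")
    if supplied and not key_matches(supplied, configured_key):
        return False
    return True   # BUG: empty/missing key falls through as if it were valid


def hardened_authorize(headers: dict, path: str, configured_key: str) -> bool:
    """Same key comparison; the two primary weaknesses are removed."""
    if not configured_key:
        return False                           # fail closed when no key is configured
    if not is_admin_route(posixpath.normpath(path)):
        return True                            # decide on the canonical path
    supplied = headers.get("X-Api-Key", "")
    if not supplied:
        return False                           # absent/empty key is a failure, not a skip
    return key_matches(supplied, configured_key)


def demo() -> dict:
    """Runs both versions over constructed requests; returns {case: (vulnerable, hardened)}."""
    key = "example-key-not-a-real-secret"      # constructed sample key
    cases = {
        "valid key":    ({"X-Api-Key": key}, "/admin/config"),
        "wrong key":    ({"X-Api-Key": "nope"}, "/admin/config"),
        "empty key":    ({"X-Api-Key": ""}, "/admin/config"),
        "no header":    ({}, "/admin/config"),
        "traversal":    ({}, "/public/../admin/config"),
        "public route": ({}, "/public/index.html"),
    }
    return {name: (vulnerable_authorize(h, p, key), hardened_authorize(h, p, key))
            for name, (h, p) in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:13s} vulnerable={str(vuln):5s} hardened={hard}")
```

Note that `key_matches` is identical in both versions: every correction sits in the code around the comparison, which is what distinguishes CWE-305 from a weakness in the authentication algorithm itself. When reviewing a real middleware, check the same two things the hardened version does: that the protected-route decision is taken on the canonical path the router will actually dispatch, and that "no credential" is handled as a failure rather than as "nothing to validate".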
Hierarchy (View 1000)
Parents
CWE-287 Improper Authentication
Children
none
CVEs mapped to this weakness (72)
page 1 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-50478 | — | Critical | 0.66 | 9.8 | 0.01 | — | Oct 28, 2024 | Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass. This issue affects 1-Click Login: Passwordless Authentication: 1.4.5. |
| CVE-2025-4320 | — | Critical | 0.65 | 10.0 | 0.00 | — | Jan 23, 2026 | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through… |
| CVE-2025-24522 | — | Critical | 0.65 | 10.0 | 0.01 | — | May 1, 2025 | KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying… |
| CVE-2026-25555 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jun 8, 2026 | OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison… |
| CVE-2026-4670 | — | Critical | 0.64 | 9.8 | 0.06 | — | Apr 30, 2026 | Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. |
| CVE-2025-46801 | — | Critical | 0.64 | 9.8 | 0.01 | — | May 19, 2025 | Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. If the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the… |
| CVE-2025-32011 | — | Critical | 0.64 | 9.8 | 0.22 | — | May 1, 2025 | KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal. |
| CVE-2023-41920 | — | Critical | 0.64 | 9.8 | 0.00 | — | Jul 2, 2024 | The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in. |
| CVE-2023-6153 | — | Critical | 0.64 | 9.8 | 0.01 | — | Mar 27, 2024 | Authentication Bypass by Primary Weakness vulnerability in TeoSOFT Software TeoBASE allows Authentication Bypass. This issue affects TeoBASE: through 20240327. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-1202 | — | Critical | 0.64 | 9.8 | 0.01 | — | Mar 21, 2024 | Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass. This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported. |
| CVE-2023-7103 | — | Critical | 0.64 | 9.8 | 0.01 | — | Mar 5, 2024 | Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass. This issue affects UFace 5: through 12022024. |
| CVE-2023-1833 | — | Critical | 0.64 | 9.8 | 0.01 | — | Apr 14, 2023 | Authentication Bypass by Primary Weakness vulnerability in DTS Electronics Redline Router firmware allows Authentication Bypass. This issue affects Redline Router: before 7.17. |
| CVE-2024-49587 | — | Critical | 0.59 | 9.1 | 0.00 | — | Dec 19, 2025 | Glutton V1 service endpoints were exposed without any authentication on Gotham stacks; this could have allowed users that did not have any permission to hit the Glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to… |
| CVE-2024-12802 | — | Critical | 0.59 | 9.1 | 0.00 | — | Jan 9, 2025 | SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each… |
| CVE-2026-6266 | — | High | 0.54 | 8.3 | 0.00 | — | May 4, 2026 | A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to… |
| CVE-2025-31965 | — | High | 0.53 | 8.2 | 0.00 | — | Jul 29, 2025 | Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages. |
| CVE-2025-41450 | — | High | 0.53 | 8.2 | 0.00 | — | May 8, 2025 | Improper Authentication vulnerability in Danfoss AKSM8xxA Series. This issue affects Danfoss AK-SM 8xxA Series prior to version 4.2. |
| CVE-2026-40582 | — | Critical | 0.52 | — | 0.01 | — | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and… |
| CVE-2021-45031 | — | High | 0.50 | 7.7 | 0.01 | — | Mar 30, 2022 | A vulnerability in MEPSAN's USC+ before version 3.0 has a weakness in the login function which lets attackers generate passwords for high-privileged accounts. |
| CVE-2026-9047 | — | High | 0.49 | 7.6 | 0.00 | — | May 22, 2026 | Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue… |