CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 13 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-0129 | Cri | 0.60 | — | 0.00 | Apr 11, 2025 | An improper exception check in Palo Alto Networks Prisma Access Browser allows a low privileged user to prevent Prisma Access Browser from applying it's Policy Rules. This enables the user to use Prisma Access Browser without any restrictions. | ||
| CVE-2024-12371 | Cri | 0.60 | — | 0.01 | Dec 18, 2024 | A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating… | ||
| CVE-2024-8074 | Cri | 0.60 | — | 0.00 | Nov 12, 2024 | Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024. | ||
| CVE-2024-41988 | Cri | 0.60 | — | 0.01 | Oct 3, 2024 | TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to… | ||
| CVE-2026-50225 | Cri | 0.59 | 9.1 | 0.00 | Jun 4, 2026 | The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. | ||
| CVE-2026-9051 | Cri | 0.59 | 9.1 | 0.01 | May 29, 2026 | There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure. Successful exploitation requires… | ||
| CVE-2026-8602 | Cri | 0.59 | 9.1 | 0.00 | May 19, 2026 | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings. | ||
| CVE-2026-31071 | Cri | 0.59 | 9.1 | 0.01 | May 19, 2026 | API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access… | ||
| CVE-2026-31242 | — | Cri | 0.59 | 9.1 | 0.00 | May 12, 2026 | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE… | |
| CVE-2026-22924 | Cri | 0.59 | 9.1 | 0.00 | May 12, 2026 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or… | ||
| CVE-2026-27843 | Cri | 0.59 | 9.1 | 0.01 | Apr 24, 2026 | A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network… | ||
| CVE-2026-41176 | Cri | 0.59 | 9.8 | 0.35 | Apr 23, 2026 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in… | ||
| CVE-2026-34286 | Cri | 0.59 | 9.1 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise… | ||
| CVE-2026-34285 | Cri | 0.59 | 9.1 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise… | ||
| CVE-2026-34279 | Cri | 0.59 | 9.1 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via… | ||
| CVE-2026-32211 | Cri | 0.59 | 9.1 | 0.01 | Apr 3, 2026 | Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-30035 | Cri | 0.59 | — | 0.00 | Mar 2, 2026 | The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and… | ||
| CVE-2026-2234 | Cri | 0.59 | 9.1 | 0.00 | Feb 9, 2026 | C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content. | ||
| CVE-2026-1632 | — | Cri | 0.59 | 9.1 | 0.00 | Feb 3, 2026 | MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. | |
| CVE-2025-30041 | — | Cri | 0.59 | — | 0.00 | Aug 27, 2025 | The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs. |
- risk 0.60cvss —epss 0.00
An improper exception check in Palo Alto Networks Prisma Access Browser allows a low privileged user to prevent Prisma Access Browser from applying it's Policy Rules. This enables the user to use Prisma Access Browser without any restrictions.
- risk 0.60cvss —epss 0.01
A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating…
- risk 0.60cvss —epss 0.00
Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024.
- risk 0.60cvss —epss 0.01
TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to…
- risk 0.59cvss 9.1epss 0.00
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
- risk 0.59cvss 9.1epss 0.01
There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure. Successful exploitation requires…
- risk 0.59cvss 9.1epss 0.00
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
- risk 0.59cvss 9.1epss 0.01
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access…
- risk 0.59cvss 9.1epss 0.00
The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE…
- risk 0.59cvss 9.1epss 0.00
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or…
- risk 0.59cvss 9.1epss 0.01
A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network…
- risk 0.59cvss 9.8epss 0.35
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in…
- risk 0.59cvss 9.1epss 0.00
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise…
- risk 0.59cvss 9.1epss 0.00
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise…
- risk 0.59cvss 9.1epss 0.00
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via…
- risk 0.59cvss 9.1epss 0.01
Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.
- risk 0.59cvss —epss 0.00
The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and…
- risk 0.59cvss 9.1epss 0.00
C&Cm@il developed by HGiga has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read and modify any user's mail content.
- risk 0.59cvss 9.1epss 0.00
MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device.
- risk 0.59cvss —epss 0.00
The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs.