VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 35 of 49
  • CVE-2025-62619 · Medium · May 14, 2026
    risk 0.41 · cvss: not listed · epss 0.00

    Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality.

  • CVE-2026-8185 · Medium · May 9, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade…

  • CVE-2026-7844 · Medium · May 5, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component…

  • CVE-2026-41603 · High · Apr 28, 2026
    risk 0.41 · cvss 7.4 · epss 0.01

    Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2026-5724 · Medium · Apr 10, 2026
    risk 0.41 · cvss: not listed · epss 0.01

    The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endp…

  • CVE-2026-4476 · Medium · Mar 20, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is…

  • CVE-2026-2065 · Medium · Feb 6, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from…

  • CVE-2026-0842 · Medium · Jan 11, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published…

  • CVE-2025-10772 · Medium · Sep 22, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing…

  • CVE-2025-36757 · Medium · Sep 10, 2025
    risk 0.41 · cvss: not listed · epss 0.00

    It is possible to bypass the administrator login screen on SolaX Cloud. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system.

  • CVE-2021-26278 · Medium · Dec 17, 2024
    risk 0.41 · cvss 6.3 · epss 0.00

    The wifi module exposes the interface and has improper permission control, leaking sensitive information about the device.

  • CVE-2024-39364 · Medium · Sep 27, 2024
    risk 0.41 · cvss 6.3 · epss 0.00

    Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by…

  • CVE-2017-12155 · Medium · Dec 12, 2017
    risk 0.41 · cvss 6.3 · epss 0.00

    A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker…

  • CVE-2026-10281 · High · Jun 1, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit…

  • CVE-2026-44320 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to…

  • CVE-2026-44338 · High · May 8, 2026
    risk 0.40 · cvss 7.3 · epss 0.27

    PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured…

  • CVE-2026-7723 · High · May 4, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been…

  • CVE-2026-6129 · High · Apr 12, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and…

  • CVE-2026-5616 · High · Apr 6, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such…

  • CVE-2026-27846 · Medium · Feb 25, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi…