VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base
Status: Draft
Likelihood of Exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
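The shape behind most entries on this page is a handler that returns private data or changes state while nothing in the request path ever checks who the caller is. The following is an added example, written for this page and not taken from any product listed here: a hypothetical route dispatcher in which the "critical function" (a log-archive export) is reachable without credentials, the hardened dispatcher that enforces authentication centrally with an explicit allow-list of public routes, and a small offline audit that probes every registered route without credentials and reports the ones that answer. The token, routes and handler names are all constructed for the example.

```python
"""Added example for CWE-306: a vulnerable dispatcher, the deny-by-default fix,
and an audit that flags routes reachable without credentials. Hypothetical app;
not code from any project referenced on the page."""
import hmac
from dataclasses import dataclass, field

# Constructed secret for the example only; a real service loads this from a secret store.
API_TOKEN = "example-token-do-not-use"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def is_authenticated(req: Request) -> bool:
    """Hypothetical bearer-token scheme; compare_digest avoids a timing side channel."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], API_TOKEN)


# Handlers. export_logs is the critical function: it hands out private data.
def status_handler(req: Request) -> Response:
    return Response(200, "ok")


def login_handler(req: Request) -> Response:
    return Response(200, "login form")


def export_logs(req: Request) -> Response:
    return Response(200, "private log archive")


ROUTES = {"/status": status_handler, "/login": login_handler, "/api/logs/export": export_logs}

# Routes that are intentionally reachable without credentials (explicit allow-list).
PUBLIC_ROUTES = {"/status", "/login"}


def dispatch_vulnerable(req: Request, routes=ROUTES) -> Response:
    """CWE-306: each handler is trusted to check auth itself, and export_logs never does."""
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


def dispatch_hardened(req: Request, routes=ROUTES, public=PUBLIC_ROUTES) -> Response:
    """Deny by default: authentication is enforced before routing for every path
    not on the allow-list, so a forgotten per-handler check cannot reopen the hole.
    Checking auth before the route lookup also means unauthenticated callers get the
    same 401 for unknown and for protected paths, so they cannot enumerate routes."""
    if req.path not in public and not is_authenticated(req):
        return Response(401, "authentication required")
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


def audit_unauthenticated(dispatch, routes=ROUTES, public=PUBLIC_ROUTES) -> list:
    """Probe every registered route with no credentials and return those that answer
    2xx without being on the public allow-list. This is the check a reviewer runs
    before shipping, or a pentester runs against a target's route table."""
    findings = []
    for path in routes:
        resp = dispatch(Request("GET", path))
        if 200 <= resp.status < 300 and path not in public:
            findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    print("vulnerable:", audit_unauthenticated(dispatch_vulnerable))  # ['/api/logs/export']
    print("hardened:  ", audit_unauthenticated(dispatch_hardened))    # []
```

The fix is structural rather than a patch to one handler: an allow-list of public routes, with every other path rejected before any handler runs, is what turns a missing check from a silent data leak into a 401. The audit function is deliberately independent of the dispatcher under test so it can be pointed at either one, or adapted to probe a real service's route table over HTTP.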

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 37 of 49
  • CVE-2024-8530 · Medium · Oct 11, 2024
    risk 0.38 · cvss 5.9 · epss 0.01

    CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS.

  • CVE-2024-1573 · Medium · Jul 4, 2024
    risk 0.38 · cvss 5.9 · epss 0.01

    Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hyper Historian versions 10.97.2 and prior,…

  • CVE-2011-4190 · Medium · Jun 8, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The kdump implementation is missing the host key verification in the kdump and mkdumprd OpenSSH integration of kdump prior to version 2012-01-20. This is similar to CVE-2011-3588, but different in that the kdump implementation is specific to SUSE. A remote malicious kdump server…

  • CVE-2026-45610 · Medium · May 29, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the…

  • CVE-2026-9212 · Medium · Jun 9, 2026
    risk 0.36 · cvss (not listed) · epss 0.00

    Insufficient authentication and input validation in the listed NETGEAR models allow users connected to the local network to execute commands impacting the product's confidentiality or change certain configurations.

  • CVE-2026-9371 · Medium · May 24, 2026
    risk 0.36 · cvss 5.6 · epss 0.00

    A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's…

  • CVE-2026-6369 · Medium · Apr 20, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain…

  • CVE-2025-15515 · Medium · Mar 13, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    The authentication mechanism for a specific feature in the EasyShare module contains a vulnerability. If specific conditions are met on a local network, it can cause data leakage.

  • CVE-2026-3192 · Medium · Feb 25, 2026
    risk 0.36 · cvss 5.6 · epss 0.01

    A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out…

  • CVE-2024-45355 · Medium · Mar 27, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    An unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to access sensitive methods.

  • CVE-2026-47672 · Medium · May 26, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured…

  • CVE-2026-7714 · Medium · May 4, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the…

  • CVE-2026-34839 · Medium · Apr 21, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy…

  • CVE-2026-35584 · Medium · Apr 7, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given…

  • CVE-2025-9214 · Medium · Sep 11, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A missing authentication vulnerability was reported in some Lenovo printers that could allow a user to view limited device information or modify network settings via the CUPS service.

  • CVE-2025-24271 · Medium · Apr 29, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    An access issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An unauthenticated user on the same network as a signed-in Mac…

  • CVE-2024-41968 · Medium · Nov 18, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.

  • CVE-2018-1757 · Medium · Sep 7, 2018
    risk 0.35 · cvss 5.3 · epss 0.02

    IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application. IBM X-Force ID: 148601.

  • CVE-2026-8694 · Medium · Jun 12, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

  • CVE-2026-11848 · Medium · Jun 12, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information.