VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
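The shape of this weakness, as an added example that is not part of the CWE entry or of any product listed on this page: a small Python request dispatcher in which one state-changing route never got its authentication check, beside a hardened dispatcher that enforces authentication in a single place, deny-by-default, with an explicit allowlist of public routes, and an audit helper that enumerates whatever still answers anonymously. Every name in it (`Request`, `SESSIONS`, the bearer token, the `/settings` and `/health` routes) is hypothetical.

```python
# Added example: hypothetical dispatcher, not code from any product on this page.
from dataclasses import dataclass, field

# Constructed session store: bearer token -> username (hypothetical)
SESSIONS = {"tok-alice": "alice"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def user(self):
        """Resolve a bearer token to a username; None means unauthenticated."""
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        return SESSIONS.get(auth[len("Bearer "):])


# --- Vulnerable shape: every handler is responsible for its own check ---
def get_settings_vuln(req):
    if req.user() is None:
        return 401, "auth required"
    return 200, {"ntp": "pool.ntp.org"}


def set_settings_vuln(req):
    # CWE-306: the check was forgotten on the state-changing route, so any
    # client that can reach the service can rewrite the settings.
    return 200, "settings updated"


ROUTES_VULN = {
    ("GET", "/settings"): get_settings_vuln,
    ("POST", "/settings"): set_settings_vuln,
    ("GET", "/health"): lambda req: (200, "ok"),
}


def dispatch_vuln(req):
    handler = ROUTES_VULN.get((req.method, req.path))
    return handler(req) if handler else (404, "not found")


# --- Hardened shape: one gate in the dispatcher, explicit public allowlist ---
PUBLIC = {("GET", "/health")}  # the only routes meant to work without credentials


def get_settings(req, user):
    return 200, {"ntp": "pool.ntp.org"}


def set_settings(req, user):
    return 200, "settings updated"


ROUTES = {
    ("GET", "/settings"): get_settings,
    ("POST", "/settings"): set_settings,
    ("GET", "/health"): lambda req, user: (200, "ok"),
}


def dispatch(req):
    key = (req.method, req.path)
    handler = ROUTES.get(key)
    if handler is None:
        return 404, "not found"
    user = req.user()
    # Deny by default: a route is reachable anonymously only if it was
    # deliberately listed in PUBLIC. A handler nobody remembered to protect
    # fails closed instead of open.
    if key not in PUBLIC and user is None:
        return 401, "auth required"
    return handler(req, user)


def unauthenticated_routes(dispatcher, routes):
    """Audit helper: which registered routes return 2xx to a request that
    carries no credentials at all? Run it against a test instance (the
    probes really invoke the handlers); the result should equal the
    intended public allowlist and nothing else."""
    found = []
    for method, path in routes:
        status, _ = dispatcher(Request(method, path))
        if 200 <= status < 300:
            found.append((method, path))
    return sorted(found)
```

Against the vulnerable table the audit reports both `GET /health` and `POST /settings` as anonymously reachable; against the hardened table only `GET /health`. Wiring that audit into CI, with the expected list pinned, is the cheapest standing check against this weakness class, because a newly added critical route that is not in the allowlist shows up as a failing test rather than as a CVE.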

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 40 of 49
  • CVE-2023-6949 · Med · Apr 2, 2024
    risk 0.34 · cvss 5.2 · epss 0.00

    A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any…

  • CVE-2024-21824 · Med · Mar 18, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper authentication vulnerability exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative…

  • CVE-2026-42303 · Med · May 12, 2026
    risk 0.33 · cvss n/a · epss 0.00

    Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request…

  • CVE-2026-4582 · Med · Mar 23, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the…

  • CVE-2026-2756 · Med · Mar 21, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is…

  • CVE-2025-60251 · Med · Sep 26, 2025
    risk 0.33 · cvss 5.0 · epss 0.00

    Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring.

  • CVE-2025-5719 · Med · Jun 6, 2025
    risk 0.33 · cvss n/a · epss 0.00

    The wallet has an authentication bypass vulnerability that allows access to specific pages.

  • CVE-2024-57055 · Med · Feb 18, 2025
    risk 0.33 · cvss 5.0 · epss 0.00

    Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and…

  • CVE-2024-6895 · Med · Jul 19, 2024
    risk 0.33 · cvss n/a · epss 0.00

    Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and access to application can modify…

  • CVE-2025-25265 · Med · Jun 16, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure.

  • CVE-2024-22513 · Med · Mar 16, 2024
    risk 0.32 · cvss 5.5 · epss 0.01

    djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.

  • CVE-2020-12491 · Med · Nov 25, 2024
    risk 0.31 · cvss n/a · epss 0.00

    Improper control of framework service permissions with possibility of some sensitive device information leakage.

  • CVE-2024-35342 · Med · May 28, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380,…

  • CVE-2017-2708 · Med · Nov 22, 2017
    risk 0.30 · cvss 4.6 · epss 0.00

    The 'Find Phone' function in Nice smartphones with software versions earlier than Nice-AL00C00B0135 has an authentication bypass vulnerability. An unauthenticated attacker may wipe and factory reset the phone by special steps. Due to missing authentication of the 'Find Phone'…

  • CVE-2026-7113 · Med · Apr 27, 2026
    risk 0.29 · cvss 5.6 · epss 0.00

    A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication.…

  • CVE-2026-3194 · Med · Feb 25, 2026
    risk 0.29 · cvss 4.5 · epss 0.00

    A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's…

  • CVE-2025-47272 · Med · Jun 2, 2025
    risk 0.29 · cvss 5.5 · epss 0.00

    The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public…

  • CVE-2026-45397 · Med · May 15, 2026
    risk 0.28 · cvss 5.3 · epss 0.01

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every…

  • CVE-2023-47232 · Med · Dec 21, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure. This issue affects WP Affiliate Disclosure: from n/a through 1.2.6.

  • CVE-2024-8057 · Med · Mar 20, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that…
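Several entries on this page describe authentication that exists at login but is never re-established where it matters: a token that keeps working after the account behind it is disabled (the CVE-2024-22513 description), and account deletion or security-setting changes carried out on a live session without asking for the password again (CVE-2025-47272, CVE-2024-6895). The following is an added example, not code from djangorestframework-simplejwt, CE Phoenix, Yugabyte or any other project listed here: a small HMAC-signed token scheme in Python showing the trusting check beside the hardened one, plus a critical operation that demands fresh authentication. The token format, the `USERS` store, `SECRET`, `SALT`, `FRESH_AUTH_WINDOW` and the KDF parameters are all constructed for the example.

```python
# Added example: hypothetical token scheme, not any project's real implementation.
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-key"   # constructed for the example only
SALT = b"constructed-salt"         # constructed; use a per-user random salt in practice
FRESH_AUTH_WINDOW = 300            # seconds since the last password proof before step-up


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user store (hypothetical)
USERS = {"alice": {"active": True, "pw_hash": hash_password("correct horse")}}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(username: str, now: int) -> str:
    """Mint a token. As with a for_user-style helper, the claims only
    reflect the account's state at issuance time."""
    payload = json.dumps({"sub": username, "auth_time": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def parse_token(token: str):
    """Verify the signature in constant time and return the claims, or None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)


def current_user_vuln(token: str):
    # Trusts the signed claim alone: an account disabled after login keeps
    # full access for as long as the token is valid.
    claims = parse_token(token)
    return claims["sub"] if claims else None


def current_user(token: str):
    # Hardened: the account is re-validated against the store on every request.
    claims = parse_token(token)
    if not claims:
        return None
    user = USERS.get(claims["sub"])
    if user is None or not user["active"]:
        return None
    return claims["sub"]


def delete_account(token: str, now: int, password: Optional[str] = None) -> int:
    """Critical function. Returns an HTTP-style status: 401 for no valid live
    user, 403 for a stale session without a fresh password proof, 200 allowed."""
    username = current_user(token)
    if username is None:
        return 401
    claims = parse_token(token)
    if now - claims["auth_time"] > FRESH_AUTH_WINDOW:
        # Step-up: a hijacked or shared-terminal session cannot perform the
        # irreversible action without proving the password again.
        if password is None:
            return 403
        if not hmac.compare_digest(hash_password(password), USERS[username]["pw_hash"]):
            return 403
    return 200
```

Two design points carry the weight here. First, the token proves who logged in, not that the account is still allowed to act, so the store is consulted on every request rather than at issuance; disabling an account then takes effect immediately instead of at token expiry. Second, the session being valid is not the same as the user being present, so an irreversible operation outside the freshness window falls back to a password re-check, which is what a shared or stolen session cannot supply.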