CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
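The following before/after is an added illustration of this weakness, not code from CWE or from any product listed on this page. A toy device API in plain Python (standard library only, no web framework) exposes a low-sensitivity read and a critical factory-reset function. The vulnerable dispatcher authenticates nothing, which is the bare CWE-306 case; the hardened one denies by default on every route, verifies an HMAC-signed session token with an exact constant-time comparison rather than a substring test, refuses tokens for accounts that have since been disabled, and requires the password again before the destructive action. Those are the four patterns that recur in the CVE list on this page. The users, the server key, the token format and the routes are all constructed for the example.

```python
"""CWE-306 before/after in plain Python (stdlib only, constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a real service loads this from a secret store
MAC_LEN = 32                                        # SHA-256 digest size


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    active: bool = True


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(name: str, password: str, active: bool = True) -> User:
    salt = b"demo-salt-" + name.encode()             # demo only; use os.urandom(16) per user
    return User(name, salt, _hash_pw(password, salt), active)


# constructed accounts: one live administrator, one account that has been disabled
USERS: Dict[str, User] = {
    "admin": make_user("admin", "correct horse battery"),
    "olduser": make_user("olduser", "left the company", active=False),
}
STATE = {"reset_count": 0, "settings": {"ntp": "pool.ntp.org", "led": "on"}}


def issue_token(username: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Session token = urlsafe_b64(json_claims || HMAC-SHA256(SERVER_KEY, json_claims))."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"sub": username, "exp": now + ttl}).encode()
    mac = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(claims + mac).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[User]:
    """Return the User for a valid, unexpired token of an *active* account, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        claims, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
        # exact, constant-time equality: never 'in', startswith() or any substring check
        if len(mac) != MAC_LEN or not hmac.compare_digest(mac, expected):
            return None
        data = json.loads(claims)
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(data.get("exp"), int) or data["exp"] <= now:
        return None
    user = USERS.get(data.get("sub"))
    if user is None or not user.active:             # a token for a disabled account is worthless
        return None
    return user


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash_pw(password, user.salt), user.pw_hash)


def vulnerable_dispatch(request: dict) -> Tuple[int, dict]:
    """CWE-306: whoever can reach the port can invoke the critical function."""
    if request["path"] == "/api/settings":
        return 200, STATE["settings"]
    if request["path"] == "/api/factory_reset":
        STATE["reset_count"] += 1
        return 200, {"reset": True}
    return 404, {}


def hardened_dispatch(request: dict, now: Optional[int] = None) -> Tuple[int, dict]:
    """Authenticate before routing, on every path; re-authenticate for the destructive one."""
    auth = request.get("headers", {}).get("Authorization", "")
    user = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, {"error": "authentication required"}
    if request["path"] == "/api/settings":
        return 200, STATE["settings"]
    if request["path"] == "/api/factory_reset":
        # a hijacked session alone must not be enough: the caller proves the password again
        if not check_password(user, request.get("body", {}).get("password", "")):
            return 403, {"error": "re-authentication required"}
        STATE["reset_count"] += 1
        return 200, {"reset": True}
    return 404, {}


if __name__ == "__main__":
    tok = issue_token("admin")
    print(vulnerable_dispatch({"path": "/api/factory_reset"}))            # anyone gets 200
    print(hardened_dispatch({"path": "/api/factory_reset"}))              # 401 without a token
    print(hardened_dispatch({"path": "/api/factory_reset",
                             "headers": {"Authorization": "Bearer " + tok},
                             "body": {"password": "correct horse battery"}}))  # 200 with token + password
```

The ordering in hardened_dispatch is the point: the authentication check runs once, before any route is matched, so a newly added endpoint cannot be forgotten. Per-route checks are where CWE-306 usually creeps in.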
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 40 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-6949 | | Med | 0.34 | 5.2 | 0.00 | | Apr 2, 2024 | A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any… |
| CVE-2024-21824 | | Med | 0.34 | 5.3 | 0.00 | | Mar 18, 2024 | Improper authentication vulnerability exists in multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. If this vulnerability is exploited, a network-adjacent user who can access the product may impersonate an administrative… |
| CVE-2026-42303 | | Med | 0.33 | — | 0.00 | | May 12, 2026 | Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request… |
| CVE-2026-4582 | | Med | 0.33 | 5.0 | 0.00 | | Mar 23, 2026 | A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the… |
| CVE-2026-2756 | | Med | 0.33 | 5.0 | 0.00 | | Mar 21, 2026 | A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is… |
| CVE-2025-60251 | | Med | 0.33 | 5.0 | 0.00 | | Sep 26, 2025 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. |
| CVE-2025-5719 | — | Med | 0.33 | — | 0.00 | | Jun 6, 2025 | The wallet has an authentication bypass vulnerability that allows access to specific pages. |
| CVE-2024-57055 | | Med | 0.33 | 5.0 | 0.00 | | Feb 18, 2025 | Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client (not the general-use JSON services) and… |
| CVE-2024-6895 | | Med | 0.33 | — | 0.00 | | Jul 19, 2024 | Insufficient authentication in user account management in Yugabyte Platform allows local network attackers with a compromised user session to change critical security information without re-authentication. An attacker with user session and access to application can modify… |
| CVE-2025-25265 | — | Med | 0.32 | 4.9 | 0.00 | | Jun 16, 2025 | A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure. |
| CVE-2024-22513 | | Med | 0.32 | 5.5 | 0.01 | | Mar 16, 2024 | djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method. |
| CVE-2020-12491 | — | Med | 0.31 | — | 0.00 | | Nov 25, 2024 | Improper control of framework service permissions with possibility of some sensitive device information leakage. |
| CVE-2024-35342 | — | Med | 0.30 | 4.6 | 0.00 | | May 28, 2024 | Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380,… |
| CVE-2017-2708 | | Med | 0.30 | 4.6 | 0.00 | | Nov 22, 2017 | The 'Find Phone' function in Nice smartphones with software versions earlier than Nice-AL00C00B0135 has an authentication bypass vulnerability. An unauthenticated attacker may wipe and factory reset the phone by special steps. Due to missing authentication of the 'Find Phone'… |
| CVE-2026-7113 | | Med | 0.29 | 5.6 | 0.00 | | Apr 27, 2026 | A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication.… |
| CVE-2026-3194 | | Med | 0.29 | 4.5 | 0.00 | | Feb 25, 2026 | A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's… |
| CVE-2025-47272 | | Med | 0.29 | 5.5 | 0.00 | | Jun 2, 2025 | The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public… |
| CVE-2026-45397 | | Med | 0.28 | 5.3 | 0.01 | | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every… |
| CVE-2023-47232 | | Med | 0.28 | 4.3 | 0.00 | | Dec 21, 2025 | Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure. This issue affects WP Affiliate Disclosure: from n/a through 1.2.6. |
| CVE-2024-8057 | | Med | 0.28 | 4.3 | 0.00 | | Mar 20, 2025 | In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that… |