VYPR

CWE-306

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62

CVEs mapped to this weakness (964)

page 41 of 49
  • CVE-2016-6549 · Med · Jul 13, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    The Zizai Tech Nut device allows unauthenticated Bluetooth pairing, which enables unauthenticated connected applications to write data to the device name attribute.

  • CVE-2026-43881 · Med · May 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for…

  • CVE-2026-34999 · Med · Apr 1, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream…

  • CVE-2026-34732 · Med · Mar 31, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges,…

  • CVE-2026-34411 · Med · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and…

  • CVE-2026-1920 · Med · Mar 10, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and…

  • CVE-2026-1919 · Med · Mar 10, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for…

  • CVE-2025-12348 · Med · Dec 12, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in…

  • CVE-2025-67780 · Med · Dec 11, 2025
    risk 0.27 · cvss 4.2 · epss 0.00

    SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to…

  • CVE-2025-62607 · Med · Oct 22, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    Nautobot Single Source of Truth (SSoT) is an app for Nautobot. Prior to version 3.10.0, an unauthenticated attacker could access this page to view the Service Now public instance name e.g. companyname.service-now.com. This is considered low-value information. This does not…

  • CVE-2025-32782 · Med · Apr 15, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may…

  • CVE-2026-42095 · Med · Apr 24, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.

  • CVE-2026-56270 · Med · Apr 16, 2026
    risk 0.26 · cvss n/a · epss 0.00

    Summary: I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response…

  • CVE-2026-21767 · Med · Apr 2, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    HCL BigFix Platform is affected by insufficient authentication. The application might allow users to access sensitive areas of the application without proper authentication.

  • CVE-2024-55538 · Med · Jan 2, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    Sensitive information disclosure due to missing authentication. The following products are affected: Acronis True Image (macOS) before build 41725, Acronis True Image (Windows) before build 41736, Acronis True Image OEM (macOS) before build 42571, Acronis True Image OEM…

  • CVE-2024-3219 · Med · Jul 29, 2024
    risk 0.26 · cvss n/a · epss 0.00

    The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection …

  • CVE-2025-5715 · Low · Jun 6, 2025
    risk 0.25 · cvss 3.8 · epss 0.00

    A vulnerability was found in Signal App 7.41.4 on Android. It has been declared as problematic. This vulnerability affects unknown code of the component Biometric Authentication Handler. The manipulation leads to missing critical step in authentication. It is possible to launch…

  • CVE-2026-32896 · Med · Mar 21, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by…

  • CVE-2024-31684 · Low · Jun 3, 2024
    risk 0.23 · cvss 3.5 · epss 0.00

    Incorrect access control in the fingerprint authentication mechanism of Bitdefender Mobile Security v4.11.3-gms allows attackers to bypass fingerprint authentication due to the use of a deprecated API.

  • CVE-2021-39144 · KEV · Aug 23, 2021
    risk 0.23 · cvss n/a · epss 0.99

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed…