CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 42 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11651 | — | — | 0.23 | — | 0.96 | KEV | Apr 30, 2020 | An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user… |
| CVE-2025-14058 | — | Low | 0.21 | 3.2 | 0.00 | — | Jan 14, 2026 | A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. |
| CVE-2024-53701 | — | Low | 0.20 | 3.1 | 0.00 | — | Nov 29, 2024 | Multiple FCNT Android devices provide the original security features such as "privacy mode" where arbitrary applications can be set not to be displayed, etc. Under certain conditions, and when an attacker can directly operate the device whose screen is unlocked by a user,… |
| CVE-2026-40184 | — | Low | 0.17 | 3.7 | 0.00 | — | Apr 10, 2026 | TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2. |
| CVE-2020-13927 | — | — | 0.16 | — | 1.00 | KEV | Nov 10, 2020 | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at… |
| CVE-2023-4505 | — | Low | 0.14 | 2.2 | 0.01 | — | Sep 27, 2023 | The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers,… |
| CVE-2025-8943 | — | — | 0.10 | — | 0.71 | — | Aug 14, 2025 | The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise… |
| CVE-2014-9195 | — | — | 0.09 | — | 0.81 | — | Jan 17, 2015 | Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. |
| CVE-2014-4872 | — | — | 0.09 | — | 0.80 | — | Oct 10, 2014 | BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2)… |
| CVE-2020-12492 | — | Low | 0.07 | — | 0.00 | — | Nov 25, 2024 | Improper handling of WiFi information by framework services can allow certain malicious applications to obtain sensitive information. |
| CVE-2023-4506 | — | Low | 0.07 | 2.2 | 0.01 | — | Sep 27, 2023 | The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with… |
| CVE-2022-45933 | — | — | 0.07 | — | 0.52 | — | Nov 27, 2022 | KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor's position is that KubeView was… |
| CVE-2021-41266 | — | — | 0.07 | — | 0.47 | — | Nov 15, 2021 | Minio console is a graphical user interface for the MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and… |
| CVE-2021-27358 | — | — | 0.07 | — | 0.83 | — | Mar 18, 2021 | The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. |
| CVE-2020-9480 | — | — | 0.07 | — | 0.29 | — | Jun 23, 2020 | In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the… |
| CVE-2022-38817 | — | — | 0.06 | — | 0.03 | — | Oct 3, 2022 | Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data. |
| CVE-2022-23944 | — | — | 0.06 | — | 0.79 | — | Jan 25, 2022 | User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |
| CVE-2021-29442 | — | — | 0.05 | — | 0.65 | — | Apr 27, 2021 | Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove… |
| CVE-2020-12478 | — | — | 0.03 | — | 0.07 | — | Apr 29, 2020 | TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files. |
| CVE-2009-1780 | — | — | 0.03 | — | 0.04 | — | May 22, 2009 | admin.php in Frax.dk Php Recommend 1.3 and earlier does not require authentication when the user password is changed, which allows remote attackers to gain administrative privileges via modified form_admin_user and form_admin_pass parameters. |