CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
page 43 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30824 | 0.02 | — | 0.36 | Mar 7, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container… | |||
| CVE-2007-0956 | 0.02 | — | 0.30 | Apr 6, 2007 | The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882. | |||
| CVE-2026-27944 | 0.01 | — | 0.22 | Mar 5, 2026 | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an… | |||
| CVE-2026-56266 | 0.00 | — | 0.00 | Jun 22, 2026 | Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4… | |||
| CVE-2026-55837 | 0.00 | — | — | Jun 19, 2026 | ## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens ### Summary The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes… | |||
| CVE-2026-54776 | 0.00 | — | — | Jun 19, 2026 | ### Impact A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the… | |||
| CVE-2026-48814 | 0.00 | — | 0.00 | Jun 17, 2026 | Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing… | |||
| CVE-2026-53869 | 0.00 | — | 0.01 | Jun 17, 2026 | Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events… | |||
| CVE-2026-47671 | 0.00 | — | 0.00 | Jun 4, 2026 | ### Summary The hidden `nhost configserver` used by `nhost dev` exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service,… | |||
| CVE-2026-47122 | 0.00 | — | 0.00 | May 29, 2026 | ## Summary AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. ## Details `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1… | |||
| CVE-2026-33159 | 0.00 | — | 0.00 | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions… | |||
| CVE-2026-33719 | 0.00 | — | 0.00 | Mar 23, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key… | |||
| CVE-2026-33231 | 0.00 | — | 0.01 | Mar 20, 2026 | NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet… | |||
| CVE-2026-33203 | 0.00 | — | 0.01 | Mar 20, 2026 | SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type… | |||
| CVE-2026-33038 | 0.00 | — | 0.00 | Mar 20, 2026 | WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin… | |||
| CVE-2026-32041 | 0.00 | — | 0.00 | Mar 19, 2026 | OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control… | |||
| CVE-2026-22174 | 0.00 | — | 0.00 | Mar 18, 2026 | OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes… | |||
| CVE-2026-2603 | 0.00 | — | 0.00 | Mar 18, 2026 | A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when… | |||
| CVE-2026-32594 | 0.00 | — | 0.00 | Mar 13, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication,… | |||
| CVE-2026-31882 | 0.00 | — | 0.01 | Mar 13, 2026 | Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to… |
- CVE-2026-30824Mar 7, 2026risk 0.02cvss —epss 0.36
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router (/api/v1/nvidia-nim/*) is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container…
- CVE-2007-0956Apr 6, 2007risk 0.02cvss —epss 0.30
The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.
- CVE-2026-27944Mar 5, 2026risk 0.01cvss —epss 0.22
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an…
- CVE-2026-56266Jun 22, 2026risk 0.00cvss —epss 0.00
Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4…
- CVE-2026-55837Jun 19, 2026risk 0.00cvss —epss —
## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens ### Summary The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes…
- CVE-2026-54776Jun 19, 2026risk 0.00cvss —epss —
### Impact A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the…
- CVE-2026-48814Jun 17, 2026risk 0.00cvss —epss 0.00
Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool invocation due to an empty default secret. This issue was partially addressed by CVE-2026-46701 in version 5.4.5 by closing…
- CVE-2026-53869Jun 17, 2026risk 0.00cvss —epss 0.01
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events…
- CVE-2026-47671Jun 4, 2026risk 0.00cvss —epss 0.00
### Summary The hidden `nhost configserver` used by `nhost dev` exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service,…
- CVE-2026-47122May 29, 2026risk 0.00cvss —epss 0.00
## Summary AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. ## Details `Autoupdate/AppInstaller.m`'s `shouldAcceptNewConnection:` only enforces `SUCodeSigningVerifier validateConnection:` before stage 1…
- CVE-2026-33159Mar 24, 2026risk 0.00cvss —epss 0.00
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions…
- CVE-2026-33719Mar 23, 2026risk 0.00cvss —epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key…
- CVE-2026-33231Mar 20, 2026risk 0.00cvss —epss 0.01
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet…
- CVE-2026-33203Mar 20, 2026risk 0.00cvss —epss 0.01
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type…
- CVE-2026-33038Mar 20, 2026risk 0.00cvss —epss 0.00
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin…
- CVE-2026-32041Mar 19, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control…
- CVE-2026-22174Mar 18, 2026risk 0.00cvss —epss 0.00
OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes…
- CVE-2026-2603Mar 18, 2026risk 0.00cvss —epss 0.00
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when…
- CVE-2026-32594Mar 13, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication,…
- CVE-2026-31882Mar 13, 2026risk 0.00cvss —epss 0.01
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to…