CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
Page 44 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32231 | | | 0.00 | — | 0.00 | | Mar 12, 2026 | ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to… |
| CVE-2026-30933 | | | 0.00 | — | 0.01 | | Mar 10, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password-protected shares still disclose the tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in… |
| CVE-2026-30885 | | | 0.00 | — | 0.00 | | Mar 9, 2026 | WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist… |
| CVE-2026-29613 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords.… |
| CVE-2026-29606 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to… |
| CVE-2026-28472 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or… |
| CVE-2026-28468 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate… |
| CVE-2026-28458 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data.… |
| CVE-2026-28450 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway… |
| CVE-2026-27012 | | | 0.00 | — | 0.01 | | Mar 3, 2026 | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly… |
| CVE-2026-28352 | | | 0.00 | — | 0.00 | | Feb 27, 2026 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint.… |
| CVE-2026-24004 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android… |
| CVE-2026-27595 | | | 0.00 | — | 0.00 | | Feb 25, 2026 | Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (POST `/apps/:appId/agent`) has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to… |
| CVE-2026-27584 | | | 0.00 | — | 0.00 | | Feb 24, 2026 | Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and… |
| CVE-2026-27482 | | | 0.00 | — | 0.00 | | Feb 21, 2026 | Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page… |
| CVE-2026-26319 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events.… |
| CVE-2026-26190 | | | 0.00 | — | 0.28 | | Feb 13, 2026 | Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from… |
| CVE-2026-25895 | | | 0.00 | — | 0.03 | | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This… |
| CVE-2026-25938 | | | 0.00 | — | 0.01 | | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has… |
| CVE-2026-25878 | | | 0.00 | — | 0.00 | | Feb 9, 2026 | FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to… |