CWE-306
Missing Authentication for Critical Function
BaseDraftLikelihood: High
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (650)
page 5 of 33| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22207 | Cri | 0.64 | 9.8 | 0.00 | Feb 26, 2026 | OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration. | |
| CVE-2025-30410 | Cri | 0.64 | 9.8 | 0.00 | Feb 20, 2026 | Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 41800. | |
| CVE-2025-8350 | Cri | 0.64 | 9.8 | 0.00 | Feb 19, 2026 | Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting.This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2026-1670 | Cri | 0.64 | 9.8 | 0.00 | Feb 17, 2026 | The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address. | |
| CVE-2026-1729 | Cri | 0.64 | 9.8 | 0.00 | Feb 12, 2026 | The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators. | |
| CVE-2026-25084 | Cri | 0.64 | 9.8 | 0.00 | Feb 11, 2026 | Authentication for ZLAN5143D can be bypassed by directly accessing internal URLs. | |
| CVE-2026-24789 | Cri | 0.64 | 9.8 | 0.00 | Feb 11, 2026 | An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication. | |
| CVE-2026-2249 | Cri | 0.64 | 9.8 | 0.00 | Feb 11, 2026 | METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services. | |
| CVE-2026-2248 | Cri | 0.64 | 9.8 | 0.00 | Feb 11, 2026 | METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations | |
| CVE-2025-8025 | Cri | 0.64 | 9.8 | 0.00 | Feb 11, 2026 | Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2022-50981 | Cri | 0.64 | 9.8 | 0.00 | Feb 2, 2026 | An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | |
| CVE-2026-1453 | Cri | 0.64 | 9.8 | 0.00 | Jan 29, 2026 | A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product. | |
| CVE-2021-47891 | Cri | 0.64 | 9.8 | 0.00 | Jan 23, 2026 | Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. | |
| CVE-2026-1364 | Cri | 0.64 | 9.8 | 0.00 | Jan 23, 2026 | IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. | |
| CVE-2025-14346 | Cri | 0.64 | 9.8 | 0.00 | Jan 5, 2026 | WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction. | |
| CVE-2019-25240 | Cri | 0.64 | 9.8 | 0.00 | Dec 24, 2025 | Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication. | |
| CVE-2019-25236 | Cri | 0.64 | 9.8 | 0.00 | Dec 24, 2025 | iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication. | |
| CVE-2018-25134 | Cri | 0.64 | 9.8 | 0.00 | Dec 24, 2025 | Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative accounts and gain unauthorized control over power supply management. | |
| CVE-2025-43428 | Cri | 0.64 | 9.8 | 0.00 | Dec 17, 2025 | A configuration issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Photos in the Hidden Photos Album may be viewed without authentication. | |
| CVE-2025-11007 | Cri | 0.64 | 9.8 | 0.00 | Nov 4, 2025 | The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site. |