CWE-307
Improper Restriction of Excessive Authentication Attempts
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (225)
page 9 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1409 | | Low | 0.13 | 2.0 | 0.00 | | Jan 26, 2026 | A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the… |
| CVE-2025-24806 | | Low | 0.08 | — | 0.00 | | Feb 19, 2025 | Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via both username and email the regulation system treats these as separate login… |
| CVE-2026-44596 | | | 0.03 | — | 0.00 | | May 27, 2026 | Summary: The authentication endpoint `POST /auth/token` in `yamcs-core` lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account. … |
| CVE-2026-55795 | | | 0.00 | — | — | | Jun 19, 2026 | Summary: The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided. Details: When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate… |
| CVE-2026-47380 | | Low | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details: The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a… |
| CVE-2025-61081 | | — | 0.00 | — | 0.00 | | May 19, 2026 | Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. |
| CVE-2026-34508 | | — | 0.00 | — | — | | Mar 31, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. |
| CVE-2026-32025 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform… |
| CVE-2026-31863 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and… |
| CVE-2026-30959 | | — | 0.00 | — | 0.00 | | Mar 10, 2026 | OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects… |
| CVE-2026-27801 | | | 0.00 | — | 0.00 | | Mar 4, 2026 | Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can… |
| CVE-2025-67853 | | | 0.00 | — | 0.00 | | Feb 3, 2026 | A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. |
| CVE-2025-66482 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been… |
| CVE-2025-62257 | | | 0.00 | — | 0.00 | | Oct 29, 2025 | Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows… |
| CVE-2025-10928 | | | 0.00 | — | 0.00 | | Oct 29, 2025 | Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5. |
| CVE-2025-64102 | | | 0.00 | — | 0.00 | | Oct 29, 2025 | Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or… |
| CVE-2025-26862 | | Non | 0.00 | — | 0.00 | | Oct 27, 2025 | Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks. |
| CVE-2025-62399 | | | 0.00 | — | 0.00 | | Oct 23, 2025 | Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks. |
| CVE-2025-57816 | | | 0.00 | — | 0.00 | | Sep 8, 2025 | Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected… |
| CVE-2025-57815 | | | 0.00 | — | 0.00 | | Sep 8, 2025 | Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could… |