CWE-603
Use of Client-Side Authentication
Base | Draft
Description
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
CVEs mapped to this weakness (7)
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-1363 | Critical | 0.64 | 9.8 | 0.00 | | Jan 23, 2026 | IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end. |
| CVE-2025-12868 | Critical | 0.64 | 9.8 | 0.00 | | Nov 10, 2025 | New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website. |
| CVE-2017-7909 | Critical | 0.64 | 9.8 | 0.02 | | May 6, 2017 | A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages. |
| CVE-2025-64119 | Critical | 0.60 | — | 0.00 | | Jan 2, 2026 | A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9. |
| CVE-2026-40551 | High | 0.55 | — | 0.00 | | Apr 28, 2026 | mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below. |
| CVE-2025-24517 | High | 0.49 | 7.5 | 0.01 | | Mar 31, 2025 | Use of client-side authentication issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a remote attacker may obtain the product login password without authentication. |
| CVE-2024-28627 | High | 0.49 | 7.5 | 0.00 | | Apr 23, 2024 | An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file. |