CWE-306
Missing Authentication for Critical Function
MITRE
No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
showing 50 of 66
- CVE-2026-49973 · Critical · 9.4 · EPSS 0% · 3 h ago
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any n
- CVE-2026-53868 · High · 7.5 · 9 h ago
Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can pe
- CVE-2026-50287 · — · EPSS 0% · 9 h ago
@agenticmail/mcp Missing Authentication for Critical Function
npm
- CVE-2026-53981 · High · 7.6 · 13 h ago
Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as p
- CVE-2026-50085 · High · 8.6 · 14 h ago
The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platform's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and
- CVE-2026-50082 · Medium · 6.5 · 14 h ago
The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1
- CVE-2026-41940 · Critical · 9.8 · KEV · EXPLOIT · EPSS 91% · 14 h ago
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
- CVE-2023-27532 · High · 7.5 · KEV · EPSS 84% · 14 h ago
Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability
- CVE-2022-1388 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
F5 BIG-IP Missing Authentication Vulnerability
- CVE-2025-0108 · Critical · 9.1 · KEV · EPSS 94% · 14 h ago
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
- CVE-2026-24423 · Critical · 9.8 · KEV · EPSS 83% · 14 h ago
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
- CVE-2025-3248 · Critical · 9.8 · KEV · EXPLOIT · EPSS 93% · 14 h ago
Langflow Missing Authentication Vulnerability
- CVE-2023-28461 · Critical · 9.8 · KEV · EPSS 89% · 14 h ago
Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
- CVE-2024-0012 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
- CVE-2023-36847 · Medium · 5.3 · KEV · EPSS 94% · 14 h ago
Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
- CVE-2022-26925 · High · 8.1 · KEV · EPSS 37% · 14 h ago
Microsoft Windows LSA Spoofing Vulnerability
- CVE-2020-13927 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
Apache Airflow's Experimental API Authentication Bypass
- CVE-2026-39987 · Critical · 9.8 · KEV · EPSS 81% · 14 h ago
Marimo Remote Code Execution Vulnerability
- CVE-2026-35273 · Critical · 9.8 · KEV · EPSS 0% · 14 h ago
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
- CVE-2020-6287 · Critical · 10.0 · KEV · EXPLOIT · EPSS 94% · 14 h ago
SAP NetWeaver Missing Authentication for Critical Function Vulnerability
- CVE-2019-5591 · Medium · 6.5 · KEV · EPSS 51% · 14 h ago
Fortinet FortiOS Default Configuration Vulnerability
- CVE-2019-9082 · High · 8.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
ThinkPHP Remote Code Execution Vulnerability
- CVE-2020-3952 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
VMware vCenter Server Information Disclosure Vulnerability
- CVE-2024-47575 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
Fortinet FortiManager Missing Authentication Vulnerability
- CVE-2025-32433 · Critical · 10.0 · KEV · EXPLOIT · EPSS 63% · 14 h ago
Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
- CVE-2022-21587 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
Oracle E-Business Suite Unspecified Vulnerability
- CVE-2022-26143 · Critical · 9.8 · KEV · EPSS 89% · 14 h ago
MiCollab, MiVoice Business Express Access Control Vulnerability
- CVE-2020-24363 · High · 8.8 · KEV · EXPLOIT · EPSS 11% · 14 h ago
TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability
- CVE-2026-33017 · Critical · 9.8 · KEV · EPSS 25% · 14 h ago
Langflow Code Injection Vulnerability
pypi
- CVE-2025-61757 · Critical · 9.8 · KEV · EPSS 88% · 14 h ago
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability
- CVE-2022-24990 · High · 7.5 · KEV · EXPLOIT · EPSS 94% · 14 h ago
TerraMaster OS Remote Command Execution Vulnerability
- CVE-2025-4008 · High · 8.8 · KEV · EPSS 44% · 14 h ago
Smartbedded Meteobridge Command Injection Vulnerability
- CVE-2024-5910 · Critical · 9.8 · KEV · EXPLOIT · EPSS 91% · 14 h ago
Palo Alto Networks Expedition Missing Authentication Vulnerability
- CVE-2023-36851 · Medium · 5.3 · KEV · EPSS 15% · 14 h ago
Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
- CVE-2022-26501 · Critical · 9.8 · KEV · EPSS 75% · 14 h ago
Veeam Backup & Replication Remote Code Execution Vulnerability
- CVE-2021-37415 · Critical · 9.8 · KEV · EPSS 93% · 14 h ago
Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability
- CVE-2023-36846 · Medium · 5.3 · KEV · EPSS 94% · 14 h ago
Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
- CVE-2021-20021 · Critical · 9.8 · KEV · EPSS 91% · 14 h ago
SonicWall Email Security Improper Privilege Management Vulnerability
- CVE-2022-23227 · Critical · 9.8 · KEV · EPSS 54% · 14 h ago
NUUO NVRmini2 Devices Missing Authentication Vulnerability
- CVE-2020-6207 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
SAP Solution Manager Missing Authentication for Critical Function Vulnerability
- CVE-2021-44077 · Critical · 9.8 · KEV · EXPLOIT · EPSS 94% · 14 h ago
Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability
- CVE-2026-8694 · Medium · 5.3 · 15 h ago
Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
- CVE-2026-50245 · High · 7.7 · EPSS 0% · 15 h ago
Brickcom cameras allow unauthenticated access to live snapshot images via the /ONVIF endpoint and no authentication is required to retrieve still images from the camera feed.
- CVE-2026-11535 · — · EPSS 0% · 15 h ago
An unauthorized access vulnerability exists in the PcSuite APP. The vulnerability can be exploited by attackers to gain unauthorized access to the victim’s device.
- CVE-2026-11848 · Medium · 5.3 · EPSS 0% · 15 h ago
The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information.
- CVE-2026-9212 · — · EPSS 0% · 2 d ago
Insufficient authentication and input validation in the listed NETGEAR models allow users connected to the local network to execute commands impacting the product's confidentiality or change certain configurations.
- CVE-2026-9045 · High · 7.8 · EPSS 0% · 2 d ago
During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code with elevated privil
- CVE-2026-45567 · High · 8.3 · EPSS 0% · 2 d ago
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publicat
- CVE-2026-53469 · Critical · 9.1 · EPSS 0% · 2 d ago
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all cus
- CVE-2026-46612 · — · EPSS 0% · 2 d ago
Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives
go
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.