CWE-287

High likelihood

Improper Authentication

Parent: CWE-284 - Improper Access Control

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

4,195 vulnerabilities with CWE-287
CVE-2026-6126 HIGH
zhayujie chatgpt-on-wechat CowAgent Administrative HTTP Endpoint missing authentication
CVSS 7.3
CVE-2026-40178 MEDIUM
ajenti.plugin.core has a race condition in 2FA
CVSS 5.9
CVE-2026-40177 HIGH
Password bypass when 2FA is activated
CVSS 7.5
CVE-2026-34727 HIGH
Vikunja has a TOTP Two-Factor Authentication Bypass via OIDC Login Path
CVSS 7.4
CVE-2026-4664 MEDIUM
Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter
CVSS 5.3
CVE-2026-40109 LOW
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
CVSS 3.1
CVE-2026-34500 MEDIUM
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
CVSS 6.5
CVE-2026-29145 CRITICAL
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
CVSS 9.1
CVE-2026-39976 HIGH
Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens
CVSS 7.1
CVE-2026-5959 MEDIUM
GL.iNet GL-RM1/GL-RM10/GL-RM10RC/GL-RM1PE Factory Reset improper authentication
CVSS 6.6
CVE-2026-39411 MEDIUM
LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
CVSS 5.0
CVE-2026-5795 HIGH
Eclipse Foundation Eclipse Jetty < 12.1.7 - Privilege Escalation
CVSS 7.4
CVE-2026-39322 HIGH
PolarLearn: Any password authenticates banned accounts and grants API access
CVSS 8.8
CVE-2026-39324 CRITICAL
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
CVSS 9.8
CVE-2026-5676 HIGH
Totolink A8000R cstecgi.cgi setLanguageCfg missing authentication
CVSS 7.3
CVE-2026-35030 CRITICAL
LiteLLM has an authentication bypass via OIDC userinfo cache key collision
CVSS 9.1
CVE-2026-5632 HIGH
assafelovic gpt-researcher HTTP REST API Endpoint missing authentication
CVSS 7.3
CVE-2026-5616 HIGH
JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication
CVSS 7.3
CVE-2026-5570 HIGH
Technostrobe HI-LED-WR120-G2 LoginCB index_config improper authentication
CVSS 7.3
CVE-2026-5557 MEDIUM
badlogic pi-mono pi-mom Slack Bot slack.ts authentication bypass
CVSS 6.3
CVE-2026-34990 HIGH
OpenPrinting CUPS: Local print admin token disclosure using temporary printers
CVSS 7.8
CVE-2026-33175 HIGH
OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims
CVSS 8.8
CVE-2026-32173 HIGH
Azure SRE Agent Information Disclosure Vulnerability
CVSS 8.6
CVE-2026-34834 HIGH
Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation
CVSS 7.5
CVE-2026-34736 MEDIUM
Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API
CVSS 5.3