CWE-287

Exploit likelihood: High

Improper Authentication

Parent: CWE-284 - Improper Access Control

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
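Several entries in the list below share one shape of this weakness: the verifier runs with an empty or unset secret, an empty password, or an empty token and treats that as "nothing to check" rather than as a failure (empty HMAC secret, empty LDAP password, empty recovery token, hardcoded JWT secret). The following is an added, constructed example, not code from any project listed on this page: a minimal HMAC-signed session token, a verifier that fails to prove the identity claim in the way those titles describe, and a hardened verifier beside it. All names (issue_token, verify_vulnerable, verify_hardened, SERVER_SECRET) and the sample tokens are assumptions made for the example.

```python
"""Constructed CWE-287 example: HMAC session tokens, a vulnerable verifier
and a hardened one. Not the code of any project on this page."""
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Raised by the hardened verifier when the identity claim is not proven."""


MIN_SECRET_BYTES = 32  # assumption: HMAC-SHA256 key should be at least 256 bits


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    # Re-pad; raises binascii.Error (a ValueError) on malformed input.
    return base64.urlsafe_b64decode((text + "=" * (-len(text) % 4)).encode("ascii"))


def issue_token(secret: bytes, claims: dict) -> str:
    """Server-side issuance: <base64url(JSON claims)>.<base64url(HMAC-SHA256)>."""
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(mac)}"


def verify_vulnerable(secret: bytes, token: str):
    """Improper authentication (CWE-287), two defects:
    1. An empty/unset secret is read as 'signing disabled', so the claims are
       trusted as-is and anyone can mint a token for any subject.
    2. The MAC is compared with '==', which is not constant-time."""
    body, _, mac = token.partition(".")
    claims = json.loads(_b64u_decode(body))  # parses untrusted input before auth
    if not secret:
        return claims  # <- the bypass: identity claim returned unverified
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if _b64u_decode(mac) == expected:
        return claims
    return None


def verify_hardened(secret: bytes, token: str, now=None) -> dict:
    """Refuses to run without a real secret, parses strictly, compares the MAC
    in constant time, then enforces expiry. Returns claims or raises AuthError."""
    if not secret or len(secret) < MIN_SECRET_BYTES:
        raise AuthError("signing secret unset or too short; refusing to verify")
    parts = token.split(".")
    if len(parts) != 2 or not all(parts):
        raise AuthError("malformed token")
    body, mac = parts
    try:
        supplied = _b64u_decode(mac)
    except ValueError:
        raise AuthError("malformed signature") from None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(supplied, expected):
        raise AuthError("bad signature")
    # Only now is the body trusted enough to parse.
    claims = json.loads(_b64u_decode(body))
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise AuthError("token expired or missing exp")
    return claims


def outcome(fn, *args) -> str:
    """Run a verifier and report the accepted subject or the refusal reason."""
    try:
        claims = fn(*args)
    except AuthError as err:
        return f"rejected: {err}"
    return f"accepted: {claims['sub']}" if claims else "rejected: bad signature"


# Constructed sample data: a fixed server key and two tokens.
SERVER_SECRET = hashlib.sha256(b"constructed-demo-secret").digest()  # 32 bytes
LEGIT = issue_token(SERVER_SECRET, {"sub": "alice", "exp": 2_000_000_000})
FORGED = issue_token(b"attacker-guess", {"sub": "admin", "exp": 2_000_000_000})

if __name__ == "__main__":
    print(outcome(verify_vulnerable, b"", FORGED))                 # accepted: admin (bypass)
    print(outcome(verify_hardened, b"", FORGED))                   # rejected: secret unset
    print(outcome(verify_hardened, SERVER_SECRET, FORGED))         # rejected: bad signature
    print(outcome(verify_hardened, SERVER_SECRET, LEGIT, 1_999_999_999))  # accepted: alice
    print(outcome(verify_hardened, SERVER_SECRET, LEGIT, 2_000_000_001))  # rejected: expired
```

The point of the hardened version is the order of checks: a missing or weak secret is a deployment error that fails closed rather than downgrading to "no authentication", the signature is verified before any claim is parsed, and expiry is enforced after the signature so an attacker cannot probe the parser with unsigned input.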

4,319 vulnerabilities with CWE-287
CVE-2026-2812 MEDIUM
Improper Authentication issue in ArcGIS Server
CVSS 5.3
CVE-2026-9084 MEDIUM
MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations
CVE-2026-6456 HIGH
Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation
CVSS 8.8
CVE-2026-36829 CRITICAL
Panabit PAP-XM320 <= v7.7 - Authentication Bypass via Directory Traversal in Session Cookie Validation
CVSS 9.8
CVE-2026-45434 CRITICAL
Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE
CVSS 9.8
CVE-2026-31387 MEDIUM
Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation
CVSS 5.3
CVE-2026-42822 CRITICAL
Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability
CVSS 10.0
CVE-2026-8737 MEDIUM
Sanluan PublicCMS Trade Address Query TradeAddressListDirective.java execute missing authentication
CVSS 5.3
CVE-2026-44551 CRITICAL
Open WebUI: LDAP Empty Password Authentication Bypass
CVSS 9.1
CVE-2026-5229 CRITICAL
Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback
CVSS 9.8
CVE-2026-8621 HIGH
Crabbox < v0.12.0 Authentication Bypass via Header Spoofing
CVSS 8.8
CVE-2026-20182 CRITICAL (listed in the CISA Known Exploited Vulnerabilities catalog)
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
CVSS 10.0
CVE-2026-8181 CRITICAL
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
CVSS 9.8
CVE-2026-44478 HIGH
hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token
CVSS 7.5
CVE-2026-42602 HIGH
azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
CVSS 8.1
CVE-2026-44351 CRITICAL
fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
CVSS 9.1
CVE-2026-33377 HIGH
Dashboard Import Overwrites ACL — Editor Privilege Escalation to Dashboard Admin
CVSS 7.1
CVE-2026-44547 CRITICAL
ChurchCRM 7.2.0-7.2.2 Public API Login - Authentication Bypass
CVSS 9.6
CVE-2026-42855 HIGH
arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack
CVSS 7.5
CVE-2026-44196 CRITICAL
Pingvin Share X: TOTP Authentication Bypass via Password-only Login
CVSS 9.1
CVE-2026-44166 HIGH
Pocketbase: Account pre-hijacking via OAuth2 unverified->verified autolinking upgrade
CVSS 7.6
CVE-2026-33117 CRITICAL
Azure SDK for Java Security Feature Bypass Vulnerability
CVSS 9.1
CVE-2026-8321 HIGH
inkeep agents runAuth Middleware runAuth.ts createDevContext authentication bypass
CVSS 7.3
CVE-2026-42869 CRITICAL
SOCFortress CoPilot: Hardcoded JWT secret allows unauthenticated full admin compromise and lateral movement into all integrated SOC tools
CVSS 10.0
CVE-2026-8305 HIGH
OpenClaw bluebubbles Webhook monitor.ts handleBlueBubblesWebhookRequest improper authentication
CVSS 7.3