CWE-307
Improper Restriction of Excessive Authentication Attempts
Parent: CWE-1390 - Weak Authentication
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
561 vulnerabilities with CWE-307
CVE | Severity | CVSS | Title
CVE-2026-26206 | MEDIUM | 6.5 | Wazuh: API brute-force protection bypass via race condition in login attempt tracking
CVE-2026-35902 | MEDIUM | 6.2 | MERCURY IP camera MIPC252W 1.0.5 - DoS
CVE-2026-6947 | HIGH | 7.5 | D-Link DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass
CVE-2026-41213 | MEDIUM | 5.9 | @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
CVE-2026-40586 | HIGH | 7.5 | blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection
CVE-2026-41037 | HIGH | (not listed) | Missing Rate Limiting Vulnerability in Quantum Networks Router QN-I-470
CVE-2026-40485 | MEDIUM | 5.3 | ChurchCRM: Username Enumeration via Differential Response in Public Login API
CVE-2026-22616 | MEDIUM | 6.5 | Eaton IPP Software <2.0 - Auth Bypass
CVE-2026-33667 | HIGH | 7.4 | OpenProject: 2FA OTP Verification Missing Rate Limiting
CVE-2026-2402 | MEDIUM | 5.3 | Schneider Electric PowerChute Serial Shutdown <=v1.4 - Auth Bypass
CVE-2026-35597 | MEDIUM | 5.9 | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout
CVE-2026-35646 | MEDIUM | 4.8 | OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation
CVE-2026-35628 | MEDIUM | 4.8 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
CVE-2026-35623 | MEDIUM | 4.8 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting
CVE-2026-33580 | MEDIUM | 6.5 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication
CVE-2026-34508 | MEDIUM | 6.5 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
CVE-2026-34505 | MEDIUM | 6.5 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
CVE-2026-33879 | CRITICAL | 9.8 | FLIP doesn't have rate limiting or brute-force protection on login
CVE-2026-33763 | MEDIUM | 5.3 | AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
CVE-2026-33935 | HIGH | 7.5 | MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
CVE-2026-33640 | CRITICAL | 9.8 | Outline has a rate limit bypass that allows brute force of email login OTP
CVE-2026-33152 | CRITICAL | 9.1 | Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication
CVE-2026-33419 | HIGH | 7.5 | MinIO: LDAP login brute-force via user enumeration and missing rate limit
CVE-2026-31851 | CRITICAL | 9.8 | Lack of rate limiting allows brute-force attacks in Nexxt Nebula 300+
CVE-2026-31904 | HIGH | 7.5 | CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts