CWE-307

Improper Restriction of Excessive Authentication Attempts

Parent: CWE-1390 - Weak Authentication

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

586 vulnerabilities with CWE-307
CVE | Severity | Score | Title
CVE-2026-40485 | MEDIUM | CVSS 5.3 | ChurchCRM: Username Enumeration via Differential Response in Public Login API
CVE-2026-22616 | MEDIUM | CVSS 6.5 | Eaton IPP Software <2.0 - Auth Bypass
CVE-2026-33667 | HIGH | CVSS 7.4 | OpenProject: 2FA OTP Verification Missing Rate Limiting
CVE-2026-2402 | MEDIUM | CVSS 5.3 | Schneider Electric PowerChute Serial Shutdown <=v1.4 - Auth Bypass
CVE-2026-35597 | MEDIUM | CVSS 5.9 | Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout
CVE-2026-35646 | MEDIUM | CVSS 4.8 | OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation
CVE-2026-35628 | MEDIUM | CVSS 4.8 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
CVE-2026-35623 | MEDIUM | CVSS 4.8 | OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting
CVE-2026-33580 | MEDIUM | CVSS 6.5 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication
CVE-2026-34505 | MEDIUM | CVSS 6.5 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
CVE-2026-33879 | CRITICAL | CVSS 9.8 | FLIP doesn't have rate limiting or brute-force protection on login
CVE-2026-33763 | MEDIUM | CVSS 5.3 | AVideo <=26.0 Video Password Oracle - Brute Force
CVE-2026-33935 | HIGH | CVSS 7.5 | MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
CVE-2026-33640 | CRITICAL | CVSS 9.8 | Outline 0.86.0-1.5.x Email OTP - Rate Limit Bypass
CVE-2026-33152 | CRITICAL | CVSS 9.1 | Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication
CVE-2026-33419 | HIGH | CVSS 7.5 | MinIO: LDAP login brute-force via user enumeration and missing rate limit
CVE-2026-31851 | CRITICAL | CVSS 9.8 | Lack of rate limiting allows brute-force attacks in Nexxt Nebula 300+
CVE-2026-31904 | HIGH | CVSS 7.5 | CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts
CVE-2026-31903 | HIGH | CVSS 7.5 | IGL-Technologies eParking.fi Improper Restriction of Excessive Authentication Attempts
CVE-2026-32025 | HIGH | CVSS 7.5 | OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass
CVE-2026-32295 | HIGH | CVSS 7.5 | JetKVM insufficient login rate limiting
CVE-2026-32292 | HIGH | CVSS 7.5 | GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting
CVE-2026-32729 | HIGH | CVSS 8.1 | Runtipi < 4.8.1 - Two-Factor Authentication Bypass via TOTP Brute-Force
CVE-2026-31863 | LOW | CVSS 3.6 | Anytype Heart <0.48.4 - Auth Bypass
CVE-2026-30959 | MEDIUM | CVSS 5.0 | OneUptime < 10.0.21 - Authenticated Authorization Bypass via Resend-Verification-Code Endpoint