CWE-306 — Missing Authentication for Critical Function

2,159 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.

CVEs classified under CWE-306 (page 27 of 44)
- CVE-2024-27169 | HIGH | CVSS 8.4 | EG 8.4 | 2024-06-14
  Toshiba printers provide an API without authentication for internal access. A local attacker can bypass authentication in applications, gaining administrative access. As for the affected products/models/versions, see the reference URL.
- CVE-2024-27758 | HIGH | CVSS 8.4 | EG 8.4 | 2024-03-12
  In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
- CVE-2024-27890 | CRITICAL | CVSS 9.6 | EG 9.6 | 2026-06-04
  On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
- CVE-2024-27892 | CRITICAL | CVSS 9.6 | EG 9.6 | 2026-06-04
  On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch.
- CVE-2024-27942 | HIGH | CVSS 7.5 | EG 7.5 | 2024-05-14
  A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any u…
- CVE-2024-28179 | CRITICAL | CVSS 9.0 | EG 9.0 | 2024-03-20
  Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication…
- CVE-2024-2860 | HIGH | CVSS 7.8 | EG 7.8 | 2024-05-08
  The PostgreSQL implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication flaw. An attacker accessing the VM where the Brocade SANnav is installed can gain access to sensitive data inside the…
- CVE-2024-2921 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-03-26
  Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to the PAM to access unauthorized PAM entries via a specific set of permissions.
- CVE-2024-30391 | MEDIUM | CVSS 4.8 | EG 4.8 | 2024-04-12
  A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impa…
- CVE-2024-31218 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-05
  Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerabilit…
- CVE-2024-31525 | HIGH | CVSS 7.2 | EG 7.2 | 2025-03-05
  Peppermint Ticket Management 0.4.6 is vulnerable to Incorrect Access Control. A regular registered user is able to elevate their privileges to admin and gain complete access to the system as the authorization mechanism is not validated on th…
- CVE-2024-31684 | LOW | CVSS 3.5 | EG 3.5 | 2024-06-03
  Incorrect access control in the fingerprint authentication mechanism of Bitdefender Mobile Security v4.11.3-gms allows attackers to bypass fingerprint authentication due to the use of a deprecated API.
- CVE-2024-31916 | HIGH | CVSS 7.5 | EG 7.5 | 2024-06-27
  IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-Force ID: 290026.
- CVE-2024-3219 | MEDIUM | CVSS 5.1 | EG 0.0 | 2024-07-29
  The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connect…
- CVE-2024-32735 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-05-14
  An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the applicatio…
- CVE-2024-32752 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-06-06
  The iSTAR door controllers running firmware prior to version 6.6.B do not support authenticated communications with ICU, which may allow an attacker to gain unauthorized access.
- CVE-2024-32764 | CRITICAL | CVSS 9.9 | EG 9.9 | 2024-04-26
  A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fix…
- CVE-2024-32765 | MEDIUM | CVSS 4.2 | EG 4.2 | 2024-08-12
  A vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow local authenticated administrators to gain access to and execute certain functions via unspecified vectors. We have already …
- CVE-2024-3279 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-08-12
  An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their…
- CVE-2024-3281 | HIGH | CVSS 8.8 | EG 8.8 | 2024-04-09
  A vulnerability was discovered in the firmware builds after 8.0.2.3267 and prior to 8.1.3.1301 in CCX devices. A flaw in the firmware build process did not properly restrict access to a resource from an unauthorized actor.
- CVE-2024-33616 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-11-26
  Admin authentication can be bypassed with some specific invalid credentials, which allows logging in with an administrative privilege. Sharp Corporation states the telnet feature is implemented on older models only, and is planning to prov…
- CVE-2024-33622 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-06-18
  Missing authentication for critical function vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, sensitive information may be obtained and/or the information stored in the database…
- CVE-2024-35124 | HIGH | CVSS 7.5 | EG 7.5 | 2024-08-13
  A vulnerability in the combination of the OpenBMC's FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management allows an attacker to gain administrative access to the BM…
- CVE-2024-35143 | MEDIUM | CVSS 6.7 | EG 6.7 | 2024-08-04
  IBM Planning Analytics Local 2.0 and 2.1 connects to a MongoDB server. MongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without password authentication. A remote attac…
- CVE-2024-35151 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-08-22
  IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.
- CVE-2024-35277 | HIGH | CVSS 8.6 | EG 8.6 | 2025-01-14
  A missing authentication for critical function in Fortinet FortiPortal version 6.0.0 through 6.0.15, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to access the…
- CVE-2024-35293 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-10-02
  An unauthenticated remote attacker may use a missing authentication for critical function vulnerability to reboot or erase the affected devices, resulting in data loss and/or a DoS.
- CVE-2024-35294 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-10-02
  An unauthenticated remote attacker may use the device's traffic capture without authentication to grab plaintext administrative credentials.
- CVE-2024-35295 | MEDIUM | CVSS 6.1 | EG 6.1 | 2025-06-11
  A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0 < V8.3.3 with NXGPro+ controller manufactured between April 2020 to April 2025). The maintenance connection of affected devices fails to protect access to t…
- CVE-2024-35342 | MEDIUM | CVSS 4.6 | EG 4.6 | 2024-05-28
  Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-…
- CVE-2024-36388 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-06-02
  MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function
- CVE-2024-36445 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-08-22
  Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication.
- CVE-2024-36457 | MEDIUM | CVSS 5.3 | EG 0.0 | 2024-07-15
  The vulnerability allows an attacker to bypass the authentication requirements for a specific PAM endpoint.
- CVE-2024-36470 | HIGH | CVSS 8.1 | EG 8.1 | 2024-05-29
  In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5, authentication bypass was possible in specific edge cases.
- CVE-2024-36555 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-02-06
  Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allows malicious users to change …
- CVE-2024-3661 | HIGH | CVSS 7.6 | EG 8.8 | 2024-05-06
  DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on t…
- CVE-2024-3701 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-15
  The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services.
- CVE-2024-37152 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-06-06
  Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidde…
- CVE-2024-37303 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-12-03
  Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such…
- CVE-2024-37368 | HIGH | CVSS 7.5 | EG 7.5 | 2024-06-14
  A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the l…
- CVE-2024-3774 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-04-15
  aEnrich Technology a+HRD's functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration…
- CVE-2024-37767 | HIGH | CVSS 7.5 | EG 7.5 | 2024-07-05
  Insecure permissions in the component /api/admin/user of 14Finger v1.1 allow attackers to access all user information via a crafted GET request.
- CVE-2024-3777 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-15
  The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password.
- CVE-2024-37991 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-09-10
  A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versi…
- CVE-2024-38143 | MEDIUM | CVSS 4.2 | EG 4.2 | 2024-08-13
  Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
- CVE-2024-38279 | MEDIUM | CVSS 4.6 | EG 4.6 | 2024-06-13
  The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.
- CVE-2024-38437 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-21
  D-Link - CWE-288: Authentication Bypass Using an Alternate Path or Channel
- CVE-2024-38643 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-22
  A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions. We have already fixed …
- CVE-2024-39273 | CRITICAL | CVSS 9.0 | EG 9.0 | 2025-01-14
  A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmware update. An attacker can perform a man-in-the-middle attack to tri…
- CVE-2024-39300 | LOW | CVSS 3.7 | EG 8.1 | 2024-08-30
  Missing authentication vulnerability exists in the Telnet function of WAB-I1750-PS v1.5.10 and earlier. When the Telnet function of the product is enabled, a remote attacker may log in to the product without authentication and alter the product's s…