
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 is a critical authentication weakness in which a system fails to adequately verify the identity of an actor claiming a given identity. The flaw lets attackers bypass security controls by exploiting insufficient verification, gaining unauthorized access through stolen credentials, brute-force guessing, or session hijacking. When authentication logic is flawed, malicious actors can impersonate legitimate users, leading to data breaches and privilege escalation. Developers mitigate this risk by adopting robust, multi-factor authentication and by making identity verification rigorous and resistant to common attack vectors. Strictly validating credentials against securely stored, hashed credential data and applying adaptive security measures significantly reduces the likelihood of unauthorized access, protecting sensitive information and preserving system integrity against sophisticated threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Bad example (Perl):

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Attack: because the code trusts the loggedin and user cookies without binding them to a server-side session, a request that simply presents both cookies never reaches AuthenticateUser at all.

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
Values marked (AI) carried an AI flag in the source listing; a severity of "-" means none was listed.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-46641 | Dell PowerProtect Data Domain (Dell PowerProtect DD) security vulnerability | PowerProtect Data Domain | 6.6 | Medium | 2026-04-17 |
| CVE-2025-46607 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain | 6.6 | Medium | 2026-04-17 |
| CVE-2026-32072 | Active Directory Spoofing Vulnerability | Windows 10 Version 1607 | 6.2 | Medium | 2026-04-14 |
| CVE-2026-23708 | Fortinet FortiSOAR PaaS and Fortinet FortiSOAR on-premise authorization issue vulnerability | FortiSOAR PaaS | 6.7 | High | 2026-04-14 |
| CVE-2026-40178 | ajenti.plugin.core has a race condition in 2FA | ajenti | 8.1 | - | 2026-04-10 |
| CVE-2026-40177 | Password bypass when 2FA is activated | ajenti | 9.8 (AI) | Critical (AI) | 2026-04-10 |
| CVE-2026-34727 | Vikunja has a TOTP Two-Factor Authentication Bypass via OIDC Login Path | vikunja | 7.4 | High | 2026-04-10 |
| CVE-2026-4664 | Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter | Customer Reviews for WooCommerce | 5.3 | Medium | 2026-04-10 |
| CVE-2026-40109 | Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering | notification-controller | 3.1 | Low | 2026-04-09 |
| CVE-2026-39976 | Laravel Passport's TokenGuard Authenticates Unrelated User for Client Credentials Tokens | passport | 7.1 | High | 2026-04-09 |
| CVE-2026-5959 | GL.iNet GL-RM1/GL-RM10/GL-RM10RC/GL-RM1PE Factory Reset improper authentication | GL-RM1 | 6.6 | Medium | 2026-04-09 |
| CVE-2026-39411 | LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header | lobehub | 5.0 | Medium | 2026-04-08 |
| CVE-2026-39322 | PolarLearn: Any password authenticates banned accounts and grants API access | PolarLearn | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-39324 | Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization | rack-session | 7.4 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35030 | LiteLLM has an authentication bypass via OIDC userinfo cache key collision | litellm | 6.5 (AI) | Medium (AI) | 2026-04-06 |
| CVE-2026-5570 | Technostrobe HI-LED-WR120-G2 LoginCB index_config improper authentication | HI-LED-WR120-G2 | 7.3 | High | 2026-04-05 |
| CVE-2017-20235 | ProSoft Technology ICX35-HWC Authentication Bypass | ICX35-HWC Cellular Gateway | 8.8 | Critical | 2026-04-03 |
| CVE-2018-25236 | Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management | Hirschmann HiOS | 9.8 | Critical | 2026-04-03 |
| CVE-2026-33175 | OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims | oauthenticator | 8.8 | High | 2026-04-03 |
| CVE-2026-34990 | OpenPrinting CUPS: Local print admin token disclosure using temporary printers | cups | 7.8 (AI) | High (AI) | 2026-04-03 |
| CVE-2017-20237 | Hirschmann Industrial HiVision Authentication Bypass Remote Code Execution | Hirschmann Industrial HiVision | 9.8 | Critical | 2026-04-03 |
| CVE-2026-32173 | Azure SRE Agent Information Disclosure Vulnerability | Azure SRE Agent Gateway - SignalR Hub | 8.6 | High | 2026-04-02 |
| CVE-2024-14034 | Hirschmann HiEOS Authentication Bypass via HTTP Management Module | Hirschmann HiEOS LRS11 | 9.8 | Critical | 2026-04-02 |
| CVE-2026-34834 | Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation | webmail | 8.2 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-34736 | Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API | openedx-platform | 5.3 | Medium | 2026-04-02 |
| CVE-2026-34121 | Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential of TP-Link Tapo C520WS | Tapo C520WS v2.6 | 5.3 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-33746 | Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users | panel | 9.8 | Critical | 2026-04-02 |
| CVE-2026-34531 | Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client | Flask-HTTPAuth | 6.5 | Medium | 2026-04-01 |
| CVE-2026-4101 | Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access | Verify Identity Access Container | 8.1 | High | 2026-04-01 |
| CVE-2026-34072 | cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution | cronmaster | 8.3 | High | 2026-04-01 |

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.