
CWE-287 (Improper Authentication) — Vulnerability Class (1199 CVEs)

1199 vulnerabilities classified as CWE-287 (Improper Authentication). AI analysis in Chinese included.

CWE-287 is a critical authentication weakness: the system does not adequately verify that an actor is who it claims to be. Weak or missing verification lets an attacker bypass security controls, whether through stolen credentials, brute-force guessing, or session hijacking. When the authentication logic is flawed, an attacker can impersonate a legitimate user, which leads to data breaches and privilege escalation. Mitigation means identity verification that is rigorous and resists common attack vectors: robust, multi-factor authentication protocols, credentials strictly validated against securely hashed stores, and adaptive security measures. Together these controls substantially reduce the likelihood of unauthorized access and protect sensitive information and system integrity against sophisticated threats.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can expose resources or functionality to unintended actors, possibly giving attackers sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Example 1 (Bad, Perl):

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name => 'user',
                -value => $q->param('username')
            );
        }
    }
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Attack:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
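As an added illustration (not part of the CWE entry or MITRE's example), the same flawed check rewritten in Python beside a hardened version that takes the identity only from a verified HMAC-signed session cookie or a fresh successful login; the key, salt, user table and function names are constructed for this example:

```python
import hashlib
import hmac

# Constructed example data, hard-coded only so the file runs offline:
# a server-side HMAC key and a user table of salted SHA-256 password hashes.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
SALT = b"constructed-salt"
USERS = {
    "Administrator": hashlib.sha256(SALT + b"admin-password").hexdigest(),
    "alice": hashlib.sha256(SALT + b"alice-password").hexdigest(),
}

def authenticate_user(username, password):
    """Stand-in for the Perl AuthenticateUser(): True only for correct credentials."""
    actual = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, USERS.get(username, ""))

def vulnerable_is_admin(cookies, params):
    """Same logic as the Perl snippet: loggedin/user cookies are trusted as sent."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return False  # ExitError() in the original
        cookies = {"loggedin": "true", "user": params["username"]}
    # The decision rests on a value the client chose, so a forged cookie wins.
    return cookies.get("user") == "Administrator"

def sign_session(username):
    """Issue a session cookie whose user field is bound by an HMAC the client cannot forge."""
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"

def verify_session(cookie):
    """Return the username if the cookie's HMAC verifies, otherwise None."""
    username, sep, tag = (cookie or "").rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None

def hardened_is_admin(cookies, params):
    """Identity comes only from a verified session or a fresh successful login."""
    user = verify_session(cookies.get("session"))
    if user is None:
        user = params.get("username", "")
        if not authenticate_user(user, params.get("password", "")):
            return False
        # A real handler would now send Set-Cookie: session=sign_session(user)
    return user == "Administrator"
```

The forged request shown above (user=Administrator, loggedin=true, no credentials) is accepted by the first function and rejected by the second, because the hardened check never reads a bare user cookie.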
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-0558 | Unauthenticated File Upload in parisneo/lollms | parisneo/lollms | 9.8 | - | 2026-03-29 |
| CVE-2026-34389 | Fleet's user account creation via invite does not enforce invited email address | fleet | 8.8 | - | 2026-03-27 |
| CVE-2026-27856 | Open-Xchange OX Dovecot Pro security vulnerability | OX Dovecot Pro | 7.4 | High | 2026-03-27 |
| CVE-2026-33898 | Local Incus UI web server vulnerable to authentication bypass | incus | 8.8 | High | 2026-03-26 |
| CVE-2026-4831 | kalcaddle kodbox Password-protected Share auth.class.php can improper authentication | kodbox | 3.7 | Low | 2026-03-26 |
| CVE-2026-33248 | NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching | nats-server | 4.2 | Medium | 2026-03-25 |
| CVE-2026-33246 | NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers | nats-server | 6.4 | Medium | 2026-03-25 |
| CVE-2026-33665 | n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover | n8n | 8.5 | - | 2026-03-25 |
| CVE-2026-33215 | NATS is vulnerable to MQTT hijacking via Client ID | nats-server | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33322 | MinIO: JWT Algorithm Confusion in OIDC Authentication | minio | 7.5 | - | 2026-03-24 |
| CVE-2026-33314 | pyload-ng: Improper Authentication and Origin Validation Error | pyload | 6.5 | Medium | 2026-03-24 |
| CVE-2026-33409 | Parse Server: Auth provider validation bypass on login via partial authData | parse-server | 8.1 | - | 2026-03-24 |
| CVE-2026-33473 | Vikunja has TOTP Reuse During Validity Window | vikunja | 5.7 | Medium | 2026-03-24 |
| CVE-2026-4021 | Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 8.1 | High | 2026-03-23 |
| CVE-2026-32879 | New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure | new-api | 4.9 | Medium | 2026-03-23 |
| CVE-2026-33716 | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php | AVideo | 9.4 | Critical | 2026-03-23 |
| CVE-2026-33512 | AVideo has an unauthenticated decrypt oracle leaking any ciphertext | AVideo | 7.5 | High | 2026-03-23 |
| CVE-2026-4592 | kalcaddle kodbox Password Login index.class.php tfaVerify improper authentication | kodbox | 5.6 | Medium | 2026-03-23 |
| CVE-2026-32305 | Traefik mTLS bypass via fragmented ClientHello SNI extraction failure | traefik | 7.5 | - | 2026-03-20 |
| CVE-2026-33124 | Frigate has insecure password change functionality | frigate | 6.5 | - | 2026-03-20 |
| CVE-2026-32815 | SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure | siyuan | 9.1 | - | 2026-03-19 |
| CVE-2026-30836 | Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) | certificates | 10.0 | Critical | 2026-03-19 |
| CVE-2025-14716 | Unauthorized access to information | GateManager | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32730 | ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware | apostrophe | 8.1 | High | 2026-03-18 |
| CVE-2026-33042 | Parse Server affected by empty authData bypassing credential requirement on signup | parse-server | 7.5 | - | 2026-03-18 |
| CVE-2026-2991 | KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token | KiviCare – Clinic & Patient Management System (EHR) | 7.3 | High | 2026-03-18 |
| CVE-2026-25937 | GLPI has a MFA bypass | glpi | 6.5 | Medium | 2026-03-17 |
| CVE-2026-4349 | Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication | IdentityServer4 | 5.6 | Medium | 2026-03-17 |
| CVE-2026-32246 | Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint | tinyauth | 8.5 | High | 2026-03-12 |
| CVE-2026-32136 | AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass | AdGuardHome | 9.8 | Critical | 2026-03-11 |

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1199 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.