
CWE-287 (Improper Authentication) — Vulnerability Class (1199 CVEs)

1199 vulnerabilities are classified as CWE-287 (Improper Authentication). AI-generated Chinese-language analysis is included for each entry.

CWE-287 covers an authentication weakness in which a system accepts an actor's claimed identity without adequately proving it. The flaw lets an attacker bypass access controls by exploiting weak or missing verification: accepting an identity the client asserts itself (a cookie or request header the client can set), allowing unlimited password guessing, or trusting tokens whose signature, audience, or expiry is never checked. Once the authentication logic is bypassed, the attacker impersonates a legitimate user, reads that user's data, and inherits that user's privileges, up to and including administrative ones. Mitigations include building on a vetted authentication framework rather than hand-rolled logic, verifying credentials against salted password hashes with a constant-time comparison, keeping identity and role state on the server (bound to an unguessable session token) rather than in client-controlled values, throttling or locking out repeated failed attempts, and requiring a second factor for sensitive accounts. The CVE list below shows what each of these failures looks like in shipped software.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
Note: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie. Both cookies are client-controlled, so the check on the last line can be satisfied without ever calling AuthenticateUser.

use CGI;

my $q = new CGI;

# Trusts a client-supplied cookie as proof of a prior login.
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie(
            -name => 'loggedin',
            -value => 'true'
        );
        $q->cookie(
            -name => 'user',
            -value => $q->param('username')
        );
    }
}

# Trusts a client-supplied cookie as proof of the caller's identity and role.
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}

Bad · Perl

The attacker skips the login path entirely by presenting both cookies:

GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]

Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
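The Perl example and the Twitter incident above illustrate two distinct CWE-287 failures: trusting client-supplied cookies as proof of identity and role, and letting an attacker guess passwords without limit. The following Python is an added example written for this page (it is not code from the CWE entry, MITRE, or Twitter) that puts the vulnerable cookie check beside a hardened version. Identity comes from a server-side session table keyed by a random token, the admin decision uses the role stored with the account, passwords are verified against salted hashes with a constant-time comparison, and repeated failures lock the account. The user table, passwords, lockout threshold, and session TTL are constructed for the example, and PBKDF2 stands in for a maintained password KDF such as Argon2.

```python
"""Vulnerable cookie-based identity check beside a server-side session design (CWE-287)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed policy values for this example (not taken from the CWE entry).
PBKDF2_ITERATIONS = 100_000
SESSION_TTL_SECONDS = 3600
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a real deployment would use Argon2 or scrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed user table. The role is an attribute of the account on the server;
# it is never read from anything the client sends.
USERS = {
    "Administrator": _make_user("correct horse battery staple", "admin"),
    "alice": _make_user("alice-password-1", "user"),
}
_DUMMY = _make_user("dummy", "user")  # hashed for unknown usernames so timing does not reveal them

SESSIONS: dict = {}  # token -> {"user": str, "expires": float}
FAILED: dict = {}    # username -> {"count": int, "locked_until": float}


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Verify the password and return a fresh random session token, or None on
    bad credentials or while the account is locked out after repeated failures."""
    now = time.time() if now is None else now
    state = FAILED.setdefault(username, {"count": 0, "locked_until": 0.0})
    if now < state["locked_until"]:
        return None  # locked: the password is not even evaluated
    record = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    if not ok or username not in USERS:
        state["count"] += 1
        if state["count"] >= MAX_FAILED_ATTEMPTS:
            state["locked_until"] = now + LOCKOUT_SECONDS
            state["count"] = 0
        return None
    FAILED.pop(username, None)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable, not derived from identity
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def current_user(cookies: dict, now: Optional[float] = None) -> Optional[dict]:
    """Resolve identity from the server-side session table only. A 'user' or
    'loggedin' cookie sent by the client is ignored entirely."""
    now = time.time() if now is None else now
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None or now >= session["expires"]:
        return None
    return {"username": session["user"], "role": USERS[session["user"]]["role"]}


def vulnerable_is_admin(cookies: dict) -> bool:
    """The pattern from the Perl example: identity and role come from client cookies."""
    return cookies.get("loggedin") == "true" and cookies.get("user") == "Administrator"


def hardened_is_admin(cookies: dict, now: Optional[float] = None) -> bool:
    """Admin decision driven by the account record behind a valid session."""
    user = current_user(cookies, now)
    return user is not None and user["role"] == "admin"


if __name__ == "__main__":
    forged = {"loggedin": "true", "user": "Administrator"}  # the cookies from the Attack block
    print("vulnerable check grants admin:", vulnerable_is_admin(forged))
    print("hardened check grants admin:  ", hardened_is_admin(forged))
    token = login("Administrator", "correct horse battery staple")
    print("hardened check with real session:", hardened_is_admin({"session": token}))
```

Running the block shows the forged cookies from the Attack request succeeding against vulnerable_is_admin and failing against hardened_is_admin, which only honours a token that login issued. The lockout in login is what the 2009 Twitter server lacked; note that it refuses even the correct password while the lock is active, and that unknown usernames still pay the hash cost so the response time does not enumerate accounts.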
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a CVSS score or severity that the site labels as AI-assigned rather than taken from the CVE record.
CVE-2026-30967 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing | parse-server | 9.8 (AI) | Critical (AI) | 2026-03-10
CVE-2026-30949 | Parse Server is missing audience validation in Keycloak authentication adapter | parse-server | 9.1 (AI) | Critical (AI) | 2026-03-10
CVE-2026-29792 | Feathersjs has an OAuth Callback Account Takeover | feathers | 8.2 (AI) | High (AI) | 2026-03-10
CVE-2026-26141 | Hybrid Worker Extension (Arc-enabled Windows VMs) Elevation of Privilege Vulnerability | Azure Automation Hybrid Worker Windows Extension | 7.8 | High | 2026-03-10
CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-03-10
CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-03-10
CVE-2026-0953 | Tutor LMS Pro <= 3.9.5 - Authentication Bypass via Social Login | Tutor LMS Pro | 9.8 | Critical | 2026-03-10
CVE-2025-68402 | FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch] | FreshRSS | 5.3 (AI) | Medium (AI) | 2026-03-09
CVE-2026-3794 | doramart DoraCMS Email API send improper authentication | DoraCMS | 7.3 | High | 2026-03-09
CVE-2026-3739 | suitenumerique messages ThreadAccess serializers.py ThreadAccessSerializer improper authentication | messages | 6.3 | Medium | 2026-03-08
CVE-2026-30851 | Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation | caddy | 8.1 | High | 2026-03-07
CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | parse-server | 9.8 | - | 2026-03-07
CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | zitadel | 8.2 | High | 2026-03-07
CVE-2026-30223 | OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes | OliveTin | 8.8 | High | 2026-03-06
CVE-2026-30831 | Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer | Rocket.Chat | 9.8 | - | 2026-03-06
CVE-2026-28514 | Rocket.Chat: Users can login with any password via the EE ddp-streamer-service | Rocket.Chat | 9.8 | - | 2026-03-06
CVE-2026-28428 | Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions | Talishar | 5.3 | Medium | 2026-03-06
CVE-2026-28787 | OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay | oneuptime | 8.2 | High | 2026-03-06
CVE-2026-29093 | WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memcached port | AVideo | 8.1 | High | 2026-03-06
CVE-2026-28471 | OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver localpart Matching in Matrix Plugin | OpenClaw | 5.3 | Medium | 2026-03-05
CVE-2026-24898 | OpenEMR has an Unauthenticated MedEx Token Disclosure | openemr | 10.0 | Critical | 2026-03-03
CVE-2026-3224 | Devolutions Server security vulnerability | Server | 9.8 (AI) | Critical (AI) | 2026-03-03
CVE-2026-27939 | Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass | cms | 8.8 | High | 2026-02-27
CVE-2026-1305 | Japanized for WooCommerce <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation | Japanized for WooCommerce | 5.3 | Medium | 2026-02-27
CVE-2026-26077 | Discourse doesn't ensure webhooks require a token | discourse | 6.5 | Medium | 2026-02-26
CVE-2026-27968 | Packistry accepts expired access tokens | packistry | 4.3 | Medium | 2026-02-26
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | Cisco Catalyst SD-WAN Manager | 10.0 | Critical | 2026-02-25
CVE-2026-20129 | Cisco Catalyst SD-WAN Authentication Bypass Vulnerability | Cisco Catalyst SD-WAN Manager | 9.8 | Critical | 2026-02-25
CVE-2026-3192 | Chia Blockchain RPC Credential rpc_server_base.py _authenticate improper authentication | Blockchain | 5.6 | Medium | 2026-02-25
CVE-2026-24241 | NVIDIA Delegated Licensing Service authorization issue vulnerability | DLS component of NVIDIA License System | 4.3 | Medium | 2026-02-24

1199 CVEs are classified as CWE-287 (Improper Authentication). The CWE taxonomy describes the weakness class; review each CVE for the product-specific impact.