CWE-289 (Authentication Bypass by Alternate Name) — Vulnerability Class 21

21 vulnerabilities classified as CWE-289 (Authentication Bypass by Alternate Name). AI-generated Chinese analysis included.

CWE-289 is an authentication bypass weakness in which a system grants or denies access based on a single identifier without considering the other names that refer to the same resource or actor. Attackers exploit this by presenting an alternate alias, such as a symbolic link, an IP address, a domain variation, or an encoded or differently-cased spelling of a path, that the check does not recognize but the underlying system resolves to the protected target. The identifier presented is valid, but it was never validated. The defense is identity resolution: map every name a resource or user can have onto one canonical identity, perform the authentication check on that canonical form, and reject name variations that cannot be resolved. Removing this ambiguity removes the gap between what the check sees and what the system actually accesses.

MITRE CWE Description
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (3)
Architecture and Design: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
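The "decode once, canonicalize, then validate" mitigation above, as an added example that is not code from MITRE or from any project listed on this page: a naive prefix check on the raw request path beside a hardened check that decodes exactly once, resolves dot-segments and applies an accept-known-good filter to the canonical form. The protected prefix `/api/channels/admin`, the function names and the sample request paths are constructed assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed protected resource (hypothetical, not from the CWE text).
PROTECTED_PREFIX = "/api/channels/admin"
# Accept-known-good: only these characters may remain after canonicalization,
# so a leftover '%' (double encoding) or a control character fails validation.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9/_.-]*$")


def naive_is_protected(raw_path: str) -> bool:
    """Weak check: decides on the literal name as received (CWE-289)."""
    return raw_path.startswith(PROTECTED_PREFIX)


def canonicalize(raw_path: str) -> Optional[str]:
    """Decode exactly once (CWE-174), normalize, then validate (CWE-180).

    Returns the canonical path, or None when the canonical form is not
    'known good' and must be rejected rather than guessed at.
    """
    decoded = unquote(raw_path)                  # single percent-decode
    normalized = posixpath.normpath(decoded)     # resolves '.', '..', '//'
    normalized = "/" + normalized.lstrip("/")    # normpath keeps a leading '//'
    if not SAFE_PATH.match(normalized):
        return None
    return normalized


def hardened_is_protected(raw_path: str) -> bool:
    """Apply the prefix check to the canonical name; fail closed on rejects."""
    canonical = canonicalize(raw_path)
    if canonical is None:
        return True   # unresolvable name: treat as protected, never as public
    return canonical == PROTECTED_PREFIX or canonical.startswith(PROTECTED_PREFIX + "/")


# Constructed request paths that all name the same protected resource.
ALIASES = [
    "/api/channels/admin",                 # primary name
    "/api/channels/%61dmin",               # percent-encoded 'a'
    "/api/channels/public/../admin",       # dot-segment traversal
    "/api/channels/public/%2e%2e/admin",   # percent-encoded dot-segments
    "/api//channels/admin",                # doubled slash
]

if __name__ == "__main__":
    for p in ALIASES:
        print(f"{p:40} naive={naive_is_protected(p)!s:5} hardened={hardened_is_protected(p)}")
```

Only the first alias passes the naive check; the hardened check recognizes all five, and a double-encoded path such as `/api/channels/public/%252e%252e/admin` is rejected outright instead of being decoded a second time.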
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-3184 | Util-linux: util-linux: access control bypass due to improper hostname canonicalization | Red Hat Hardened Images | 3.7 | Low | 2026-04-03
CVE-2026-32036 | OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels | OpenClaw | 6.5 | Medium | 2026-03-19
CVE-2026-23903 | Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems | Apache Shiro | 7.5 | - | 2026-02-09
CVE-2026-24058 | Soft Serve has Critical Authentication Bypass | soft-serve | 8.1 | High | 2026-01-22
CVE-2025-14777 | Keycloak: keycloak idor in realm client creating/deleting | Red Hat build of Keycloak 26.4 | 6.0 | Medium | 2025-12-16
CVE-2025-13613 | Elated Membership <= 1.2 - Authentication Bypass via Social Login | Elated Membership | 9.8 | Critical | 2025-12-10
CVE-2025-64521 | authentik deactivated service accounts can authenticate to OAuth | authentik | 4.8 | Medium | 2025-11-19
CVE-2025-64343 | (conda) Constructor: Excessive permissions during and after installation | constructor | 7.8 | High | 2025-11-07
CVE-2025-8415 | Cryostat: authentication bypass if network policies are disabled | Cryostat | 5.9 | Medium | 2025-08-20
CVE-2025-29266 | Unraid security vulnerability | Unraid | 9.6 | Critical | 2025-03-31
CVE-2024-11283 | WP JobHunt <= 7.1 - Authentication Bypass to Candidate | WP JobHunt | 7.5 | High | 2025-03-14
CVE-2024-56511 | DataEase has an unauthorized vulnerability | dataease | 9.1 | - | 2025-01-10
CVE-2024-2098 | Download Manager <= 3.2.89 - Improper Authorization via protectMediaLibrary | Download Manager | 7.5 | High | 2024-06-13
CVE-2023-51663 | Hail authentication can be bypassed by changing email address | hail | 5.3 | Medium | 2023-12-29
CVE-2023-41890 | Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation | Saml2 | 7.5 | High | 2023-09-19
CVE-2023-3263 | Dataprobe authorization issue vulnerability | iBoot PDU | 7.5 | High | 2023-08-14
CVE-2023-38487 | HedgeDoc API allows to hide existing notes | hedgedoc | 6.5 | Medium | 2023-08-04
CVE-2023-20046 | Cisco StarOS security vulnerability | Cisco ASR 5000 Series Software | 8.8 | High | 2023-05-09
CVE-2023-1803 | Authentication Bypass in Redline Router | Redline Router | 9.8 | Critical | 2023-04-14
CVE-2021-34746 | Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability | Cisco Enterprise NFV Infrastructure Software | 9.8 | Critical | 2021-09-02
CVE-2017-16590 | Netgain Enterprise Manager security vulnerability | NetGain Systems Enterprise Manager | 8.8 | - | 2018-01-23

Vulnerabilities classified as CWE-289 (Authentication Bypass by Alternate Name) account for 21 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.