
CWE-290 (Authentication Bypass by Spoofing) — Vulnerability Class (244 CVEs)

244 vulnerabilities classified as CWE-290 (Authentication Bypass by Spoofing). AI Chinese analysis included.

CWE-290 is an authentication weakness in which a system accepts an identity claim without verifying its origin, so an attacker can bypass access controls by spoofing that claim. It typically arises when the authentication decision rests on data the requester itself can forge, such as a source IP address or an HTTP header, with no stronger verification behind it. An attacker supplies a forged value that matches a trusted or legitimate identity and thereby reaches sensitive resources or administrative functions without ever authenticating. To mitigate this risk, developers must implement multi-factor authentication and base identity verification on cryptographically secure tokens rather than on spoofable network identifiers. Rigorous input validation and strict adherence to established authentication protocols such as OAuth or OpenID Connect further prevent attackers from impersonating valid entities, ensuring that only genuinely authenticated users can access protected systems.

MITRE CWE Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
Examples (2)
The following code authenticates users.

```java
// Authentication decision keyed entirely on the reported source address
String sourceIP = request.getRemoteAddr();
if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {
    authenticated = true;
}
```

Bad · Java
Both of these examples check if a request is from a trusted address before responding to the request.

```c
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#define MAX_MSG 1024
const char *getTrustedAddress(void);   /* returns the allowed peer address as dotted text */

void serve(void)
{
    int sd, n;
    socklen_t clilen;
    char msg[MAX_MSG];
    struct sockaddr_in serv, cli;

    sd = socket(AF_INET, SOCK_DGRAM, 0);
    serv.sin_family = AF_INET;
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(1008);
    bind(sd, (struct sockaddr *) &serv, sizeof(serv));
    while (1) {
        memset(msg, 0x0, MAX_MSG);
        clilen = sizeof(cli);
        n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
        /* Trust rests on the UDP source address alone, which the sender controls */
        if (n > 0 && strcmp(inet_ntoa(cli.sin_addr), getTrustedAddress()) == 0) {
            /* msg is processed as if it came from the trusted peer */
        }
    }
}
```

Bad · C
```java
while (true) {
    DatagramPacket rp = new DatagramPacket(rData, rData.length);
    outSock.receive(rp);
    String in = new String(rp.getData(), 0, rp.getLength());
    InetAddress clientIPAddress = rp.getAddress();
    int port = rp.getPort();
    // Trust is granted on the packet's source address plus a static secret sent in the clear
    if (isTrustedAddress(clientIPAddress) && secretKey.equals(in)) {
        out = secret.getBytes();
        DatagramPacket sp = new DatagramPacket(out, out.length, clientIPAddress, port);
        outSock.send(sp);
    }
}
```

Bad · Java
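The MITRE examples above key trust on a network identifier the requester controls; the CVE list below shows the same pattern in HTTP form, where an allowlist is checked against a client-supplied X-Forwarded-For header. The following Python module is an added example, not code from the MITRE entry or from any project listed on this page; the request object, proxy ranges, allowlist and signing key are all constructed for illustration. It places the spoofable check beside two hardened alternatives from the description: resolving the client address only through operator-controlled reverse proxies, and binding trust to an HMAC-backed token rather than to an address.

```python
"""Added example: spoofable IP allowlist vs. hardened address resolution and token checks.
All names and sample values are constructed; nothing here is from a real project."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    """Minimal stand-in for a web framework request (constructed for the example)."""
    peer_ip: str                     # address of the TCP peer that actually connected
    headers: dict = field(default_factory=dict)


ADMIN_ALLOWLIST = {"10.0.0.5"}                            # constructed sample value
TRUSTED_PROXIES = {ipaddress.ip_network("10.1.0.0/24")}   # our own reverse proxies (constructed)


def client_ip_vulnerable(req: Request) -> str:
    """Bad: believes whatever the client placed in X-Forwarded-For (CWE-290)."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.peer_ip


def _is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_hardened(req: Request) -> str:
    """Honour X-Forwarded-For only for hops appended by our own proxies.

    The chain is walked from the TCP peer backwards; the first hop that is not
    one of our proxies is the real client. Entries the client forged sit to the
    left of that point and are never reached."""
    chain = [req.peer_ip]
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        chain = [h.strip() for h in xff.split(",") if h.strip()] + chain
    for hop in reversed(chain):
        if not _is_trusted_proxy(hop):
            return hop
    return req.peer_ip   # every hop was a proxy; fall back to the direct peer


def is_admin_by_ip(req: Request, resolver: Callable[[Request], str]) -> bool:
    """Allowlist check parameterised on the address resolver, so both can be compared."""
    return resolver(req) in ADMIN_ALLOWLIST


# Hardened alternative from the description: trust a cryptographic token, not an address.
SESSION_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; a real key comes from a KMS


def issue_token(user: str) -> str:
    """Server-side issuance: user id bound to an HMAC-SHA256 tag under SESSION_KEY."""
    tag = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def verify_token(token: str) -> Optional[str]:
    """Returns the user id only if the tag verifies; a forged identifier cannot pass."""
    user, _, tag = token.rpartition(":")
    if not user:
        return None
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # Constructed request: an outside peer claiming the allowlisted address in the header.
    spoofed = Request(peer_ip="203.0.113.7", headers={"X-Forwarded-For": "10.0.0.5"})
    print("vulnerable grants admin:", is_admin_by_ip(spoofed, client_ip_vulnerable))
    print("hardened grants admin:  ", is_admin_by_ip(spoofed, client_ip_hardened))
    print("token user:", verify_token(issue_token("alice")))
```

The hardened resolver makes the trust boundary explicit: only addresses appended by a proxy the operator runs are believed, so a forged header from an outside peer is ignored, and a forged entry sent through a real proxy is discarded because the proxy's own appended hop is reached first. The token functions show the stronger option the description recommends, where the identity claim is bound to a secret the client does not hold.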
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-48840 | Fortinet FortiWeb Security Vulnerability | FortiWeb | 5.0 | Medium | 2026-03-10 |
| CVE-2026-28480 | OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization | OpenClaw | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28465 | OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers | voice-call | 5.9 | Medium | 2026-03-05 |
| CVE-2024-1524 | A local user can be impersonated when using federated authentication with Silent JIT Provisioning. | WSO2 API Manager | 7.7 | High | 2026-02-24 |
| CVE-2025-69401 | WordPress WooODT Lite plugin <= 2.5.2 - Payment Bypass Vulnerability | WooODT Lite | 7.5 | High | 2026-02-20 |
| CVE-2026-24853 | Caido has an insufficient patch for DNS rebind leading to RCE | caido | 8.1 | High | 2026-02-13 |
| CVE-2026-25938 | FUXA Unauthenticated Remote Code Execution in Node-RED Integration | FUXA | 9.8 (AI) | Critical (AI) | 2026-02-09 |
| CVE-2026-21862 | RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers | rustfs | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2020-37056 | Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass | http-protection | 9.8 | Critical | 2026-01-30 |
| CVE-2026-0834 | Logic Vulnerability on TP-Link Archer C20, Archer AX53 and TL-WR841N v13 | Archer C20 v6.0, Archer AX53 v1.0 | 8.8 (AI) | High (AI) | 2026-01-21 |
| CVE-2026-22797 | OpenStack keystonemiddleware Security Vulnerability | keystonemiddleware | 9.9 | Critical | 2026-01-19 |
| CVE-2025-13455 | Security Vulnerability in Multiple Lenovo Products | ThinkPlus FU100 | 7.8 | High | 2026-01-14 |
| CVE-2025-11250 | Authentication Bypass | ManageEngine ADSelfService Plus | 9.1 | Critical | 2026-01-13 |
| CVE-2025-62235 | Apache Mynewt NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing | Apache Mynewt NimBLE | 7.5 | - | 2026-01-10 |
| CVE-2025-69258 | Trend Micro Apex Central Security Vulnerability | Trend Micro Apex Central | 9.8 | Critical | 2026-01-08 |
| CVE-2026-21894 | n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks | n8n | 6.5 | Medium | 2026-01-08 |
| CVE-2025-69203 | Signal K Server Vulnerable to Access Request Spoofing | signalk-server | 6.3 | Medium | 2026-01-01 |
| CVE-2025-68644 | Yealink RPS Security Vulnerability | RPS | 7.4 | High | 2025-12-21 |
| CVE-2025-59385 | QTS, QuTS hero | QTS | 9.1 (AI) | Critical (AI) | 2025-12-16 |
| CVE-2025-36754 | Authentication bypass on web interface | ShineLan-X | 7.4 (AI) | High (AI) | 2025-12-13 |
| CVE-2025-36753 | SWD Interface Open on Growatt ShineLan-X | ShineLan-X | 9.1 (AI) | Critical (AI) | 2025-12-13 |
| CVE-2024-8273 | HYPR Server Security Vulnerability | Server | 7.5 (AI) | High (AI) | 2025-12-11 |
| CVE-2025-13953 | Bypass in the authentication method of the GTT Sistema de Información Tributario application | Sistema de Información Tributario | 7.8 (AI) | High (AI) | 2025-12-10 |
| CVE-2025-66508 | 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers | 1Panel | 6.5 | Medium | 2025-12-09 |
| CVE-2025-66570 | cpp-httplib Untrusted HTTP Header Handling: Internal Header Shadowing (REMOTE*/LOCAL*) | cpp-httplib | 10.0 | Critical | 2025-12-05 |
| CVE-2025-27389 | Application Installation Source Verification Flaw May Lead to Risk Detection Bypass | ColorOS | 8.1 | - | 2025-12-05 |
| CVE-2025-66270 | KDE Connect Security Vulnerability | KDE Connect protocol | 4.7 | Medium | 2025-12-05 |
| CVE-2025-12653 | Authentication Bypass by Spoofing in GitLab | GitLab | 6.5 | Medium | 2025-11-26 |
| CVE-2025-12414 | Looker account compromise via punycode homograph attack | Looker | 7.4 | - | 2025-11-20 |
| CVE-2025-58595 | WordPress All In One Login plugin <= 2.0.8 - Bypass Vulnerability | All In One Login | 5.3 | Medium | 2025-11-06 |

Entries marked (AI) carry the source's "AI" badge on the score and severity cells.

Vulnerabilities classified as CWE-290 (Authentication Bypass by Spoofing) represent 244 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.