Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-305 (使用基本弱点进行的认证绕过) — Vulnerability Class 117

117 vulnerabilities classified as CWE-305 (使用基本弱点进行的认证绕过). AI Chinese analysis included.

CWE-305 represents a critical authentication bypass vulnerability where the core cryptographic algorithm remains robust, yet the implementation allows attackers to circumvent security controls through a distinct, primary flaw. This weakness typically manifests when developers rely on flawed logic, such as trusting client-side validation or improperly handling session tokens, rather than strengthening the underlying cipher. Attackers exploit these implementation gaps by manipulating request parameters, bypassing access checks, or exploiting race conditions to gain unauthorized access without breaking the encryption itself. To prevent this, developers must ensure that authentication mechanisms are strictly server-side enforced, avoiding any trust in client-supplied data. Comprehensive input validation, rigorous session management, and regular security audits are essential to identify and remediate these secondary weaknesses, ensuring that the authentication process remains resilient against evasion techniques that target implementation errors rather than algorithmic strength.

MITRE CWE Description
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Common Consequences (1)
Access ControlBypass Protection Mechanism
CVE IDTitleCVSSSeverityPublished
CVE-2026-6266 Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking — Red Hat Ansible Automation Platform 2.5 for RHEL 8 8.3 High2026-05-04
CVE-2026-4670 Improper Authentication vulnerability in Progress MOVEit Automation — MOVEit Automation 9.8 Critical2026-04-30
CVE-2026-33472 Cryptomator Hub OAuth token exchange HTTP downgrade via getAuthority() scheme confusion (CVE-2026-32303 bypass) — cryptomator 4.8 Medium2026-04-16
CVE-2026-20152 Cisco Secure Web Appliance Authentication Service Traffic Bypass Vulnerability — Cisco Secure Web Appliance 5.3 Medium2026-04-15
CVE-2026-33892 Siemens Industrial Edge Management 安全漏洞 — Industrial Edge Management Pro V1 7.1 High2026-04-14
CVE-2026-40039 Pachno 1.0.6 Open Redirection via return_to Parameter — Pachno 6.5 Medium2026-04-13
CVE-2026-30849 MantisBT SOAP API has an authentication bypass vulnerability on MySQL — mantisbt 9.8 -2026-03-23
CVE-2025-31703 Dahua NVR和Dahua XVR 安全漏洞 — NVR2-4KS3 6.8 -2026-03-18
CVE-2026-3047 Org.keycloak.broker.saml: keycloak saml broker: authentication bypass due to disabled saml client completing idp-initiated login — Red Hat build of Keycloak 26.2 8.8 High2026-03-05
CVE-2026-28536 Huawei HarmonyOS 安全漏洞 — HarmonyOS 9.6 Critical2026-03-05
CVE-2026-1713 IBM MQ is affected by an authority vulnerablility — MQ 6.8AIMediumAI2026-03-03
CVE-2026-0869 Application User custom defined accounts are not properly password protected in Brocade ASCG 3.4.0 — ASCG 8.1AIHighAI2026-03-03
CVE-2026-22153 Fortinet FortiOS 安全漏洞 — FortiOS 7.5 High2026-02-10
CVE-2025-58382 Privilege escalation in Brocade Fabric before 9.2.1c2 and 9.2.2 through 9.2.2a — Fabric OS 7.2AIHighAI2026-02-03
CVE-2025-4320 Information Disclosure in Birebirsoft's Sufirmam — Sufirmam 10.0 Critical2026-01-23
CVE-2025-68609 Authentication bypass in Aries due to misconfiguration — com.palantir.aries:aries 6.6 Medium2026-01-22
CVE-2026-1290 [PI141230] Fixed A broken access control issue. — Jamf Pro 9.8AICriticalAI2026-01-21
CVE-2025-13915 Authentication bypass in IBM API Connect — API Connect 9.8 Critical2025-12-26
CVE-2024-49587 Glutton V1 endpoints missing authentication — com.palantir.gotham:glutton 9.1 Critical2025-12-19
CVE-2025-68435 Zerobyte has Authentication Bypass by Primary Weakness — zerobyte 9.1 Critical2025-12-17
CVE-2025-41733 Possible malfunction credential injection — Energy-Controlling EWIO2-M 9.8 Critical2025-11-18
CVE-2025-47776 MantisBT: Authentication bypass for some passwords due to PHP type juggling — mantisbt 9.8AICriticalAI2025-11-04
CVE-2025-36386 There is a vulnerability in the IBM Maximo Manage application in IBM Maximo Application Suite for Cognos Analytics — IBM Maximo Application Suite 9.8 Critical2025-10-28
CVE-2025-62772 Mercku M6a 安全漏洞 — M6a 3.1 Low2025-10-22
CVE-2025-59980 Junos OS: When a user with the name ftp or anonymous is configured unauthenticated filesystem access is allowed — Junos OS 6.5 Medium2025-10-09
CVE-2025-59941 go-f3 is Vulnerable to Cached Justification Verification Bypass — go-f3 5.9 Medium2025-09-29
CVE-2025-54622 Huawei HarmonyOS 安全漏洞 — HarmonyOS 8.3 High2025-08-06
CVE-2025-53534 RatPanel can perform remote command execution without authorization — panel 9.8AICriticalAI2025-08-05
CVE-2025-31965 HCL BigFix Remote Control is affected by an authorization bypass vulnerability — BigFix Remote Control 8.2 High2025-07-29
CVE-2025-53826 FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout — filebrowser 9.8AICriticalAI2025-07-15

Vulnerabilities classified as CWE-305 (使用基本弱点进行的认证绕过) represent 117 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.