
CWE-306 (Missing Authentication for Critical Function) — Vulnerability Class 1119

1119 vulnerabilities classified as CWE-306 (Missing Authentication for Critical Function). AI-generated Chinese analysis included.

CWE-306 is a design-level authentication weakness: the software exposes functionality that requires a proven user identity, or that consumes substantial resources, without first verifying who the caller is. Exploitation is usually trivial. The attacker calls the administrative endpoint, CGI script, RTSP stream, WebSocket handler or API route directly, with no credentials, because nothing in that request path asks for any. The impact is whatever the exposed function can do; the entries below range from disclosing video streams and configuration backups to changing passwords, factory-resetting devices and running privileged code. Mitigation is an architectural choice rather than a per-handler fix: route every request through one centralized authentication step that fails closed, treat every endpoint as authenticated unless it is explicitly marked public, validate the session or token on every request rather than once at login, and apply least privilege so that a verified identity still reaches only the functions it needs. Secondary channels (WebSocket, RTSP, CGI, scheduler hooks, backup and reset endpoints) deserve the same audit as the primary web UI, since they are often the unprotected path.

MITRE CWE Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Common Consequences (1)
Scope: Access Control, Other. Impact: Gain Privileges or Assume Identity; Varies by Context.
Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, accessing administrative or other privileged functionality, or p…
Mitigations (5)
- Architecture and Design: Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be access…
- Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Architecture and Design: Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication…
- Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
- Implementation, System Configuration, Operation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
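The introduction above argues for a single fail-closed authentication step, and the first mitigation asks for a centralized authentication capability that covers every channel. The following added example (not MITRE's code, and not code from any product in the CVE list) shows the two dispatcher shapes side by side: an opt-in router where each handler must remember to check, and a deny-by-default router where the check runs once in dispatch() for every route not explicitly registered as anonymous. It also includes the audit a tester would run, which requests every registered route with no session and reports any non-public route that still answers 200. Router, SessionStore, the X-Session header, the /login, /admin/reboot and /config/backup routes and the sample credential are all hypothetical names constructed for the example.

```python
"""Deny-by-default authentication in the dispatcher, plus an audit that walks
every route looking for one reachable without a session. Added example, not
MITRE's code nor any listed vendor's; Router, SessionStore, the X-Session
header and the route paths are hypothetical names chosen for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)

class SessionStore:
    """Server-side session table; the client holds only an opaque token."""
    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[token] = username
        return token

    def lookup(self, token: Optional[str]) -> Optional[str]:
        return self._sessions.get(token) if token else None

class LegacyRouter:
    """Opt-in model: dispatch() never authenticates, so each handler must.
    This is the shape behind most CWE-306 findings: one handler forgets."""
    def __init__(self, sessions: SessionStore) -> None:
        self.sessions = sessions
        self.routes: Dict[str, Tuple[Callable, bool]] = {}

    def route(self, path: str, anonymous: bool = False):
        def register(handler):
            self.routes[path] = (handler, anonymous)
            return handler
        return register

    def dispatch(self, req: Request) -> Tuple[int, str]:
        entry = self.routes.get(req.path)
        if entry is None:
            return 404, "not found"
        handler, _ = entry
        return handler(req, self.sessions.lookup(req.headers.get("X-Session")))

class Router(LegacyRouter):
    """Deny-by-default model (the centralized authentication capability):
    the check runs here for every route not registered as anonymous."""
    def dispatch(self, req: Request) -> Tuple[int, str]:
        entry = self.routes.get(req.path)
        if entry is None:
            return 404, "not found"
        handler, anonymous = entry
        user = self.sessions.lookup(req.headers.get("X-Session"))
        if not anonymous and user is None:
            return 401, "authentication required"  # fail closed
        return handler(req, user)

USERS = {"admin": "correct horse battery staple"}  # constructed; hash passwords in real code

def build_app(router_cls):
    """Three routes: one public, one that checks itself, one that forgot."""
    sessions = SessionStore()
    app = router_cls(sessions)

    @app.route("/login", anonymous=True)
    def login(req, _user):
        name = req.body.get("username", "")
        expected = USERS.get(name, "")
        if not expected or not hmac.compare_digest(expected, req.body.get("password", "")):
            return 401, "bad credentials"
        return 200, sessions.create(name)

    @app.route("/admin/reboot")
    def reboot(req, user):
        if user is None:  # this handler remembered its own check
            return 401, "authentication required"
        return 200, f"reboot scheduled by {user}"

    @app.route("/config/backup")
    def backup(req, user):
        return 200, "wifi_psk=hunter2"  # no check at all; constructed data

    return app

def audit_unauthenticated_access(app: LegacyRouter) -> List[str]:
    """Hit every route with no session header; return the non-anonymous
    routes that still answer 200. An empty list means no CWE-306 gap."""
    return sorted(path for path, (_, anonymous) in app.routes.items()
                  if not anonymous and app.dispatch(Request(path))[0] == 200)

def login_then_reboot(app: LegacyRouter, username: str, password: str) -> int:
    """Normal flow: authenticate, then present the token on the privileged route."""
    status, token = app.dispatch(Request("/login", body={"username": username, "password": password}))
    if status != 200:
        return status
    return app.dispatch(Request("/admin/reboot", headers={"X-Session": token}))[0]
```

Running audit_unauthenticated_access(build_app(LegacyRouter)) reports /config/backup, the handler that forgot its check; the same application built on Router reports nothing, because the forgotten check no longer matters. The audit is worth keeping in CI: it turns "every critical function requires authentication" into a property that fails the build when a new route is added without an explicit anonymous=True.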
Examples (2)
In the following Java example the method createBankAccount is used to create a BankAccount object for a bank management application.

Bad · Java
```java
public BankAccount createBankAccount(String accountNumber, String accountType,
                                     String accountName, String accountSSN, double balance) {
    // No check that the caller has authenticated before a sensitive object is created.
    BankAccount account = new BankAccount();
    account.setAccountNumber(accountNumber);
    account.setAccountType(accountType);
    account.setAccountOwnerName(accountName);
    account.setAccountOwnerSSN(accountSSN);
    account.setBalance(balance);
    return account;
}
```

Good · Java
```java
private boolean isUserAuthentic = false;

// authenticate user,
// if user is authenticated then set variable to true
// otherwise set variable to false
public boolean authenticateUser(String username, String password) {
    ...
}

public BankAccount createNewBankAccount(String accountNumber, String accountType,
                                        String accountName, String accountSSN, double balance) {
    BankAccount account = null;
    if (isUserAuthentic) {
        account = new BankAccount();
        account.setAccountNumber(accountNumber);
        account.setAccountType(accountType);
        account.setAccountOwnerName(accountName);
        account.setAccountOwnerSSN(accountSSN);
        account.setBalance(balance);
    }
    return account;
}
```
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-21445 | Langflow Missing Authentication on Critical API Endpoints | langflow | 9.4 | - | 2026-01-02
CVE-2020-36904 | Selea CarPlateServer 4.0.1.6 Remote Program Execution via Configuration Endpoint | Selea CarPlateServer (CPS) | 7.5 | High | 2025-12-31
CVE-2024-58336 | Akuvox Smart Intercom S539 Unauthenticated Video Stream Disclosure | Akuvox Smart Doorphone | 5.3 | Medium | 2025-12-30
CVE-2022-50790 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream Disclosure | Impact/Pulse/First | 7.5 | High | 2025-12-30
CVE-2025-66377 | Pexip Infinity Access Control Error Vulnerability | Infinity | 7.5 | High | 2025-12-25
CVE-2025-3232 | Mitsubishi Electric Europe smartRTU Missing Authentication for Critical Function | smartRTU | 7.5 | High | 2025-12-24
CVE-2019-25248 | Beward N100 M2.1.6 Unauthenticated RTSP Video Stream Disclosure | N100 H.264 VGA IP Camera | 7.5 | High | 2025-12-24
CVE-2019-25240 | Rifatron 5brid DVR 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504) Unauthenticated Live Stream Disclosure via animate.cgi | DVR | 9.8 | Critical | 2025-12-24
CVE-2019-25236 | iSeeQ Hybrid DVR WH-H4 1.03R Unauthenticated Live Stream Disclosure | Hybrid DVR WH-H4 | 9.8 | Critical | 2025-12-24
CVE-2018-25141 | FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated RTSP Stream Disclosure | FLIR Thermal Traffic Cameras | 7.5 | High | 2025-12-24
CVE-2018-25140 | FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated Websocket Device Manipulation | Thermal Traffic Cameras | 7.5 | High | 2025-12-24
CVE-2018-25139 | FLIR AX8 Thermal Camera 1.32.16 Unauthenticated RTSP Stream Disclosure | FLIR AX8 Thermal Camera | 7.5 | High | 2025-12-24
CVE-2018-25137 | FLIR Brickstream 3D+ 2.1.742.1842 Unauthenticated Config File Disclosure | FLIR Brickstream 3D+ | 7.5 | High | 2025-12-24
CVE-2018-25136 | FLIR Brickstream 3D+ 2.1.742.1842 Unauthenticated RTSP Stream Disclosure | Brickstream 3D+ | 7.5 | High | 2025-12-24
CVE-2018-25134 | Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass via webNewAcct.cgi | netBooter NP-02x/NP-08x | 9.8 | Critical | 2025-12-24
CVE-2025-66445 | Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer | Hitachi Infrastructure Analytics Advisor | 7.1 | High | 2025-12-24
CVE-2023-53964 | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Factory Reset Vulnerability | Impact/Pulse/First | 9.8 | Critical | 2025-12-22
CVE-2023-53974 | D-Link DSL-124 ME_1.00 Backup Configuration File Disclosure via Unauthenticated Request | DSL-124 Wireless N300 ADSL2+ | 7.5 | High | 2025-12-22
CVE-2023-53969 | Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Password Change | Screen SFT DAB 600/C | 7.5 | High | 2025-12-22
CVE-2023-53970 | Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Reset Board Config | Screen SFT DAB 600/C | 7.5 | High | 2025-12-22
CVE-2023-53967 | Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Admin Password Change | Screen SFT DAB 600/C | 7.5 | High | 2025-12-22
CVE-2023-53968 | Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Erase Account | Screen SFT DAB 600/C | 9.8 | Critical | 2025-12-22
CVE-2025-12049 | Sharp Media Player MP-01 Security Vulnerability | Media Player MP-01 | 9.1 (AI) | Critical (AI) | 2025-12-22
CVE-2025-14300 | Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200 | Tapo C200 V3 | 7.1 (AI) | High (AI) | 2025-12-20
CVE-2025-65010 | Missing authorizations for admin panel password change in WODESYS WD-R608U router | WD-R608U | 9.8 (AI) | Critical (AI) | 2025-12-18
CVE-2025-65007 | Missing Authentication for Critical Function in WODESYS WD-R608U router | WD-R608U | 9.8 (AI) | Critical (AI) | 2025-12-18
CVE-2025-34434 | AVideo < 20.1 ImageGallery Plugin Unauthenticated File Upload and Deletion | AVideo | 9.1 (AI) | Critical (AI) | 2025-12-17
CVE-2023-53896 | D-Link DAP-1325 Hardware A1 Unauthenticated Configuration Download | DAP-1325 | 7.5 | High | 2025-12-16
CVE-2025-14567 | haxxorsid Stock-Management-System employees missing authentication | Stock-Management-System | 5.3 | Medium | 2025-12-12
CVE-2025-12348 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | 5.3 | Medium | 2025-12-12

Scores and severities marked (AI) carry the page's AI flag; a "-" severity means none was listed.

Vulnerabilities classified as CWE-306 (Missing Authentication for Critical Function) represent 1119 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact. Note that a few entries above are titled as authorization bypasses or missing authorizations, where an already authenticated caller reaches a function above its privilege; MITRE tracks that distinct pattern as CWE-862 (Missing Authorization), so check the underlying advisory before assuming an unauthenticated attack path.