
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 332

332 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Scope: Access Control · Impact: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Phase: Architecture and Design · Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part
Phase: Architecture and Design · Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked, with no counter, delay or lockout applied before the lookup.
// Bad · Java: every request reaches authenticateUser(), however many have already failed
String username = request.getParameter("username");
String password = request.getParameter("password");
int authResult = authenticateUser(username, password);
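The following throttle is an added Python example, not part of the CWE entry or of its Java snippet: it wraps the credential check with two of the mitigations listed above, a progressive delay between failed attempts and a lockout after a fixed number of failures. DEMO_USERS and the injectable clock are constructed for the demonstration.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed plaintext store for the demo only; real code verifies salted hashes.
DEMO_USERS = {"alice": "correct horse battery staple"}


@dataclass
class _Counter:
    failures: int = 0
    not_before: float = 0.0  # earliest clock value at which another attempt is accepted


@dataclass
class LoginThrottle:
    max_failures: int = 5            # failures before the account is locked out
    base_delay: float = 1.0          # delay after the first failure; doubles each time
    lockout_seconds: float = 900.0   # lockout length once max_failures is reached
    clock: Callable[[], float] = time.monotonic   # injectable for deterministic tests
    _state: Dict[str, _Counter] = field(default_factory=dict)

    def retry_after(self, username: str) -> float:
        """Seconds until the next attempt for this account is accepted (0.0 = now)."""
        c = self._state.get(username)
        return 0.0 if c is None else max(0.0, c.not_before - self.clock())

    def attempt(self, username: str, password: str) -> Tuple[bool, float]:
        """Return (authenticated, retry_after_seconds).

        A throttled account is refused before the password is looked at, so a
        guess made during the delay costs the attacker the wait without giving
        them an oracle.
        """
        wait = self.retry_after(username)
        if wait > 0:
            return False, wait
        c = self._state.setdefault(username, _Counter())
        expected = DEMO_USERS.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            self._state.pop(username, None)   # success clears the failure history
            return True, 0.0
        c.failures += 1
        if c.failures >= self.max_failures:
            c.not_before = self.clock() + self.lockout_seconds
        else:
            c.not_before = self.clock() + self.base_delay * 2 ** (c.failures - 1)
        return False, c.not_before - self.clock()
```

Keying the counter by account alone means anyone who knows a username can lock it, so production deployments usually pair it with a per-source limit, and the counter update must be atomic under concurrent requests.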
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2026-41893 · Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) — signalk-server · 9.1 (AI) · Critical (AI) · 2026-05-09
CVE-2025-2514 · Improper Restriction of Excessive Authentication Attempts vulnerability in Hitachi Virtual Storage Platform — Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 · 5.3 · Medium · 2026-05-07
CVE-2023-54347 · OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass — OpenEMR · 7.5 · High · 2026-05-05
CVE-2026-7671 · CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication — Tornet Scooter Mobile App · 3.7 · Low · 2026-05-02
CVE-2026-26206 · Wazuh: API brute-force protection bypass via race condition in login attempt tracking — wazuh · 6.5 · Medium · 2026-04-29
CVE-2026-6947 · D-Link|DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass — DWM-222W · 7.5 · High · 2026-04-24
CVE-2026-41213 · @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes — node-oauth2-server · 5.9 · Medium · 2026-04-23
CVE-2026-40586 · blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection — blueprintue-self-hosted-edition · 7.5 · High · 2026-04-21
CVE-2025-14362 · GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances — GoAnywhere MFT · 7.3 · High · 2026-04-21
CVE-2026-41037 · Missing Rate Limiting Vulnerability in Quantum Networks Router QN-I-470 — Router QN-I-470 · 8.8 (AI) · High (AI) · 2026-04-21
CVE-2026-40485 · ChurchCRM: Username Enumeration via Differential Response in Public Login API — CRM · 5.3 · Medium · 2026-04-17
CVE-2025-46606 · Dell PowerProtect Data Domain security vulnerability — PowerProtect Data Domain · 6.2 · Medium · 2026-04-17
CVE-2026-22616 · Eaton Intelligent Power Protector security vulnerability — IPP Software · 6.5 · Medium · 2026-04-16
CVE-2026-33667 · OpenProject: 2FA OTP Verification Missing Rate Limiting — openproject · 7.4 · High · 2026-04-15
CVE-2026-2402 · Schneider Electric PowerChute Serial Shutdown security vulnerability — PowerChute™ Serial Shutdown · 9.8 · - · 2026-04-14
CVE-2025-31991 · HCL DevOps Velocity is susceptible to brute-force attacks — Velocity · 6.8 · Medium · 2026-04-13
CVE-2026-35597 · Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout — vikunja · 5.9 · Medium · 2026-04-10
CVE-2026-35646 · OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation — OpenClaw · 4.8 · Medium · 2026-04-09
CVE-2026-35628 · OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting — OpenClaw · 4.8 · Medium · 2026-04-09
CVE-2026-35623 · OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting — OpenClaw · 4.8 · Medium · 2026-04-09
CVE-2026-33580 · OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication — OpenClaw · 6.5 · Medium · 2026-03-31
CVE-2026-34505 · OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation — OpenClaw · 6.5 · Medium · 2026-03-31
CVE-2026-33879 · FLIP doesn't have rate limiting or brute-force protection on login — FLIP · 9.8 · - · 2026-03-27
CVE-2026-33763 · AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle — AVideo · 5.3 · Medium · 2026-03-27
CVE-2026-33935 · MyTube has Unauthenticated Account Lockout via Shared Login Attempt State — MyTube · - · - · 2026-03-27
CVE-2026-33640 · Outline has a rate limit bypass that allows brute force of email login OTP — outline · 9.1 · - · 2026-03-26
CVE-2026-33152 · Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication — recipes · 9.1 · Critical · 2026-03-26
CVE-2026-31851 · Lack of Rate Limiting Enables Brute-Force Attacks in Nexxt Nebula 300+ — Nebula 300+ · 9.8 · - · 2026-03-23
CVE-2026-31903 · IGL-Technologies eParking.fi Improper Restriction of Excessive Authentication Attempts — eParking.fi · 7.5 · High · 2026-03-20
CVE-2026-31904 · CTEK Chargeportal Improper Restriction of Excessive Authentication Attempts — Chargeportal · 7.5 · High · 2026-03-20

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) represent 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.