
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 332

332 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 covers authentication endpoints that do not adequately restrict how many attempts a client may make within a given time. The weakness is exploited by brute-force and credential-stuffing attacks: automated tools cycle through password dictionaries, or through credentials leaked from other breaches, until a guess succeeds, and a response that differs between an unknown username and a wrong password makes enumeration cheaper still. Countermeasures include locking an account after a defined number of failures, progressive delays between attempts, per-source rate limiting, and CAPTCHA challenges to separate humans from bots; multi-factor authentication limits what a guessed password is worth. Two caveats matter in practice. Lockout on its own lets an attacker deny service to any known username, so pair it with throttling rather than relying on it exclusively, and key per-source limits on the address the server actually observes, since limits keyed on a client-supplied header such as X-Forwarded-For are trivially rotated (see the IP-spoofing entries in the list below). The same limits must cover every verifier in the flow, including one-time-code and second-factor checks, which several of the CVEs below show being left unprotected.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include: disconnecting the user after a small number of failed attempts; implementing a timeout; locking out a targeted account; requiring a computational task on the user's part.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked; nothing counts or slows repeated failures.
// Bad: authenticates on every request, with no failure counter, delay or lockout
String username = request.getParameter("username");
String password = request.getParameter("password");
int authResult = authenticateUser(username, password);
Bad · Java
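The mitigations listed above (disconnect after a few failures, timeout, lockout) and the doPost() fragment, worked through as an added example that is not code from MITRE or from any product in the CVE list below: a Python login throttle that counts failures per account and per source address, applies a progressive delay, locks the account after a threshold, and takes the source address from the TCP peer unless the request arrived through a configured trusted proxy, so a rotated X-Forwarded-For header does not reset the limit. The thresholds, the 10.0.0.0/8 proxy range, the credential store and the simulated requests are all constructed assumptions.

```python
"""Added example for the mitigations above and the doPost() fragment: not code
from MITRE or any product in the CVE list.  Thresholds, proxy range and the
user store are assumptions made for illustration."""
import hmac
import time
from ipaddress import ip_address, ip_network

MAX_ACCOUNT_FAILURES = 5    # lock the account after this many failures (assumed)
ACCOUNT_LOCK_SECONDS = 900  # 15-minute lockout (assumed)
MAX_IP_FAILURES = 20        # throttle a source after this many failures (assumed)
IP_WINDOW_SECONDS = 600     # ...within this sliding window (assumed)
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]       # assumed reverse-proxy range
USERS = {"alice": "correct horse battery staple"}  # constructed credential store


def client_ip(peer_ip, x_forwarded_for=None):
    """Address to rate-limit on.  X-Forwarded-For is honoured only when the TCP
    peer is one of our own proxies; a direct client can put anything in it."""
    peer = ip_address(peer_ip)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        try:  # our proxy appends the address it saw as the last element
            return str(ip_address(x_forwarded_for.split(",")[-1].strip()))
        except ValueError:
            pass
    return str(peer)


class LoginThrottle:
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock, self.sleep = clock, sleep  # injectable so tests run instantly
        self.acct = {}  # username -> {"count": int, "locked_until": float}
        self.ips = {}   # source address -> failure timestamps inside the window

    def check(self, username, ip):
        """Return (allowed, reason); applies the progressive delay when allowed."""
        now = self.clock()
        a = self.acct.get(username)
        if a and now < a["locked_until"]:
            return False, "account_locked"
        if a and a["locked_until"]:  # lock has expired: start a fresh count
            a["count"], a["locked_until"] = 0, 0.0
        recent = [t for t in self.ips.get(ip, []) if now - t < IP_WINDOW_SECONDS]
        self.ips[ip] = recent
        if len(recent) >= MAX_IP_FAILURES:
            return False, "ip_throttled"
        if a and a["count"]:
            self.sleep(min(2 ** a["count"] - 1, 30))  # 1, 3, 7, 15 ... seconds
        return True, "ok"

    def record_failure(self, username, ip):
        now = self.clock()
        a = self.acct.setdefault(username, {"count": 0, "locked_until": 0.0})
        a["count"] += 1
        if a["count"] >= MAX_ACCOUNT_FAILURES:
            a["locked_until"] = now + ACCOUNT_LOCK_SECONDS
        self.ips.setdefault(ip, []).append(now)

    def record_success(self, username):
        self.acct.pop(username, None)


def login(throttle, username, password, peer_ip, x_forwarded_for=None):
    """Hardened counterpart of the doPost() fragment: the throttle is consulted
    before the credential check, and every failure is recorded, unknown users
    included, so the response does not reveal which accounts exist."""
    ip = client_ip(peer_ip, x_forwarded_for)
    allowed, reason = throttle.check(username, ip)
    if not allowed:
        return reason
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        throttle.record_success(username)
        return "authenticated"
    throttle.record_failure(username, ip)
    return "bad_credentials"


def fake_throttle():
    """Throttle on a simulated clock; sleeping just advances the clock."""
    t = [0.0]
    return LoginThrottle(clock=lambda: t[0],
                         sleep=lambda s: t.__setitem__(0, t[0] + s)), t


def brute_force_one_account(spoof_header):
    """Eight wrong guesses at 'alice' from one attacker socket; with
    spoof_header=True a fresh X-Forwarded-For value is sent each time."""
    throttle, t = fake_throttle()
    out = []
    for i in range(8):
        xff = f"203.0.113.{i}" if spoof_header else None
        out.append(login(throttle, "alice", f"guess{i}", "198.51.100.7", xff))
        t[0] += 1
    return out


def spray_many_accounts():
    """Credential stuffing: one guess at each of 25 usernames from one address;
    the per-account counter never trips, so the per-source window has to."""
    throttle, t = fake_throttle()
    out = []
    for i in range(25):
        out.append(login(throttle, f"user{i}", "Password1", "198.51.100.7"))
        t[0] += 1
    return out
```

Calling brute_force_one_account() shows the single-account attack locked out after five failures whether or not the attacker rotates X-Forwarded-For, because the header is ignored unless the peer is a trusted proxy; spray_many_accounts() shows a credential-stuffing run that spreads one guess over many usernames being stopped by the per-source window instead. Two trade-offs to weigh before adopting such a policy: a hard lockout lets anyone who knows a username deny that user service, so many deployments escalate delays or demand a CAPTCHA at the threshold rather than lock outright; and a per-source limit punishes every user behind a shared NAT, so it belongs alongside the per-account counter, not in place of it.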
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-32025 | OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass | OpenClaw | 7.5 | High | 2026-03-19
CVE-2026-32295 | JetKVM insufficient login rate limiting | JetKVM | 7.5 | High | 2026-03-17
CVE-2026-32292 | GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting | Comet KVM | 7.5 | High | 2026-03-17
CVE-2025-69246 | Lack of bruteforce protection in Raytha CMS | Raytha | 9.1 | - | 2026-03-16
CVE-2026-32729 | Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp` | runtipi | 8.1 | High | 2026-03-13
CVE-2026-31863 | Improper Restriction of Excessive Authentication Attempts in github.com/anyproto/anytype-heart | anytype-heart | 3.6 | Low | 2026-03-11
CVE-2026-22629 | Fortinet multiple products security vulnerability | FortiAnalyzer | 3.4 | Low | 2026-03-10
CVE-2026-24696 | Everon api.everon.io Improper Restriction of Excessive Authentication Attempts | api.everon.io | 7.5 | High | 2026-03-06
CVE-2026-20882 | Mobiliti e-mobi.hu Improper Restriction of Excessive Authentication Attempts | e-mobi.hu | 7.5 | High | 2026-03-06
CVE-2026-27778 | ePower epower.ie Improper Restriction of Excessive Authentication Attempts | epower.ie | 7.5 | High | 2026-03-05
CVE-2026-30790 | RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force | RustDesk Server Pro | 8.4 | - | 2026-03-05
CVE-2026-27801 | Vaultwarden: 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement | vaultwarden | 8.8 (AI) | High (AI) | 2026-03-04
CVE-2026-27981 | HomeBox has an Auth Rate Limit Bypass via IP Spoofing | homebox | 7.4 | High | 2026-03-03
CVE-2025-36363 | IBM DevOps Plan is vulnerable to Excessive Authentication Attempts | DevOps Plan | 5.9 | Medium | 2026-03-03
CVE-2026-27824 | calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing | calibre | 5.3 | Medium | 2026-02-27
CVE-2026-27753 | SODOLA SL902-SWTGW124AS <= 200.1.20 Improper Login Rate Limiting | SODOLA SL902-SWTGW124AS | 6.5 | Medium | 2026-02-27
CVE-2026-26305 | Mobility46 mobility46.se Improper Restriction of Excessive Authentication Attempts | mobility46.se | 7.5 | High | 2026-02-27
CVE-2026-24445 | EV Energy ev.energy Improper Restriction of Excessive Authentication Attempts | ev.energy | 7.5 | High | 2026-02-27
CVE-2026-25113 | SWITCH EV swtchenergy.com Improper Restriction of Excessive Authentication Attempts | swtchenergy.com | 7.5 | High | 2026-02-26
CVE-2026-25945 | EV2GO ev2go.io Improper Restriction of Excessive Authentication Attempts | ev2go.io | 7.5 | High | 2026-02-26
CVE-2026-25114 | CloudCharge cloudcharge.se Improper Restriction of Excessive Authentication Attempts | cloudcharge.se | 7.5 | High | 2026-02-26
CVE-2026-20792 | Chargemap chargemap.com Improper Restriction of Excessive Authentication Attempts | chargemap.com | 7.5 | High | 2026-02-26
CVE-2026-26227 | VLC for Android < 3.7.0 Remote Access OTP Authentication Bypass | VLC for Android | 3.7 | Low | 2026-02-26
CVE-2026-27521 | Binardat 10G08-0800GSM Network Switch Missing Login Rate Limiting | 10G08-0800GSM Network Switch | 7.5 | High | 2026-02-24
CVE-2025-7630 | OTP Password Brute Forcing in DorukNet's Wispotter | Wispotter | 5.3 | Medium | 2026-02-18
CVE-2026-2110 | Tasin1025 SwiftBuy login.php excessive authentication | SwiftBuy | 3.7 | Low | 2026-02-07
CVE-2025-67853 | Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service | - | 7.5 | High | 2026-02-03
CVE-2026-1685 | D-Link DIR-823X Login sub_40AC74 excessive authentication | DIR-823X | 3.7 | Low | 2026-01-30
CVE-2026-24436 | Tenda W30E V2 Lacks Rate Limiting on Authentication | W30E V2 | 9.8 (AI) | Critical (AI) | 2026-01-26
CVE-2026-1409 | Beetel 777VR1 UART excessive authentication | 777VR1 | 2.0 | Low | 2026-01-25
"(AI)" marks score and severity values the page tags as AI-annotated; "-" marks a value the page does not list.

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) represent 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.