CWE-306: Missing Authentication for Critical Function
Abstraction: Base. Status: Draft.
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
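The following is an added example, not code from the CWE entry, showing the weakness beside its fix: a user-deletion endpoint whose only gate is a hidden form field that the web UI emits after a client-side role check (so the server itself never authenticates anyone), and the same endpoint with authentication of the caller from a bearer token and a role check both enforced on the server. The request type, the token table and the handler names are constructed for illustration; the tokens are not real credentials.

```python
"""CWE-306 in a request handler, and the server-side fix.

Added example. The dispatcher is hand-rolled so the block runs offline;
Request, USERS, UserStore and the handler names are assumptions.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed sample data (placeholder tokens): user -> (role, API token).
USERS = {
    "alice": ("admin", "tok-alice-0001"),
    "bob": ("user", "tok-bob-0002"),
}


class UserStore:
    """Minimal stand-in for the application's user table."""
    def __init__(self, users):
        self.users = dict(users)

    def delete(self, name):
        return self.users.pop(name, None) is not None


def vulnerable_delete_user(store, req):
    """CWE-306: a critical function with no authentication at all.

    The web UI only renders the delete form (including the hidden
    confirm_admin field) after a client-side role check, so the author
    assumed only admins could reach this handler. Nothing here verifies
    who is calling; an attacker posts confirm_admin=1 directly.
    """
    if req.form.get("confirm_admin") != "1":
        return 400, "missing confirmation"
    target = req.form.get("user")
    return (200, f"deleted {target}") if store.delete(target) else (404, "no such user")


def authenticate(req):
    """Resolve a bearer token to (user, role) on the server, or None.

    compare_digest keeps the comparison constant-time so the token
    cannot be guessed byte by byte from response timing.
    """
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for name, (role, token) in USERS.items():
        if hmac.compare_digest(presented, token.encode()):
            return name, role
    return None


def hardened_delete_user(store, req):
    """Same function with authentication (who is calling?) and then
    authorization (may that identity do this?) enforced server-side."""
    identity = authenticate(req)
    if identity is None:
        return 401, "authentication required"
    _, role = identity
    if role != "admin":
        return 403, "admin role required"
    target = req.form.get("user")
    if not target:
        return 400, "missing user"
    return (200, f"deleted {target}") if store.delete(target) else (404, "no such user")


def demo():
    """Replay one unauthenticated request against both handlers, then a
    properly authenticated admin request against the hardened one."""
    attack = Request("/admin/delete", form={"user": "alice", "confirm_admin": "1"})
    vuln = vulnerable_delete_user(UserStore(USERS), attack)
    hard_store = UserStore(USERS)
    blocked = hardened_delete_user(hard_store, attack)
    admin = Request("/admin/delete",
                    headers={"Authorization": "Bearer tok-alice-0001"},
                    form={"user": "bob"})
    allowed = hardened_delete_user(hard_store, admin)
    return vuln, blocked, allowed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The distinction the hardened handler keeps is the one the CWE draws: 401 when no identity was established at all (this weakness), 403 when an established identity lacks the role (an authorization failure, which is a different weakness). Hiding the form in the UI never counted as either check.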
Common consequences
- Scope: Access Control, Other. Impact: Gain Privileges or Assume Identity; Varies by Context. Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, acce
Potential mitigations
- Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Implementation, System Configuration, Operation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
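As an added example (not from the CWE entry or from any provider's tooling), the check below applies the cloud-storage mitigation to an S3 bucket policy: it walks the policy's Allow statements and reports those that an anonymous caller can satisfy, meaning a wildcard Principal with no condition that binds the caller to an account, role or organisation. Both policy documents are constructed; the bucket name, the account ID 123456789012 and the organisation ID o-exampleorg are placeholders. The heuristic is deliberately conservative (it treats channel and network conditions such as aws:SecureTransport or aws:SourceIp as not authenticating anyone), and it audits only the policy document; account-level guards such as S3 Block Public Access should be enabled in addition.

```python
"""Audit an S3 bucket policy for Allow statements that need no authentication.

Added example; WEAK_POLICY and FIXED_POLICY are constructed, and the bucket
name, account ID and organisation ID in them are placeholders.
"""
import json

# Condition keys that tie a wildcard Principal to an authenticated identity.
# Keys like aws:SecureTransport or aws:SourceIp constrain the channel or the
# network, not who the caller is, so they are intentionally absent here.
IDENTITY_CONDITION_KEYS = {
    "aws:principalarn", "aws:principalaccount",
    "aws:principalorgid", "aws:principalorgpaths",
}

WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


def _wildcard_principal(principal):
    """True when Principal is "*" or any provider's list contains "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            if "*" in (value if isinstance(value, list) else [value]):
                return True
    return False


def _binds_identity(condition):
    """True when a positive condition names an identity-binding key.
    Negated (...Not...), IfExists and Null operators are skipped: they do
    not narrow the caller set, or do so in ways this audit does not model."""
    for operator, clause in (condition or {}).items():
        op = operator.lower()
        if "not" in op or op.endswith("ifexists") or op == "null":
            continue
        if any(key.lower() in IDENTITY_CONDITION_KEYS for key in clause):
            return True
    return False


def unauthenticated_statements(policy):
    """Sids (or positions) of Allow statements an anonymous caller satisfies."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        # Allow + NotPrincipal grants to everyone except the listed principals.
        if "NotPrincipal" in stmt:
            findings.append(sid)
        elif (_wildcard_principal(stmt.get("Principal"))
              and not _binds_identity(stmt.get("Condition"))):
            findings.append(sid)
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, unauthenticated_statements(policy))
```

On the weak policy the audit reports PublicRead; on the fixed one it reports nothing, because AppRoleRead names a specific role and OrgRead's wildcard principal is bound by aws:PrincipalOrgID to authenticated callers inside one organisation. The Deny statement is ignored in both since it only removes permissions.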
Related CWEs
Recent CVEs classified under this CWE
CVE ID           Score  Date
CVE-2023-54352   9.8    2026-06-08
CVE-2023-54350   7.5    2026-06-08
CVE-2026-11420   -      2026-06-05
CVE-2026-45327   8.2    2026-06-05
CVE-2025-71318   9.8    2026-06-05
CVE-2026-6274    9.8    2026-06-05
CVE-2026-11238   5.9    2026-06-05
CVE-2024-27892   9.6    2026-06-04
CVE-2024-27890   9.6    2026-06-04
CVE-2026-25550   9.8    2026-06-04
CVE-2019-25738   9.8    2026-06-04
CVE-2026-50225   9.1    2026-06-04
CVE-2026-36603   8.1    2026-06-03
CVE-2026-10617   7.3    2026-06-02
CVE-2026-42074   9.8    2026-06-02
CVE-2026-0611    9.8    2026-06-02
CVE-2026-24090   7.1    2026-06-01
CVE-2026-24088   8.2    2026-06-01
CVE-2026-10283   6.3    2026-06-01
CVE-2026-10281   7.3    2026-06-01