CWE-287 · Improper Authentication
4378 CVEs classified under CWE-287 (Improper Authentication). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-49869 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("… |
| CVE-2026-45480 | Critical | 10.0 | 2026-06-19 | Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-46389 | Critical | 10.0 | 2026-06-05 | UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0… |
| CVE-2026-10611 | Critical | 10.0 | 2026-06-02 | An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.m… |
| CVE-2026-46840 | Critical | 10.0 | 2026-05-28 | Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulne… |
| CVE-2026-47280 | Critical | 10.0 | 2026-05-22 | Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-42822 | Critical | 10.0 | 2026-05-18 | Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-20182 | Critical | 10.0 | 2026-05-14 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in Februar… |
| CVE-2026-42869 | Critical | 10.0 | 2026-05-11 | SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded… |
| CVE-2026-41070 | Critical | 10.0 | 2026-05-08 | openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to… |
| CVE-2026-41679 | Critical | 10.0 | 2026-04-23 | Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker ca… |
| CVE-2026-30836 | Critical | 10.0 | 2026-03-19 | Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unau… |
| CVE-2026-24898 | Critical | 10.0 | 2026-03-03 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vu… |
| CVE-2026-20127 | Critical | 10.0 | 2026-02-25 | A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vMana… |
| CVE-2025-70841 | Critical | 10.0 | 2026-02-03 | Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct… |
| CVE-2025-44005 | Critical | 10.0 | 2025-12-17 | An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorizati… |
| CVE-2025-63224 | Critical | 10.0 | 2025-11-19 | The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JW… |
| CVE-2025-63216 | Critical | 10.0 | 2025-11-18 | The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid J… |
| CVE-2025-55241 | Critical | 10.0 | 2025-09-04 | Azure Entra ID Elevation of Privilege Vulnerability |
| CVE-2025-54419 | Critical | 10.0 | 2025-07-28 | A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response documen… |