CWE-303 · Incorrect Implementation of Authentication Algorithm

92 CVEs are classified under CWE-303 (Incorrect Implementation of Authentication Algorithm).

Top CVEs for CWE-303
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2026-46389 | Critical | 10.0 | 2026-06-05 | UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0… |
| CVE-2026-46595 | Critical | 10.0 | 2026-05-22 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key… |
| CVE-2025-13390 | Critical | 10.0 | 2025-12-03 | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of… |
| CVE-2022-20695 | Critical | 10.0 | 2022-04-15 | A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass a… |
| CVE-2025-12421 | Critical | 9.9 | 2025-11-27 | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange… |
| CVE-2025-12419 | Critical | 9.9 | 2025-11-27 | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Conn… |
| CVE-2022-39366 | Critical | 9.9 | 2022-10-28 | DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the sig… |
| CVE-2026-35579 | Critical | 9.8 | 2026-05-05 | CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authenticat… |
| CVE-2026-29515 | Critical | 9.8 | 2026-03-11 | MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without… |
| CVE-2025-66489 | Critical | 9.8 | 2025-12-03 | Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a… |
| CVE-2025-63210 | Critical | 9.8 | 2025-11-19 | The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit t… |
| CVE-2025-21311 | Critical | 9.8 | 2025-01-14 | Windows NTLM V1 Elevation of Privilege Vulnerability |
| CVE-2024-10127 | Critical | 9.8 | 2024-11-20 | Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user aut… |
| CVE-2024-7593 | Critical | 9.8 | 2024-08-13 | Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass a… |
| CVE-2024-4985 | Critical | 9.8 | 2024-05-20 | An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on authentication with the optional e… |
| CVE-2023-3326 | Critical | 9.8 | 2023-06-22 | pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Ce… |
| CVE-2023-29357 | Critical | 9.8 | 2023-06-14 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
| CVE-2018-4841 | Critical | 9.8 | 2018-03-29 | A vulnerability has been identified in TIM 1531 IRC (All versions < V1.1). A remote attacker with network access to port 80/tcp or port 443/tcp could perform a… |
| CVE-2023-4860 | Critical | 9.6 | 2024-07-16 | Inappropriate implementation in Skia in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who had compromised the renderer process to potentially… |
| CVE-2026-28446 | Critical | 9.4 | 2026-03-05 | OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist pol… |