CWE-304 · Missing Critical Step in Authentication

CWE-304 covers products that implement an authentication technique but skip one of its steps, so that a client can be authenticated without every required check having actually passed. 30 CVEs are classified under CWE-304 (Missing Critical Step in Authentication); the 20 highest-scoring are listed below.

Top CVEs for CWE-304
CVE | Severity | Score | Published | Summary
--- | --- | --- | --- | ---
CVE-2024-8954 | Critical | 9.8 | 2025-03-20 | In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an at…
CVE-2024-2172 | Critical | 9.8 | 2024-03-13 | The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing c…
CVE-2022-2821 | Critical | 9.8 | 2022-08-15 | Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2.
CVE-2022-2302 | Critical | 9.8 | 2022-07-11 | Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote at…
CVE-2026-44547 | Critical | 9.6 | 2026-05-12 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then si…
CVE-2024-45764 | Critical | 9.0 | 2024-11-08 | Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated attacker with remote…
CVE-2024-12048 | High | 8.8 | 2025-03-20 | An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authori…
CVE-2019-16766 | High | 8.7 | 2019-11-29 | When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by chan…
CVE-2026-42452 | High | 8.1 | 2026-05-08 | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a tem…
CVE-2025-24322 | High | 8.1 | 2025-08-20 | An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted ne…
CVE-2024-9216 | High | 8.1 | 2025-03-20 | An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat histo…
CVE-2022-1065 | High | 8.1 | 2022-04-19 | A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus…
CVE-2024-11302 | High | 8.0 | 2025-03-20 | A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remov…
CVE-2023-22833 | High | 7.6 | 2023-06-06 | Palantir Foundry deployments running Lime2 versions between 2.519.0 and 2.532.0 were vulnerable to a bug that allowed authenticated users within a Foundry organiz…
CVE-2025-55138 | High | 7.4 | 2025-08-07 | LinkJoin through 882f196 mishandles token ownership in password reset.
CVE-2026-40542 | High | 7.3 | 2026-04-22 | Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper m…
CVE-2024-12136 | Medium | 6.9 | 2025-03-19 | Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass. This issue affects ANKA JPD-00028: b…
CVE-2024-52965 | Medium | 6.8 | 2025-07-08 | A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, a…
CVE-2024-7745 | Medium | 6.5 | 2024-08-28 | In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the s…
CVE-2023-3628 | Medium | 6.5 | 2023-12-18 | A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated…
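The recurring shape in the entries above is a multi-step login (password, then a second factor, or a verified credential before a session is minted) in which one implementation never requires a step to have actually succeeded. The following Python is an added example of that weakness class; it is not the code of any project in the table and does not reconstruct any listed CVE. It models a two-step login twice: a vulnerable variant that records each step's outcome but issues a session regardless, and a hardened variant that keeps completed steps in server-side state, enforces their order, discards the attempt on any failure, and refuses to finish unless every required step is done. The user store, the password hashing and the deterministic TOTP stand-in are assumptions made for illustration only.

```python
"""Constructed CWE-304 illustration (added example, not any product's code):
a two-step login where one implementation lets a caller finish without
every required step having succeeded."""
import hashlib
import hmac
import secrets

# Constructed user store; password, hash scheme and TOTP stand-in are
# assumptions for this example only.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"alice-totp-secret",
    }
}

REQUIRED_STEPS = ("password", "totp")   # every step, in the required order


def check_password(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw_hash"], digest)


def totp_code(secret):
    # Deterministic stand-in for TOTP (fixed counter, not a time window)
    # so the example runs offline.
    return hmac.new(secret, b"counter-0", hashlib.sha256).hexdigest()[:6]


def check_totp(user, code):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(totp_code(rec["totp_secret"]), code)


class VulnerableLogin:
    """Records each step's outcome but never consults it: finish() issues a
    session for any pending token, so a failed or skipped step still gets in."""
    def __init__(self):
        self.pending = {}    # pending token -> per-attempt state
        self.sessions = {}   # session id -> user

    def start(self, user):
        tok = secrets.token_hex(8)
        self.pending[tok] = {"user": user, "password_ok": False, "totp_ok": False}
        return tok

    def password(self, tok, pw):
        st = self.pending[tok]
        st["password_ok"] = check_password(st["user"], pw)
        return st["password_ok"]

    def totp(self, tok, code):
        st = self.pending[tok]
        st["totp_ok"] = check_totp(st["user"], code)
        return st["totp_ok"]

    def finish(self, tok):
        st = self.pending.pop(tok)      # BUG: password_ok / totp_ok never checked
        sid = secrets.token_hex(8)
        self.sessions[sid] = st["user"]
        return sid


class HardenedLogin:
    """A step runs only after every earlier step succeeded, one failure ends
    the attempt, and finish() refuses unless all REQUIRED_STEPS are done."""
    def __init__(self):
        self.pending = {}
        self.sessions = {}

    def start(self, user):
        tok = secrets.token_hex(8)
        self.pending[tok] = {"user": user, "done": set()}
        return tok

    def _step(self, tok, name, verify):
        st = self.pending.get(tok)
        if st is None:
            return False
        if set(REQUIRED_STEPS[:REQUIRED_STEPS.index(name)]) - st["done"]:
            return False                # an earlier step has not completed
        if not verify(st["user"]):
            self.pending.pop(tok, None) # one failure discards the attempt
            return False
        st["done"].add(name)
        return True

    def password(self, tok, pw):
        return self._step(tok, "password", lambda u: check_password(u, pw))

    def totp(self, tok, code):
        return self._step(tok, "totp", lambda u: check_totp(u, code))

    def finish(self, tok):
        st = self.pending.get(tok)
        if st is None or set(REQUIRED_STEPS) - st["done"]:
            return None                 # a required step is missing
        self.pending.pop(tok)
        sid = secrets.token_hex(8)
        self.sessions[sid] = st["user"]
        return sid


def vulnerable_bypass():
    """Wrong password and no TOTP at all, yet a session for alice is issued."""
    v = VulnerableLogin()
    tok = v.start("alice")
    v.password(tok, "wrong")
    return v.sessions.get(v.finish(tok)) == "alice"


def hardened_rejects_skipped_step():
    """Jumping straight to TOTP with the correct code, skipping the password."""
    h = HardenedLogin()
    tok = h.start("alice")
    totp_ok = h.totp(tok, totp_code(USERS["alice"]["totp_secret"]))
    return (not totp_ok) and h.finish(tok) is None


def hardened_rejects_failed_step():
    h = HardenedLogin()
    tok = h.start("alice")
    h.password(tok, "wrong")
    return h.finish(tok) is None


def hardened_accepts_full_flow():
    h = HardenedLogin()
    tok = h.start("alice")
    ok = h.password(tok, "correct horse") and h.totp(tok, totp_code(USERS["alice"]["totp_secret"]))
    return ok and h.sessions.get(h.finish(tok)) == "alice"
```

The check worth hunting for in review is the one in `finish()`: a session must only be minted from server-side state that proves each required step passed, in order, for this attempt. Anything that lets a client-supplied flag, a cached "already logged in" marker, or the mere existence of a pending token stand in for that proof is the CWE-304 pattern.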