CWE-1390
Allowed-with-ReviewWeak Authentication
Abstraction: Class · Status: Incomplete
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
155 vulnerabilities reference this CWE, most recent first.
GHSA-45JF-R23J-3XM6
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30A weak authentication in Fortinet FortiPAM 1.5.0, 1.4.0 through 1.4.2, 1.3.0 through 1.3.1, 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager 7.2.0 through 7.2.4 allows attacker to execute unauthorized code or commands via specially crafted http requests
{
"affected": [],
"aliases": [
"CVE-2025-49201"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T16:15:38Z",
"severity": "HIGH"
},
"details": "A weak authentication in Fortinet FortiPAM 1.5.0, 1.4.0 through 1.4.2, 1.3.0 through 1.3.1, 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager 7.2.0 through 7.2.4 allows attacker to execute unauthorized code or commands via specially crafted http requests",
"id": "GHSA-45jf-r23j-3xm6",
"modified": "2025-10-14T18:30:27Z",
"published": "2025-10-14T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49201"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4765-M9WV-V7GX
Vulnerability from github – Published: 2025-11-12 09:30 – Updated: 2025-11-12 18:31The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2025-12870"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T08:15:41Z",
"severity": "CRITICAL"
},
"details": "The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges.",
"id": "GHSA-4765-m9wv-v7gx",
"modified": "2025-11-12T18:31:23Z",
"published": "2025-11-12T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12870"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/b97e8337-6b0c-43e8-8e8c-187b7c0e13c2"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4CPV-8QGX-F9FV
Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-04-23 18:33Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.
{
"affected": [],
"aliases": [
"CVE-2025-70994"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T15:36:26Z",
"severity": "HIGH"
},
"details": "Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.",
"id": "GHSA-4cpv-8qgx-f9fv",
"modified": "2026-04-23T18:33:03Z",
"published": "2026-04-23T18:33:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70994"
},
{
"type": "WEB",
"url": "https://github.com/ktauchathuranga/CVE-2025-70994"
},
{
"type": "WEB",
"url": "https://github.com/ktauchathuranga/ghost-keys"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RHW-3JX2-MPCF
Vulnerability from github – Published: 2026-03-03 09:30 – Updated: 2026-03-13 18:31Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions.
{
"affected": [],
"aliases": [
"CVE-2025-15595"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T07:16:09Z",
"severity": "MODERATE"
},
"details": "Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions.",
"id": "GHSA-4rhw-3jx2-mpcf",
"modified": "2026-03-13T18:31:30Z",
"published": "2026-03-03T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15595"
},
{
"type": "WEB",
"url": "https://jrsoftware.org/files/is6.2-whatsnew.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:Clear",
"type": "CVSS_V4"
}
]
}
GHSA-4VWJ-X32H-M4VJ
Vulnerability from github – Published: 2024-01-25 18:30 – Updated: 2024-02-08 15:30An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.
{
"affected": [],
"aliases": [
"CVE-2024-0822"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-25T16:15:08Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.",
"id": "GHSA-4vwj-x32h-m4vj",
"modified": "2024-02-08T15:30:26Z",
"published": "2024-01-25T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0822"
},
{
"type": "WEB",
"url": "https://github.com/oVirt/ovirt-engine/pull/914"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0822"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258509"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X6W-65JR-R5PV
Vulnerability from github – Published: 2025-11-11 15:31 – Updated: 2025-11-11 15:31A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period.
{
"affected": [],
"aliases": [
"CVE-2025-11084"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T14:15:34Z",
"severity": "HIGH"
},
"details": "A security issue exists within DataMosaix\u2122 Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period.",
"id": "GHSA-4x6w-65jr-r5pv",
"modified": "2025-11-11T15:31:20Z",
"published": "2025-11-11T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11084"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4XG2-VJM8-8R9M
Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-26343"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T14:15:34Z",
"severity": "HIGH"
},
"details": "A CWE-1390 \"Weak Authentication\" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.",
"id": "GHSA-4xg2-vjm8-8r9m",
"modified": "2025-02-12T15:32:00Z",
"published": "2025-02-12T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26343"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26343"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52P8-9VRH-6WX7
Vulnerability from github – Published: 2023-09-19 15:30 – Updated: 2024-04-04 07:44ARCONTE Aurea's authentication system, in its 1.5.0.0 version, could allow an attacker to make incorrect access requests in order to block each legitimate account and cause a denial of service. In addition, a resource has been identified that could allow circumventing the attempt limit set in the login form.
{
"affected": [],
"aliases": [
"CVE-2023-4094"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-19T14:15:22Z",
"severity": "HIGH"
},
"details": "ARCONTE Aurea\u0027s authentication system, in its 1.5.0.0 version, could allow an attacker to make incorrect access requests in order to block each legitimate account and cause a denial of service. In addition, a resource has been identified that could allow circumventing the attempt limit set in the login form.",
"id": "GHSA-52p8-9vrh-6wx7",
"modified": "2024-04-04T07:44:05Z",
"published": "2023-09-19T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4094"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fujitsu-arconte-aurea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5GFX-M376-WPJR
Vulnerability from github – Published: 2026-03-20 18:31 – Updated: 2026-04-14 15:30A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.
We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later
{
"affected": [],
"aliases": [
"CVE-2025-62844"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T17:16:42Z",
"severity": "MODERATE"
},
"details": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later",
"id": "GHSA-5gfx-m376-wpjr",
"modified": "2026-04-14T15:30:28Z",
"published": "2026-03-20T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62844"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5HV5-8328-HRJ4
Vulnerability from github – Published: 2025-07-04 12:30 – Updated: 2026-04-01 18:35Weak Authentication vulnerability in AresIT WP Compress allows Authentication Abuse. This issue affects WP Compress: from n/a through 6.30.30.
{
"affected": [],
"aliases": [
"CVE-2025-47479"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T12:15:28Z",
"severity": "MODERATE"
},
"details": "Weak Authentication vulnerability in AresIT WP Compress allows Authentication Abuse. This issue affects WP Compress: from n/a through 6.30.30.",
"id": "GHSA-5hv5-8328-hrj4",
"modified": "2026-04-01T18:35:45Z",
"published": "2025-07-04T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47479"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wp-compress-image-optimizer/vulnerability/wordpress-wp-compress-6-30-30-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.