CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-9528-X887-J2FP
Vulnerability from github – Published: 2026-03-31 23:59 – Updated: 2026-04-06 22:53Summary
Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.
Impact
An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.
Affected Component
extensions/nextcloud-talk/src/monitor.ts
Fixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit e403decb6e (nextcloud-talk: throttle repeated webhook auth failures).
OpenClaw thanks @AntAISecurityLab for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33580"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:59:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nNextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.\n\n## Impact\n\nAn attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.\n\n## Affected Component\n\n`extensions/nextcloud-talk/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
"id": "GHSA-9528-x887-j2fp",
"modified": "2026-04-06T22:53:25Z",
"published": "2026-03-31T23:59:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenClaw\u0027s Nextcloud Talk webhook missing rate limiting on shared secret authentication"
}
GHSA-9598-6RG8-G969
Vulnerability from github – Published: 2026-06-06 06:30 – Updated: 2026-06-06 06:30Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass.
This issue affects MyRezzta: from s2.03.01 before v2.05.01.
{
"affected": [],
"aliases": [
"CVE-2025-2415"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-03T09:15:34Z",
"severity": "HIGH"
},
"details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass.\n\nThis issue affects MyRezzta: from s2.03.01 before v2.05.01.",
"id": "GHSA-9598-6rg8-g969",
"modified": "2026-06-06T06:30:27Z",
"published": "2026-06-06T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2415"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0205"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0205"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9825-85H5-5W5P
Vulnerability from github – Published: 2022-09-09 00:01 – Updated: 2022-09-14 00:00The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider.
{
"affected": [],
"aliases": [
"CVE-2022-37145"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-08T01:15:00Z",
"severity": "HIGH"
},
"details": "The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider.",
"id": "GHSA-9825-85h5-5w5p",
"modified": "2022-09-14T00:00:46Z",
"published": "2022-09-09T00:01:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37145"
},
{
"type": "WEB",
"url": "https://www.controlgap.com/blog/a-plextrac-story"
},
{
"type": "WEB",
"url": "http://plextrac.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-99F7-HP6J-V6Q4
Vulnerability from github – Published: 2025-07-16 12:30 – Updated: 2025-07-18 17:23In Eclipse GlassFish version 7.0.16 or earlier, it is possible to perform login brute force attacks as there is no limitation on the number of failed login attempts.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.glassfish.main.admingui:console-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.0.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9342"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-18T17:23:26Z",
"nvd_published_at": "2025-07-16T11:15:23Z",
"severity": "MODERATE"
},
"details": "In Eclipse GlassFish version 7.0.16 or earlier, it is possible to perform login brute force attacks as there is no limitation on the number of failed login attempts.",
"id": "GHSA-99f7-hp6j-v6q4",
"modified": "2025-07-18T17:23:26Z",
"published": "2025-07-16T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9342"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-ee4j/glassfish"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/33"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/231"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts"
}
GHSA-99F8-8X85-W7XG
Vulnerability from github – Published: 2023-04-13 21:30 – Updated: 2024-04-04 03:27BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.
{
"affected": [],
"aliases": [
"CVE-2023-27746"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-13T20:15:00Z",
"severity": "CRITICAL"
},
"details": "BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.",
"id": "GHSA-99f8-8x85-w7xg",
"modified": "2024-04-04T03:27:17Z",
"published": "2023-04-13T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27746"
},
{
"type": "WEB",
"url": "https://blackvue.com"
},
{
"type": "WEB",
"url": "https://github.com/eyJhb/blackvue-cve-2022"
},
{
"type": "WEB",
"url": "https://github.com/eyJhb/blackvue-cve-2023"
},
{
"type": "WEB",
"url": "https://shop.blackvue.com/product/dr750-2ch-ir-lte"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HCR-9HCV-X6PV
Vulnerability from github – Published: 2023-04-10 16:37 – Updated: 2025-03-07 19:09Impact
Lack of rate limiting will allow an attacker to brute-force user credentials.
Patches
Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use AUTH_RATE_LIMITED = True and RATELIMIT_ENABLED = True set the limit itself by using AUTH_RATE_LIMIT. Will apply only to database authentication.
Workarounds
Implement rate limiting using a reverse proxy or other strategies.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Flask-AppBuilder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29005"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-10T16:37:40Z",
"nvd_published_at": "2023-04-10T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nLack of rate limiting will allow an attacker to brute-force user credentials.\n\n### Patches\nAbility to enable rate limiting on Flask-AppBuilder \u003e= 4.3.0. Use `AUTH_RATE_LIMITED = True` and `RATELIMIT_ENABLED = True` set the limit itself by using `AUTH_RATE_LIMIT`. Will apply only to database authentication.\n\n### Workarounds\nImplement rate limiting using a reverse proxy or other strategies.",
"id": "GHSA-9hcr-9hcv-x6pv",
"modified": "2025-03-07T19:09:34Z",
"published": "2023-04-10T16:37:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29005"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/pull/1976"
},
{
"type": "WEB",
"url": "https://flask-limiter.readthedocs.io/en/stable/configuration.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/dpgaspar/Flask-AppBuilder"
},
{
"type": "WEB",
"url": "https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flask-AppBuilder Has No Rate Limiting on Login AUTH DB"
}
GHSA-9HP3-3V8X-GVHX
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2026-06-02 21:30A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions >= 14 and V < XX), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI Mobile Panels (All versions), SIMATIC HMI United Comfort Panels (All versions). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.
{
"affected": [],
"aliases": [
"CVE-2020-15786"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-09T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions \u003e= 14 and V \u003c XX), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI Mobile Panels (All versions), SIMATIC HMI United Comfort Panels (All versions). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.",
"id": "GHSA-9hp3-3v8x-gvhx",
"modified": "2026-06-02T21:30:30Z",
"published": "2022-05-24T17:27:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15786"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-542525.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9JH8-XH9X-6W7F
Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-03 21:31IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
{
"affected": [],
"aliases": [
"CVE-2025-36363"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T20:16:43Z",
"severity": "MODERATE"
},
"details": "IBM DevOps Plan 3.0.0 through 3.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.",
"id": "GHSA-9jh8-xh9x-6w7f",
"modified": "2026-03-03T21:31:16Z",
"published": "2026-03-03T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36363"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7261934"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9JW5-JRMV-GMVG
Vulnerability from github – Published: 2023-06-01 21:30 – Updated: 2024-04-04 04:28The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials.
{
"affected": [],
"aliases": [
"CVE-2023-33754"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T20:15:09Z",
"severity": "MODERATE"
},
"details": "The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials.",
"id": "GHSA-9jw5-jrmv-gmvg",
"modified": "2024-04-04T04:28:02Z",
"published": "2023-06-01T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33754"
},
{
"type": "WEB",
"url": "https://github.com/Alkatraz97/CVEs/blob/main/CVE-2023-33754.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9M95-X9FM-78HH
Vulnerability from github – Published: 2024-02-16 12:30 – Updated: 2024-08-29 15:30Dell RecoverPoint for Virtual Machines 5.3.x contains a brute force/dictionary attack vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to launch a brute force attack or a dictionary attack against the RecoverPoint login form. This allows attackers to brute-force the password of valid users in an automated manner.
{
"affected": [],
"aliases": [
"CVE-2024-22425"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T12:15:07Z",
"severity": "MODERATE"
},
"details": "\nDell RecoverPoint for Virtual Machines 5.3.x contains a brute force/dictionary attack vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to launch a brute force attack or a dictionary attack against the RecoverPoint login form. This allows attackers to brute-force the password of valid users in an automated manner.\n\n",
"id": "GHSA-9m95-x9fm-78hh",
"modified": "2024-08-29T15:30:30Z",
"published": "2024-02-16T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22425"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000222133/dsa-2024-092-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000228154/dsa-2024-369-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.