CWE-306 2531 個 CVE MITRE 定義 ↗

CWE-306:Missing Authentication for Critical Function

概覽

CWE-306(Missing Authentication for Critical Function)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Cloud Computing Undetermined
technology ICS/OT Often

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-16015 2026-07-17 A vulnerability was determined in poco-ai poco-claw up to 0.5.4. This vulnerability affects the function create_task of the file executor_manager/app/api/v1/tasks.py of the component executor_manager …
CVE-2026-62241 2026-07-16 clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and ships it as the default in .env.example. Because GET /api/v1/sca…
CVE-2026-6511 2026-07-16 During an internal security assessment, a potential improper access control vulnerability was discovered in Lenovo Smart Connect for Windows that could allow a local authenticated user to access files…
CVE-2026-63087 2026-07-16 Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install …
CVE-2026-57206 2026-07-16 SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app…
CVE-2026-45695 2026-07-16 Kopia is a cross-platform backup tool for Windows, macOS, and Linux with fast incremental backups, client-side end-to-end encryption, compression, and data deduplication. Prior to 0.23.0, Kopia's HTTP…
CVE-2026-46339 2026-07-15 9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlugi…
CVE-2026-58658 2026-07-15 GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify wo…
CVE-2026-53512 2026-07-15 Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates…
CVE-2026-61613 2026-07-15 Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from i…
CVE-2026-48325 2026-07-14 ColdFusion is affected by a Missing Authentication for Critical Function vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does…
CVE-2026-24259 2026-07-14 NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critical function. A successful exploit of this vulnerability might lead to code execu…
CVE-2026-24229 2026-07-14 NVIDIA TensorRT-LLM for Linux contains a vulnerability in the disaggregated orchestrator component, where an attacker could read, write, or delete internal cluster state by sending requests to the Fas…
CVE-2026-48252 2026-07-14 Adobe Experience Manager is affected by a Missing Authentication for Critical Function vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to by…
CVE-2026-47212 2026-07-14 Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, TwilioRequestParser::doParse() received the configured webhook se…
CVE-2026-45755 2026-07-14 Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse() received the configured webhook secret bu…
CVE-2026-45754 2026-07-14 Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parse…
CVE-2026-50451 2026-07-14 Missing authentication for critical function in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.
CVE-2026-50444 2026-07-14 Missing authentication for critical function in Windows Server Update Service allows an authorized attacker to elevate privileges over a network.
CVE-2026-57969 2026-07-14 Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

曾用名

  • No Authentication for Critical Function (2010-02-16)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Relationship_Notes, Taxonomy_Mappings
2010-02-16 CWE Content Team 1.8 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Potential_Mitigations, References
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships
2012-05-11 CWE Content Team 2.2 updated Potential_Mitigations, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Detection_Factors, Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
2019-01-03 CWE Content Team 3.2 updated Related_Attack_Patterns
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Type
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2021-07-20 CWE Content Team 4.5 updated Observed_Examples, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships
2023-01-31 CWE Content Team 4.10 updated Related_Attack_Patterns, Relationships
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Taxonomy_Mappings
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2024-02-29 CWE Content Team 4.14 updated Observed_Examples
2024-07-16 CWE Content Team 4.15 updated Common_Consequences, Description, Diagram, Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction
2024-11-19 CWE Content Team 4.16 updated Relationships
2025-04-03 CWE Content Team 4.17 updated Observed_Examples
2025-09-09 CWE Content Team 4.18 updated Detection_Factors, References
2025-12-11 CWE Content Team 4.19 updated Relationships, Weakness_Ordinalities

貢獻

類型 名稱 日期 評論
Content "Mapping CWE to 62443" Sub-Working Group 2023-04-25 Suggested mappings to ISA/IEC 62443.
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence