
CWE-287

Improper Authentication

Abstraction: Class · Exploit likelihood: High

What it is

When an actor claims to have a given identity, the product does not prove, or insufficiently proves, that the claim is correct.

Impact

Scope: Integrity, Confidentiality, Availability, Access Control
Technical impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands

Mitigations

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Real-world CVE examples

  • CVE-2024-11680 — File-sharing PHP product does not check if user is logged in during requests for PHP library files under an includes/ directory, allowing configuration changes,
  • CVE-2022-35248 — Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
  • CVE-2022-36436 — Python-based authentication proxy does not enforce password authentication during the initial handshake, allowing the client to bypass authentication by specify
  • CVE-2022-30034 — Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).
  • CVE-2022-29951 — TCP-based protocol in Programmable Logic Controller (PLC) has no authentication.
  • CVE-2022-29952 — Condition Monitor uses a protocol that does not require authentication.
  • CVE-2022-30313 — Safety Instrumented System uses proprietary TCP protocols with no authentication.
  • CVE-2022-30317 — Distributed Control System (DCS) uses a protocol that has no authentication.
  • CVE-2022-33139 — SCADA system only uses client-side authentication, allowing adversaries to impersonate other users.
  • CVE-2021-3116 — Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if a
  • CVE-2021-21972 — Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences
  • CVE-2021-37415 — IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.

Source: MITRE CWE. View on cwe.mitre.org →