CWE-1390
Allowed-with-ReviewWeak Authentication
Abstraction: Class · Status: Incomplete
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
155 vulnerabilities reference this CWE, most recent first.
GHSA-JM7R-G967-8PCH
Vulnerability from github – Published: 2026-01-28 09:30 – Updated: 2026-01-28 09:30SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.
{
"affected": [],
"aliases": [
"CVE-2025-40554"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T08:16:02Z",
"severity": "CRITICAL"
},
"details": "SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.",
"id": "GHSA-jm7r-g967-8pch",
"modified": "2026-01-28T09:30:31Z",
"published": "2026-01-28T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40554"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPF4-6GR7-RH8Q
Vulnerability from github – Published: 2026-01-28 09:30 – Updated: 2026-02-26 21:31SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
{
"affected": [],
"aliases": [
"CVE-2025-40552"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T08:16:02Z",
"severity": "CRITICAL"
},
"details": "SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.",
"id": "GHSA-jpf4-6gr7-rh8q",
"modified": "2026-02-26T21:31:27Z",
"published": "2026-01-28T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40552"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm"
},
{
"type": "WEB",
"url": "https://github.com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553/blob/main/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQFH-6JJG-67XG
Vulnerability from github – Published: 2025-07-08 15:32 – Updated: 2025-07-22 18:30Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
{
"affected": [],
"aliases": [
"CVE-2025-7326"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T15:15:34Z",
"severity": "HIGH"
},
"details": "Weak authentication in EOL\u00a0ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.\n\nNOTE: This CVE affects only End Of Life (EOL)\u00a0software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.",
"id": "GHSA-jqfh-6jjg-67xg",
"modified": "2025-07-22T18:30:36Z",
"published": "2025-07-08T15:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7326"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24070"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24070"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-24070"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-7326"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-7326?nes-for-.net"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV5C-8JGX-C489
Vulnerability from github – Published: 2024-09-10 21:31 – Updated: 2024-09-10 21:31Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.
{
"affected": [],
"aliases": [
"CVE-2024-8322"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T21:15:15Z",
"severity": "MODERATE"
},
"details": "Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.",
"id": "GHSA-jv5c-8jgx-c489",
"modified": "2024-09-10T21:31:40Z",
"published": "2024-09-10T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8322"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MCFQ-F994-8HQG
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 21:31A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information.
We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later
{
"affected": [],
"aliases": [
"CVE-2025-57713"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:56Z",
"severity": "LOW"
},
"details": "A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.5166 and later",
"id": "GHSA-mcfq-f994-8hqg",
"modified": "2026-02-12T21:31:25Z",
"published": "2026-02-11T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57713"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P2RJ-QGFH-H8M9
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30Active Directory Certificate Services Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49019"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:41Z",
"severity": "HIGH"
},
"details": "Active Directory Certificate Services Elevation of Privilege Vulnerability",
"id": "GHSA-p2rj-qgfh-h8m9",
"modified": "2024-11-12T18:30:59Z",
"published": "2024-11-12T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49019"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P89H-P4PH-4VJ6
Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-16 14:49In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:wso2id-oauth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47889"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-16T14:49:27Z",
"nvd_published_at": "2025-05-14T21:15:59Z",
"severity": "HIGH"
},
"details": "In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the \"WSO2 Oauth\" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.",
"id": "GHSA-p89h-p4ph-4vj6",
"modified": "2025-05-16T14:49:27Z",
"published": "2025-05-14T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47889"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials"
}
GHSA-PWH8-58VV-VW48
Vulnerability from github – Published: 2023-09-15 13:36 – Updated: 2024-09-10 17:15If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated.
So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService.
Impact
This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users.
Original Report
working on a custom OpenIdAuthenticator, I discovered the following:
https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505
In the case where the LoginService does return that the authentication has been revoked (from the validate() call on line 463), the OpenIdAuthenticator removes the authentication from the session; however the current request still proceeds as if authenticated, since it falls through to "return authentication" on line 505.
This is fixed by moving the line 505 (and associated debug log) inside the else block that ends on line 502, instead of outside it. Then the revocation case will run through to line 517 and will trigger a new OpenId authentication which I think is correct.
I think this revocation can only occur if you do attach a separate LoginService to the OpenIdLoginService, but in that case the revoked authentication will still let the next request through (and possibly more than one if they are very close to simultaneous).
Technically I think this is a security vulnerability, if a very minor one, so I'm sending this off-list.
Patched Versions
Fixed in Jetty Versions: * 9.4.52 - fixed in PR https://github.com/eclipse/jetty.project/pull/9660 * 10.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528 * 11.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528 * 12.0.0 - not impacted (already has fix)
Workaround
Upgrade your version of Jetty.
References
- https://github.com/eclipse/jetty.project/pull/9528
- https://github.com/eclipse/jetty.project/pull/9660
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.4.51"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-openid"
},
"ranges": [
{
"events": [
{
"introduced": "9.4.21"
},
{
"fixed": "9.4.52.v20230823"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.15"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-openid"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.15"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-openid"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41900"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-15T13:36:10Z",
"nvd_published_at": "2023-09-15T21:15:11Z",
"severity": "LOW"
},
"details": "If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. \n\nSo a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`.\n\n### Impact\nThis impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users.\n\n### Original Report\n\u003e working on a custom OpenIdAuthenticator, I discovered the following:\n\u003e \n\u003e https://github.com/eclipse/jetty.project/blob/jetty-10.0.14/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java#L505\n\u003e \n\u003e In the case where the LoginService does return that the authentication has been revoked (from the validate() call on line 463), the OpenIdAuthenticator removes the authentication from the session; however the current request still proceeds as if authenticated, since it falls through to \"return authentication\" on line 505.\n\u003e \n\u003e This is fixed by moving the line 505 (and associated debug log) inside the else block that ends on line 502, instead of outside it. Then the revocation case will run through to line 517 and will trigger a new OpenId authentication which I think is correct.\n\u003e \n\u003e I think this revocation can only occur if you do attach a separate LoginService to the OpenIdLoginService, but in that case the revoked authentication will still let the next request through (and possibly more than one if they are very close to simultaneous).\n\u003e \n\u003e Technically I think this is a security vulnerability, if a very minor one, so I\u0027m sending this off-list.\n\n### Patched Versions\n\nFixed in Jetty Versions:\n* 9.4.52 - fixed in PR https://github.com/eclipse/jetty.project/pull/9660\n* 10.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528\n* 11.0.16 - fixed in PR https://github.com/eclipse/jetty.project/pull/9528\n* 12.0.0 - not impacted (already has fix)\n\n### Workaround\nUpgrade your version of Jetty.\n\n### References\n* https://github.com/eclipse/jetty.project/pull/9528\n* https://github.com/eclipse/jetty.project/pull/9660",
"id": "GHSA-pwh8-58vv-vw48",
"modified": "2024-09-10T17:15:25Z",
"published": "2023-09-15T13:36:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-pwh8-58vv-vw48"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41900"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/jetty.project/pull/9528"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/jetty.project/pull/9660"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse/jetty.project"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231110-0004"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5507"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jetty\u0027s OpenId Revoked authentication allows one request"
}
GHSA-PWJV-G8J5-52FJ
Vulnerability from github – Published: 2025-11-12 09:30 – Updated: 2025-11-12 18:31The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2025-12871"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T08:15:41Z",
"severity": "CRITICAL"
},
"details": "The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges.",
"id": "GHSA-pwjv-g8j5-52fj",
"modified": "2025-11-12T18:31:24Z",
"published": "2025-11-12T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12871"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/b97e8337-6b0c-43e8-8e8c-187b7c0e13c2"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10487-12a32-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10486-a3459-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PXQC-MXCR-VH66
Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.
{
"affected": [],
"aliases": [
"CVE-2025-30468"
],
"database_specific": {
"cwe_ids": [
"CWE-1390"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T23:15:29Z",
"severity": "MODERATE"
},
"details": "This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.",
"id": "GHSA-pxqc-mxcr-vh66",
"modified": "2025-11-03T21:34:28Z",
"published": "2025-09-16T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30468"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125108"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/49"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.