Home/CWE/Weak Authentication
Weakness

Weak Authentication

CWE-1390 · Class · Incomplete

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

Extended description

Attackers may be able to bypass weak authentication faster and/or with less effort than expected.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-287 · Improper Authentication
Children (more specific)
ParentOfCWE-1391 · Use of Weak Credentials
ParentOfCWE-262 · Not Using Password Aging
ParentOfCWE-263 · Password Aging with Long Expiration
ParentOfCWE-289 · Authentication Bypass by Alternate Name
ParentOfCWE-290 · Authentication Bypass by Spoofing
ParentOfCWE-294 · Authentication Bypass by Capture-replay
ParentOfCWE-301 · Reflection Attack in an Authentication Protocol
ParentOfCWE-302 · Authentication Bypass by Assumed-Immutable Data
ParentOfCWE-303 · Incorrect Implementation of Authentication Algorithm
ParentOfCWE-305 · Authentication Bypass by Primary Weakness
ParentOfCWE-307 · Improper Restriction of Excessive Authentication Attempts
ParentOfCWE-308 · Use of Single-factor Authentication
ParentOfCWE-309 · Use of Password System for Primary Authentication
ParentOfCWE-41 · Improper Resolution of Path Equivalence
ParentOfCWE-522 · Insufficiently Protected Credentials
ParentOfCWE-593 · Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
ParentOfCWE-603 · Use of Client-Side Authentication
ParentOfCWE-620 · Unverified Password Change
ParentOfCWE-640 · Weak Password Recovery Mechanism for Forgotten Password
ParentOfCWE-804 · Guessable CAPTCHA
ParentOfCWE-836 · Use of Password Hash Instead of Password for Authentication

CVEs With This Weakness

76
A sample of the 76 CVEs tagged with this weakness.
CVECVE-2026-6886
CVECVE-2026-4924
CVECVE-2026-4828
CVECVE-2026-40417
CVECVE-2026-32497
CVECVE-2026-28710
CVECVE-2026-27478
CVECVE-2026-1693
CVECVE-2026-0204
CVECVE-2025-7326
CVECVE-2025-70994
CVECVE-2025-63807

Nuclei Scanner Templates

2
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalSolarWinds Web Help Desk - Authentication Bypass
criticalSolarWinds Web Help Desk - Authentication Bypass
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin