CWE · MITRE source
CWE-288: Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (6)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-10 | Adaptive Authentication | IA | Adaptive requirements can apply across access paths, reducing the ability to bypass authentication via alternate channels or paths. |
| IA-13 | Identity Providers and Authorization Servers | IA | Centralized IdPs close alternate authentication paths that enable bypass. |
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Enforces authentication for non-organizational users, making it harder to bypass via alternate paths or channels. |
| AC-17 | Remote Access | AC | Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels. |
| AC-9 | Previous Logon Notification | AC | Users can identify logons via alternate paths or channels by reviewing the previous logon time. |
| SC-11 | Trusted Path | SC | Requires authentication to occur exclusively over the isolated trusted path, directly preventing bypass via alternate or untrusted channels. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-1709 KEV | 9.7 | 10.0 | 0.9432 | 2024-02-21 |
| CVE-2020-10148 KEV | 9.6 | 9.8 | 0.9435 | 2020-12-29 |
| CVE-2023-46747 KEV | 9.6 | 9.8 | 0.9444 | 2023-10-26 |
| CVE-2024-55591 KEV | 9.6 | 9.8 | 0.9406 | 2025-01-14 |
| CVE-2023-42793 KEV | 9.5 | 9.8 | 0.9291 | 2023-09-19 |
| CVE-2024-27198 KEV | 9.5 | 9.8 | 0.9305 | 2024-03-04 |
| CVE-2025-2747 KEV | 9.4 | 9.8 | 0.9126 | 2025-03-24 |
| CVE-2025-2746 KEV | 9.3 | 9.8 | 0.8973 | 2025-03-24 |
| CVE-2026-23760 KEV | 8.8 | 9.8 | 0.7994 | 2026-01-22 |
| CVE-2025-57819 KEV | 8.6 | 9.8 | 0.7673 | 2025-08-28 |
| CVE-2025-4427 KEV | 8.5 | 5.3 | 0.9126 | 2025-05-13 |
| CVE-2025-34026 KEV | 7.8 | 7.5 | 0.7108 | 2025-05-21 |
| CVE-2024-10924 | 7.6 | 9.8 | 0.9389 | 2024-11-15 |
| CVE-2023-2986 | 7.5 | 9.8 | 0.9171 | 2023-06-08 |
| CVE-2024-9989 | 7.5 | 9.8 | 0.9261 | 2024-10-29 |
| CVE-2023-2732 | 7.4 | 9.8 | 0.9033 | 2023-05-25 |
| CVE-2020-27866 | 7.2 | 8.8 | 0.9078 | 2021-02-12 |
| CVE-2026-1603 KEV | 7.1 | 8.6 | 0.5587 | 2026-02-10 |
| CVE-2024-50477 | 6.9 | 9.8 | 0.8223 | 2024-10-28 |
| CVE-2022-25369 | 6.8 | 9.8 | 0.8014 | 2026-01-23 |
| CVE-2023-2437 | 6.6 | 9.8 | 0.7679 | 2023-11-22 |
| CVE-2024-10081 | 6.4 | 10.0 | 0.7391 | 2024-11-06 |
| CVE-2024-23917 | 6.3 | 9.8 | 0.7292 | 2024-02-06 |
| CVE-2023-2982 | 6.2 | 9.8 | 0.7012 | 2023-06-29 |
| CVE-2024-7314 | 6.2 | 9.8 | 0.7010 | 2024-08-02 |