A07:2025 Authentication Failures

OWASP Top 10:2025 · Back to the list

Identity verification can be bypassed, brute-forced, or hijacked. Credential stuffing, weak password reset flows, session-management mistakes.

Member CWEs (36)

• CWE-258 Empty Password in Configuration File
• CWE-259 Use of Hard-coded Password
• CWE-287 Improper Authentication
• CWE-288 Authentication Bypass Using an Alternate Path or Channel
• CWE-289 Authentication Bypass by Alternate Name
• CWE-290 Authentication Bypass by Spoofing
• CWE-291 Reliance on IP Address for Authentication
• CWE-293 Using Referer Field for Authentication
• CWE-294 Authentication Bypass by Capture-replay
• CWE-295 Improper Certificate Validation
• CWE-297 Improper Validation of Certificate with Host Mismatch
• CWE-298 Improper Validation of Certificate Expiration
• CWE-299 Improper Check for Certificate Revocation
• CWE-300 Channel Accessible by Non-Endpoint
• CWE-302 Authentication Bypass by Assumed-Immutable Data
• CWE-303 Incorrect Implementation of Authentication Algorithm
• CWE-304 Missing Critical Step in Authentication
• CWE-305 Authentication Bypass by Primary Weakness
• CWE-306 Missing Authentication for Critical Function
• CWE-307 Improper Restriction of Excessive Authentication Attempts
• CWE-308 Use of Single-factor Authentication
• CWE-309 Use of Password System for Primary Authentication
• CWE-346 Origin Validation Error
• CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
• CWE-384 Session Fixation
• CWE-521 Weak Password Requirements
• CWE-613 Insufficient Session Expiration
• CWE-620 Unverified Password Change
• CWE-640 Weak Password Recovery Mechanism for Forgotten Password
• CWE-798 Use of Hard-coded Credentials
• CWE-940 Improper Verification of Source of a Communication Channel
• CWE-941 Incorrectly Specified Destination in a Communication Channel
• CWE-1390 Weak Authentication
• CWE-1391 Use of Weak Credentials
• CWE-1392 Use of Default Credentials
• CWE-1393 Use of Default Password

Tagged CVEs (showing 50 most recent of 13,669)

• CVE-2026-9152
• CVE-2026-9141
• CVE-2026-9139
• CVE-2026-9084
• CVE-2026-8971
• CVE-2026-8963
• CVE-2026-8961
• CVE-2026-8960
• CVE-2026-8951
• CVE-2026-8950
• CVE-2026-8922
• CVE-2026-8737
• CVE-2026-8706
• CVE-2026-8621
• CVE-2026-8605
• CVE-2026-8602
• CVE-2026-8598
• CVE-2026-8367
• CVE-2026-8321
• CVE-2026-8305
• CVE-2026-8244
• CVE-2026-8216
• CVE-2026-8214
• CVE-2026-8185
• CVE-2026-8181
• CVE-2026-8076
• CVE-2026-8032
• CVE-2026-8031
• CVE-2026-7986
• CVE-2026-7979
• CVE-2026-7844
• CVE-2026-7821
• CVE-2026-7820
• CVE-2026-7723
• CVE-2026-7722
• CVE-2026-7714
• CVE-2026-7710
• CVE-2026-7679
• CVE-2026-7671
• CVE-2026-7652
• CVE-2026-7643
• CVE-2026-7630
• CVE-2026-7581
• CVE-2026-7579
• CVE-2026-7567
• CVE-2026-7554
• CVE-2026-7507
• CVE-2026-7458
• CVE-2026-7439
• CVE-2026-7428

Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1442).