CWE · MITRE source
CWE-304: Missing Critical Step in Authentication
The product implements an authentication technique, but it skips a step that weakens the technique.
Authentication techniques should follow the algorithms that define them exactly; skipping a step means authentication can be bypassed outright or becomes much easier to brute-force.
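As an added illustration (not MITRE's text and not code from any product listed on this page), the toy HMAC challenge-response login below makes the "missing step" concrete. The protocol has three steps: the server issues a fresh nonce, the client returns HMAC(key, nonce), and the server checks the proof and that the nonce is one it issued and has not been consumed. The `enforce_nonce_step` flag, the user name, the password and the candidate list are all constructed for the example; the single SHA-256 stands in for a real password KDF so the block runs offline.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def derive_key(password: str) -> bytes:
    # Constructed simplification: a real system would use a salted KDF
    # (scrypt/Argon2). One SHA-256 keeps this example dependency-free.
    return hashlib.sha256(password.encode()).digest()


def client_proof(password: str, nonce_hex: str) -> str:
    # Step 2: the client proves it knows the password by MAC-ing the challenge.
    return hmac.new(derive_key(password), bytes.fromhex(nonce_hex), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Toy challenge-response verifier (hypothetical, not a real protocol).

    enforce_nonce_step=True  -> all three steps are performed (correct).
    enforce_nonce_step=False -> step 3's "nonce was issued and unused" check is
    skipped, which is the CWE-304 condition: the proof math is right, but
    omitting one step lets a captured (nonce, proof) pair be replayed forever.
    """

    def __init__(self, users: dict[str, str], enforce_nonce_step: bool = True) -> None:
        self._keys = {user: derive_key(pw) for user, pw in users.items()}
        self._outstanding: dict[str, set[str]] = {}  # user -> unused nonces
        self._enforce_nonce_step = enforce_nonce_step

    def issue_challenge(self, user: str) -> str:
        # Step 1: fresh random challenge, remembered per user.
        nonce = secrets.token_hex(16)
        self._outstanding.setdefault(user, set()).add(nonce)
        return nonce

    def verify(self, user: str, nonce_hex: str, proof_hex: str) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        if self._enforce_nonce_step:
            issued = self._outstanding.get(user, set())
            if nonce_hex not in issued:
                return False            # unknown, expired, or already-used challenge
            issued.discard(nonce_hex)   # single use: consume before checking the proof
        try:
            challenge = bytes.fromhex(nonce_hex)
        except ValueError:
            return False                # malformed attacker-supplied nonce
        expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof_hex)


def replay_demo(enforce_nonce_step: bool) -> tuple[bool, bool]:
    """Legitimate login, then an attacker replaying the captured (nonce, proof)."""
    server = ChallengeResponseServer({"alice": "correct horse"}, enforce_nonce_step)
    nonce = server.issue_challenge("alice")
    proof = client_proof("correct horse", nonce)   # observed on the wire
    first = server.verify("alice", nonce, proof)
    replayed = server.verify("alice", nonce, proof)
    return first, replayed


def online_guessing_demo(enforce_nonce_step: bool, candidates: list[str]) -> str | None:
    """Attacker obtains ONE challenge and tries many passwords against it.

    With the nonce step enforced the first wrong guess burns the challenge,
    so every later guess fails regardless of the password; with it skipped the
    same challenge accepts unlimited guesses and the password is recovered.
    """
    server = ChallengeResponseServer({"alice": "correct horse"}, enforce_nonce_step)
    nonce = server.issue_challenge("alice")
    for candidate in candidates:
        if server.verify("alice", nonce, client_proof(candidate, nonce)):
            return candidate
    return None


if __name__ == "__main__":
    print("replay, correct server  :", replay_demo(True))
    print("replay, step skipped    :", replay_demo(False))
    wordlist = ["password", "hunter2", "correct horse"]
    print("guessing, correct server:", online_guessing_demo(True, wordlist))
    print("guessing, step skipped  :", online_guessing_demo(False, wordlist))
```

Consuming the nonce before the proof is compared is deliberate: it ties the number of password guesses to the number of challenges the server chooses to hand out, which is where rate limiting and lockout can be applied. Skipping that single step does not break the HMAC at all, yet it turns the scheme into one that is both replayable and freely brute-forceable, which is exactly the failure mode this CWE describes.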
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 6 mapping(s) from 5 framework(s): STIG RHEL 7: 2 (mostly) · OWASP-Web: 1 (full) · STIG Ubuntu 22.04: 1 (mostly) · ASVS 5.0: 1 (partial) · ATT&CK: 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (1) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-2302 | 7.0 | 9.8 | 0.0159 | 2022-07-11 |
| CVE-2024-2172 (UPD) | 7.0 | 9.8 | 0.0171 | 2024-03-13 |
| CVE-2024-45764 | 7.0 | 9.0 | 0.0052 | 2024-11-08 |
| CVE-2024-8954 | 7.0 | 9.8 | 0.0082 | 2025-03-20 |
| CVE-2026-30831 | 7.0 | 9.8 | 0.0033 | 2026-03-06 |
| CVE-2026-44547 (UPD) | 7.0 | 9.6 | 0.0021 | 2026-05-12 |
| CVE-2019-16766 | 5.5 | 8.7 | 0.0116 | 2019-11-29 |
| CVE-2022-1065 | 5.5 | 8.1 | 0.0276 | 2022-04-19 |
| CVE-2022-2821 | 5.5 | 7.5 | 0.0112 | 2022-08-15 |
| CVE-2022-40622 | 5.5 | 8.8 | 0.0070 | 2022-09-13 |
| CVE-2023-22833 | 5.5 | 7.6 | 0.0041 | 2023-06-06 |
| CVE-2023-52424 | 5.5 | 7.4 | 0.0072 | 2024-05-17 |
| CVE-2024-20153 | 5.5 | 7.5 | 0.0032 | 2025-01-06 |
| CVE-2024-11302 | 5.5 | 8.0 | 0.0022 | 2025-03-20 |
| CVE-2024-12048 | 5.5 | 8.8 | 0.0069 | 2025-03-20 |
| CVE-2024-9216 | 5.5 | 8.1 | 0.0058 | 2025-03-20 |
| CVE-2024-52965 (UPD) | 5.5 | 7.2 | 0.0025 | 2025-07-08 |
| CVE-2025-55138 (UPD) | 5.5 | 7.4 | 0.0029 | 2025-08-07 |
| CVE-2025-24322 (UPD) | 5.5 | 8.1 | 0.0054 | 2025-08-20 |
| CVE-2026-40542 (UPD) | 5.5 | 7.3 | 0.0046 | 2026-04-22 |
| CVE-2026-42452 (UPD) | 5.5 | 8.1 | 0.0031 | 2026-05-08 |
| CVE-2026-57915 | 5.5 | 7.3 | 0.0032 | 2026-06-26 |
| CVE-2026-55957 | 5.5 | 7.3 | 0.0043 | 2026-06-29 |
| CVE-2011-3172 | 3.5 | 5.4 | 0.0103 | 2018-06-08 |
| CVE-2021-41179 | 3.5 | 6.5 | 0.0116 | 2021-10-25 |