Cyber Resilience

CWE · MITRE source

CWE-306: Missing Authentication for Critical Function

Abstraction: Base · CVEs in our corpus: 2,466

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 16 mapping(s) from 7 framework(s): CAPEC 4 (partial) · ASVS 5.0 3 (mostly) · STIG rhel 8 2 (full) · STIG rhel 7 2 (mostly) · STIG oracle linux 8 2 (partial) · ATT&CK 2 (partial) · OWASP-Web 1 (full)


OWASP Top 10 for Web (2025)

This weakness contributes to A07:2025 Authentication Failures.

NIST 800-53 r5 controls that address this weakness (43)

The 15 most specific controls are listed first. The remaining 28 controls, which apply broadly to many weakness types, follow below.

Control · Title · Family · Why it addresses this CWE
IA-1 · Policy and Procedures · IA · The policy mandates identification and authentication for critical functions, making missing authentication less likely.
IA-10 · Adaptive Authentication · IA · Mandates additional authentication for access under defined conditions, ensuring critical or high-risk functions are not left without authentication.
IA-11 · Re-authentication · IA · Re-authentication enforces fresh credential validation for critical functions or operations as defined by the organization parameter.
SA-14 · Criticality Analysis · SA · Explicit identification of critical functions enables organizations to ensure authentication is applied exactly where it is most needed, preventing missing authentication for those functions.
SA-16 · Developer-provided Training · SA · Training emphasizes enabling and properly using authentication for critical functions, reducing missing authentication exposures.
SA-17 · Developer Security and Privacy Architecture and Design · SA · Demands a complete description of required security functionality, making omission of authentication for critical functions far less likely.
SC-14 · Public Access Protections · SC · Requires authentication gates on critical functions that must remain unavailable to anonymous public users.
SC-15 · Collaborative Computing Devices and Applications · SC · Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.
SC-19 · Voice Over Internet Protocol · SC · Requiring authorization before VoIP deployment prevents critical VoIP functions (registration, call setup) from lacking authentication.
AC-11 · Device Lock · AC · Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
AC-14 · Permitted Actions Without Identification or Authentication · AC · Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected, by forcing review of authentication requirements.
AC-19 · Access Control for Mobile Devices · AC · Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
PE-10 · Emergency Shutoff · PE · The shutoff is a critical function, and the control ensures it cannot be activated without proper (physical) authentication.
PE-3 · Physical Access Control · PE · Requires verification of individual access authorizations before granting facility entry, addressing missing authentication for critical physical access.
PE-7 · Visitor Control · PE · Implements authentication steps (ID checks, sign-in, escort verification) for physical access to critical functions or locations.
The remaining 28 broadly-applicable controls:
IA-13 · Identity Providers and Authorization Servers · IA · Identity providers mandate authentication for functions that would otherwise lack it.
IA-2 · Identification and Authentication (Organizational Users) · IA · Mandates authentication for organizational users and their associated processes, eliminating missing authentication for critical functions.
IA-3 · Device Identification and Authentication · IA · Requires authentication of devices prior to connection, preventing exploitation of missing authentication for critical network functions.
IA-7 · Cryptographic Module Authentication · IA · Mandates authentication for the critical function of accessing or using a cryptographic module.
IA-8 · Identification and Authentication (Non-organizational Users) · IA · Requires authentication for non-organizational users, preventing access to critical functions without proper identification and authentication.
IA-9 · Service Identification and Authentication · IA · Mandates authentication prior to establishing communications with services, preventing missing authentication for this critical function.
SA-5 · System Documentation · SA · Secure configuration documentation explicitly addresses enabling authentication for critical functions, reducing missing authentication exposures.
SA-8 · Security and Privacy Engineering Principles · SA · The complete-mediation principle requires authentication for critical functions.
SA-9 · External System Services · SA · Mandating that external services employ specified authentication controls and ongoing compliance monitoring makes missing authentication for critical functions harder to overlook or exploit.
SC-26 · Decoys · SC · Decoy implementations of critical functions without authentication lure and record attackers probing for missing auth checks.
SC-43 · Usage Restrictions · SC · Requiring authorization for listed components ensures authentication occurs before critical functions are invoked.
SC-7 · Boundary Protection · SC · Public components are isolated in separate subnetworks and critical internal functions are reachable only via controlled interfaces.
AC-25 · Reference Monitor · AC · Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
PL-11 · Baseline Tailoring · PL · Tailoring determines which functions require authentication and selects the appropriate baseline or compensating authentication controls.
PL-4 · Rules of Behavior · PL · Rules require authentication prior to system or function access, making missing authentication for critical functions harder to ignore or bypass.
PL-8 · Security and Privacy Architectures · PL · The control requires architectures to identify and protect critical functions, including mandatory authentication for those functions.
RA-3 · Risk Assessment · RA · Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.
RA-5 · Vulnerability Monitoring and Scanning · RA · Tools routinely check for missing authentication on critical functions and exposed interfaces.
RA-9 · Criticality Analysis · RA · Explicit identification of critical functions enables targeted authentication requirements, preventing missing authentication for those functions.
CA-2 · Control Assessments · CA · The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
CA-4 · Security Certification · CA · Certification assesses that critical functions have required authentication controls in place.
PM-5 · System Inventory · PM · Knowing every system allows confirmation that critical functions are not left without required authentication mechanisms.
PM-8 · Critical Infrastructure Plan · PM · Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.
AU-14 · Session Audit · AU · Auditing sessions makes it possible to detect access to critical functions without required authentication.
CM-7 · Least Functionality · CM · Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.
MA-4 · Nonlocal Maintenance · MA · Mandating authentication for nonlocal maintenance addresses missing authentication for this critical function.
PS-1 · Policy and Procedures · PS · Policy mandates authentication and authorization for critical functions, ensuring these controls are not omitted for personnel-managed resources.
SI-9 · Information Input Restrictions · SI · Ensures critical input functions cannot be reached without prior authorization.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE · Risk · CVSS · EPSS · Published
CVE-2010-5326 (KEV) · 10.0 · 10.0 · 0.1745 · 2016-05-13
CVE-2017-10271 (KEV) · 10.0 · 7.5 · 0.9999 · 2017-10-19
CVE-2019-9082 (KEV) · 10.0 · 8.8 · 0.9742 · 2019-02-24
CVE-2020-6207 (KEV) · 10.0 · 9.8 · 0.9838 · 2020-03-10
CVE-2020-3952 (KEV) · 10.0 · 9.8 · 0.9038 · 2020-04-10
CVE-2020-6287 (KEV) · 10.0 · 10.0 · 0.9472 · 2020-07-14
CVE-2019-5591 (KEV) · 10.0 · 6.5 · 0.1857 · 2020-08-14
CVE-2020-24363 (KEV) · 10.0 · 8.8 · 0.2069 · 2020-08-31
CVE-2020-13927 (KEV) · 10.0 · 9.8 · 0.9970 · 2020-11-10
CVE-2020-10148 (KEV) · 10.0 · 9.8 · 0.9198 · 2020-12-29
CVE-2021-39144 (KEV) · 10.0 · 8.5 · 0.9812 · 2021-08-23
CVE-2021-37415 (KEV) · 10.0 · 9.8 · 0.9985 · 2021-09-01
CVE-2021-44077 (KEV) · 10.0 · 9.8 · 0.9351 · 2021-11-29
CVE-2022-23227 (KEV) · 10.0 · 9.8 · 0.4943 · 2022-01-14
CVE-2021-35587 (KEV) · 10.0 · 9.8 · 0.9628 · 2022-01-19
CVE-2022-26143 (KEV) · 10.0 · 9.8 · 0.8757 · 2022-03-10
CVE-2022-26501 (KEV) · 10.0 · 9.8 · 0.0428 · 2022-03-17
CVE-2022-1388 (KEV) · 10.0 · 9.8 · 0.9996 · 2022-05-05
CVE-2022-26925 (KEV) · 10.0 · 8.1 · 0.0982 · 2022-05-10
CVE-2022-21587 (KEV) · 10.0 · 9.8 · 0.9834 · 2022-10-18
CVE-2023-21839 (KEV) · 10.0 · 7.5 · 0.9981 · 2023-01-18
CVE-2022-24990 (KEV) · 10.0 · 7.5 · 0.8405 · 2023-02-07
CVE-2023-27532 (KEV) · 10.0 · 7.5 · 0.7761 · 2023-03-10
CVE-2023-28461 (KEV) · 10.0 · 9.8 · 0.6764 · 2023-03-15
CVE-2023-36846 (KEV) · 10.0 · 5.3 · 0.9421 · 2023-08-17