A07:2025 Authentication Failures
Identity verification can be bypassed, brute-forced, or hijacked: credential stuffing, weak password-reset flows, and session-management mistakes.
Member CWEs (36)
- CWE-258 Empty Password in Configuration File
- CWE-259 Use of Hard-coded Password
- CWE-287 Improper Authentication
- CWE-288 Authentication Bypass Using an Alternate Path or Channel
- CWE-289 Authentication Bypass by Alternate Name
- CWE-290 Authentication Bypass by Spoofing
- CWE-291 Reliance on IP Address for Authentication
- CWE-293 Using Referer Field for Authentication
- CWE-294 Authentication Bypass by Capture-replay
- CWE-295 Improper Certificate Validation
- CWE-297 Improper Validation of Certificate with Host Mismatch
- CWE-298 Improper Validation of Certificate Expiration
- CWE-299 Improper Check for Certificate Revocation
- CWE-300 Channel Accessible by Non-Endpoint
- CWE-302 Authentication Bypass by Assumed-Immutable Data
- CWE-303 Incorrect Implementation of Authentication Algorithm
- CWE-304 Missing Critical Step in Authentication
- CWE-305 Authentication Bypass by Primary Weakness
- CWE-306 Missing Authentication for Critical Function
- CWE-307 Improper Restriction of Excessive Authentication Attempts
- CWE-308 Use of Single-factor Authentication
- CWE-309 Use of Password System for Primary Authentication
- CWE-346 Origin Validation Error
- CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
- CWE-384 Session Fixation
- CWE-521 Weak Password Requirements
- CWE-613 Insufficient Session Expiration
- CWE-620 Unverified Password Change
- CWE-640 Weak Password Recovery Mechanism for Forgotten Password
- CWE-798 Use of Hard-coded Credentials
- CWE-940 Improper Verification of Source of a Communication Channel
- CWE-941 Incorrectly Specified Destination in a Communication Channel
- CWE-1390 Weak Authentication
- CWE-1391 Use of Weak Credentials
- CWE-1392 Use of Default Credentials
- CWE-1393 Use of Default Password
Mapped NIST 800-53 r5 controls (4)
Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Tagged CVEs (showing 50 most recent of 14,439)
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1442).