CWE-290 使用欺骗进行的认证绕过 类弱点 267 条 CVE 漏洞汇总,含 AI 中文分析。
CWE-290 是一种身份验证绕过漏洞,源于身份验证机制实现不当,易受欺骗攻击。攻击者通常通过伪造或篡改身份标识(如IP地址、证书或令牌),使系统误认其为合法用户从而获取未授权访问权限。开发者应实施强身份验证策略,包括多因素认证、严格的输入验证及防重放机制,并定期审查认证逻辑,确保身份源的可信性与完整性,以有效防御此类欺骗行为。
String sourceIP = request.getRemoteAddr(); if (sourceIP != null && sourceIP.equals(APPROVED_IP)) { authenticated = true; }sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); servr.sin_port = htons(1008); bind(sd, (struct sockaddr *) & serv, sizeof(serv)); while (1) { memset(msg, 0x0, MAX_MSG); clilen = sizeof(cli); if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) { n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); } }while(true) { DatagramPacket rp=new DatagramPacket(rData,rData.length); outSock.receive(rp); String in = new String(p.getData(),0, rp.getLength()); InetAddress clientIPAddress = rp.getAddress(); int port = rp.getPort(); if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) { out = secret.getBytes(); DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp); } }| CVE ID | 标题 | CVSS | 风险等级 | Published |
|---|---|---|---|---|
| CVE-2026-25660 | CodeChecker 安全漏洞 — CodeChecker | 9.8AI | CriticalAI | 2026-04-24 |
| CVE-2026-40575 | OAuth2 Proxy 安全漏洞 — oauth2-proxy | 9.1 | Critical | 2026-04-21 |
| CVE-2026-22734 | Cloud Foundry cf-deployment和Cloud Foundry UUA 安全漏洞 — UUA | 8.6 | High | 2026-04-16 |
| CVE-2026-34457 | OAuth2 Proxy 安全漏洞 — oauth2-proxy | 9.1 | Critical | 2026-04-14 |
| CVE-2026-35656 | OpenClaw 安全漏洞 — OpenClaw | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35622 | OpenClaw 安全漏洞 — OpenClaw | 5.9 | Medium | 2026-04-09 |
| CVE-2026-3902 | Django 安全漏洞 — Django | 5.3AI | MediumAI | 2026-04-07 |
| CVE-2026-34778 | Electron 数据伪造问题漏洞 — electron | 5.9 | Medium | 2026-04-03 |
| CVE-2026-33433 | Traefik 安全漏洞 — traefik | 8.1 | - | 2026-03-27 |
| CVE-2026-33661 | pay 安全漏洞 — pay | 8.6 | High | 2026-03-26 |
| CVE-2026-33621 | pinchtab 安全漏洞 — pinchtab | 4.8 | Medium | 2026-03-26 |
| CVE-2026-30975 | Sonarr 安全漏洞 — Sonarr | 8.1 | High | 2026-03-25 |
| CVE-2026-33223 | Nats-Server 安全漏洞 — nats-server | 6.4 | Medium | 2026-03-25 |
| CVE-2026-32492 | WordPress plugin My Tickets 安全漏洞 — My Tickets | 5.3 | Medium | 2026-03-25 |
| CVE-2026-24372 | WordPress plugin Subscriptions for WooCommerce 安全漏洞 — Subscriptions for WooCommerce | 7.5 | High | 2026-03-25 |
| CVE-2026-32045 | OpenClaw 安全漏洞 — OpenClaw | 5.9 | Medium | 2026-03-21 |
| CVE-2026-32666 | Automated Logic WebCtrl 安全漏洞 — WebCTRL Premium Server | 7.5 | High | 2026-03-20 |
| CVE-2026-33131 | H3 安全漏洞 — h3 | 7.4 | High | 2026-03-20 |
| CVE-2026-32014 | OpenClaw 安全漏洞 — OpenClaw | 8.0 | High | 2026-03-19 |
| CVE-2026-27478 | Unity Catalog 安全漏洞 — unitycatalog | 9.1 | Critical | 2026-03-11 |
| CVE-2026-31889 | Shopware 安全漏洞 — core | 8.9 | High | 2026-03-11 |
| CVE-2026-31813 | Auth 安全漏洞 — auth | 4.8 | Medium | 2026-03-11 |
| CVE-2026-32229 | JetBrains Hub 安全漏洞 — Hub | 6.8 | Medium | 2026-03-11 |
| CVE-2025-48840 | Fortinet FortiWeb 安全漏洞 — FortiWeb | 5.0 | Medium | 2026-03-10 |
| CVE-2026-28480 | OpenClaw 安全漏洞 — OpenClaw | 6.5 | Medium | 2026-03-05 |
| CVE-2026-28465 | OpenClaw 数据伪造问题漏洞 — voice-call | 5.9 | Medium | 2026-03-05 |
| CVE-2024-1524 | WSO2 API Manager和WSO2 Identity Server(IS) 安全漏洞 — WSO2 API Manager | 7.7 | High | 2026-02-24 |
| CVE-2025-69401 | WordPress plugin WooODT Lite 安全漏洞 — WooODT Lite | 7.5 | High | 2026-02-20 |
| CVE-2026-24853 | Caido 安全漏洞 — caido | 8.1 | High | 2026-02-13 |
| CVE-2026-25938 | FUXA 访问控制错误漏洞 — FUXA | 9.8AI | CriticalAI | 2026-02-09 |
CWE-290(使用欺骗进行的认证绕过) 是常见的弱点类别,本平台收录该类弱点关联的 267 条 CVE 漏洞。