What CVEs are caused by CWE-287?

1,632 recorded CVEs are attributed to CWE-287, including CVE-2026-20182, CVE-2026-20127, CVE-2025-32975. 32 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Is CWE-287 part of the OWASP Top 10?

CWE-287 maps to OWASP Top Ten 2007: Broken Authentication and Session Management (A7) in the OWASP security taxonomy.

How do you prevent CWE-287?

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

How is CWE-287 detected?

Automated Static Analysis: Automated static analysis is useful for detecting certain types of authentication. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authentication libraries.

What are the consequences of CWE-287?

Exploiting CWE-287 can lead to: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.

Is CWE-287 actively exploited?

Yes. 32 CWE-287 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 1,632 recorded CVEs.

Class weakness

Draft

CWE-287: Improper Authentication

Also known as: authentification, AuthN, AuthC

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Last updated May 1, 2026

1,632

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

CWE-287 (Improper Authentication) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.

Vulnerable example

perl

my $q = new CGI;

Attack input

plaintext

GET /cgi-bin/vulnerable.cgi HTTP/1.1

In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support staff, the attacker used the administrator panel to gain access to 33 accounts that belonged to celebrities and politicians. Ultimately, fake Twitter messages were sent that appeared to come from the compromised accounts.

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors did not use any authentication or used client-side authentication for critical functionality in their OT products.

CWE-287: Improper Authentication (authentification)

CWE-287: Improper Authentication

Overview

CWE-287: Improper Authentication

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Manual Static Analysis

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-287?

What CVEs are caused by CWE-287?

Is CWE-287 part of the OWASP Top 10?

How do you prevent CWE-287?

How is CWE-287 detected?

What are the consequences of CWE-287?

Is CWE-287 actively exploited?

References

Stay ahead of CWE-287

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Automated Static Analysis

Architecture or Design Review

Related

Overview

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Manual Static Analysis

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Dynamic Analysis with Manual Results Interpretation

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-287?

What CVEs are caused by CWE-287?

Is CWE-287 part of the OWASP Top 10?

How do you prevent CWE-287?

How is CWE-287 detected?

What are the consequences of CWE-287?

Is CWE-287 actively exploited?

References

Stay ahead of CWE-287

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Automated Static Analysis

Architecture or Design Review

Related