Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Weaknesses (CWE)
CWE-288

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Base weakness

Incomplete

CWE-288: Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Last updated May 1, 2026

520

Recorded CVEs

With this primary weakness

14

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-288 (Authentication Bypass Using an Alternate Path or Channel) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

520 recorded CVEs are caused by CWE-288 (Authentication Bypass Using an Alternate Path or Channel), including 14 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 122 new CWE-288 CVEs have been recorded so far in 2026 (166 in 2025).

CVE-2025-57819
CISA KEV
FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE
Critical · CVSS 10.0
2025-08-28
CVE-2025-4427
CISA KEV
Authentication Bypass
Critical · CVSS 10.0
2025-05-13

On this page

Overview
Real-world CVEs
Common consequences
How it happens
How to prevent it
Code examples
Illustrative examples
Related weaknesses
Terminology & mappings
Attack patterns
FAQ
References

CVE-2024-1709

CISA KEV

Authentication bypass using an alternate path or channel

Critical · CVSS 10.0

2024-02-21

Critical · CVSS 9.3

Critical · CVSS 9.3

SmarterTools SmarterMail < Build 9511 Authentication Bypass via Password Reset API

Critical · CVSS 9.3

Kentico Xperience <= 13.0.178 Staging Sync Server None Password Type Authentication Bypass

Critical · CVSS 9.3

Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass

Critical · CVSS 9.3

Critical · CVSS 9.3

BIG-IP Configuration utility unauthenticated remote code execution vulnerability

Critical · CVSS 9.3

SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands

Critical · CVSS 9.3

Versa Concerto Actuator Authentication Bypass Information Leak

Critical · CVSS 9.2

Showing 12 of 520 recorded CWE-288 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-288 vulnerabilities

Common consequences

What can happen when CWE-288 is exploited.

Bypass Protection Mechanism

Affects: Access Control

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Applies to

Technologies

Web Based

How to prevent it

Practical mitigations for CWE-288, grouped by where in the lifecycle they apply.

Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not.

Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one hot input, incoming_id. This is checked against the acl_oh_allowlist (which contains a list of initiators that are allowed to access the asset).

Though this example is shown in Verilog, it will apply to VHDL as well.

The bugged line of code is repeated in the Bad example above. Weakness arises from the fact that the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME, the address of COPY_OF_SECURE_ME should also be included in the check. That buggy line of code should instead be replaced as shown in the Good Code Snippet below.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2000-1179 — Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.
CVE-1999-1454 — Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.
CVE-1999-1077 — OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.
CVE-2003-0304 — Direct request of installation file allows attacker to create administrator accounts.
CVE-2002-0870 — Attackers may gain additional privileges by directly requesting the web management URL.
CVE-2002-0066 — Bypass authentication via direct request to named pipe.
CVE-2003-1035 — User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.

Related weaknesses

How this weakness relates to others in the CWE hierarchy.

Parent

CWE-284: Improper Access Control
CWE-306: Missing Authentication for Critical Function

Child

CWE-425: Direct Request ('Forced Browsing')
CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface

Peer

CWE-420: Unprotected Alternate Channel

Terminology & mappings

Mapped taxonomies

PLOVER: Authentication Bypass by Alternate Path/Channel
OWASP Top Ten 2007: Failure to Restrict URL Access (A10) — CWE More Specific fit

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-127: Directory Indexing
CAPEC-665: Exploitation of Thunderbolt Protection Flaws

Frequently asked questions

Common questions about CWE-288.

What is CWE-288?

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

What CVEs are caused by CWE-288?

520 recorded CVEs are attributed to CWE-288, including CVE-2025-57819, CVE-2025-4427, CVE-2024-1709. 14 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Is CWE-288 part of the OWASP Top 10?

CWE-288 maps to OWASP Top Ten 2007: Failure to Restrict URL Access (A10) in the OWASP security taxonomy.

How do you prevent CWE-288?

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

What are the consequences of CWE-288?

Exploiting CWE-288 can lead to: Bypass Protection Mechanism.

Is CWE-288 actively exploited?

Yes. 14 CWE-288 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 520 recorded CVEs.

References

MITRE CWE definition (CWE-288) (opens in a new tab)
CWE-288 vulnerabilities on NVD (opens in a new tab)
Learn: What is a CWE?

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-288

Get alerted the moment a new CWE-288 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing