CWE-290: Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Last updated
Overview
CWE-290 (Authentication Bypass by Spoofing) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
453 recorded CVEs are caused by CWE-290 (Authentication Bypass by Spoofing), including 5 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 119 new CWE-290 CVEs have been recorded so far in 2026 (105 in 2025).
- CVE-2024-54085CISA KEV
Redfish Authentication Bypass
Critical · CVSS 10.0 · EPSS 99th2025-03-11 - CVE-2024-4358CISA KEV
Registration Authentication Bypass Vulnerability
Critical · CVSS 9.3 · EPSS 100th2024-05-29 - CVE-2022-24112CISA KEV
apisix/batch-requests plugin allows overwriting the X-REAL-IP header
Critical · CVSS 9.3 · EPSS 100th2022-02-11 - CVE-2022-23131CISA KEV
Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML
Critical · CVSS 9.3 · EPSS 100th2022-01-13 - CVE-2023-50224CISA KEV
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability
High · CVSS 7.1 · EPSS 97th2024-05-03 - CVE-2026-54782
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Critical · CVSS 10.0 · EPSS 16th2026-07-08 - CVE-2026-48567
Azure HorizonDB Elevation of Privilege Vulnerability
Critical · CVSS 10.0 · EPSS 58th2026-06-04 - CVE-2025-34063
OneLogin AD Connector JWT Authentication Bypass via Exposed Signing Key
Critical · CVSS 10.0 · EPSS 42th2025-07-01 - CVE-2023-22814Critical · CVSS 10.0 · EPSS 49th2023-06-30
- CVE-2023-34157Critical · CVSS 10.0 · EPSS 28th2023-06-16
- CVE-2022-36331Critical · CVSS 10.0 · EPSS 44th2023-06-12
- CVE-2022-2310Critical · CVSS 10.0 · EPSS 60th2022-07-27
Showing 12 of 453 recorded CWE-290 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-290 vulnerabilitiesCommon consequences
What can happen when CWE-290 is exploited.
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Affects: Access Control
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code authenticates users.
Vulnerable example
String sourceIP = request.getRemoteAddr();The authentication mechanism implemented relies on an IP address for source validation. If an attacker is able to spoof the IP, they may be able to bypass the authentication mechanism.
Both of these examples check if a request is from a trusted address before responding to the request.
Vulnerable example
sd = socket(AF_INET, SOCK_DGRAM, 0);Vulnerable example
while(true) {The code only verifies the address as stored in the request packet. An attacker can spoof this address, thus impersonating a trusted client.
The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status.
Vulnerable example
struct hostent *hp;struct in_addr myaddr;Vulnerable example
String ip = request.getRemoteAddr();Vulnerable example
IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-30319 — S-bus functionality in a home automation product performs access control using an IP allowlist, which can be bypassed by a forged IP address.
- CVE-2009-1048 — VOIP product allows authentication bypass using 127.0.0.1 in the Host header.
Terminology & mappings
Mapped taxonomies
- PLOVER: Authentication bypass by spoofing
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-21: Exploitation of Trusted Identifiers
- CAPEC-22: Exploiting Trust in Client
- CAPEC-459: Creating a Rogue Certification Authority Certificate
- CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
- CAPEC-473: Signature Spoof
- CAPEC-476: Signature Spoofing by Misrepresentation
- CAPEC-59: Session Credential Falsification through Prediction
- CAPEC-60: Reusing Session IDs (aka Session Replay)
- CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
- CAPEC-94: Adversary in the Middle (AiTM)
Frequently asked questions
Common questions about CWE-290.
- What is CWE-290?
- This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
- What CVEs are caused by CWE-290?
- 453 recorded CVEs are attributed to CWE-290, including CVE-2024-54085, CVE-2024-4358, CVE-2022-24112. 5 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- What are the consequences of CWE-290?
- Exploiting CWE-290 can lead to: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
- Is CWE-290 actively exploited?
- Yes. 5 CWE-290 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 453 recorded CVEs.
References
- MITRE CWE definition (CWE-290) (opens in a new tab)
- CWE-290 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-290
Get alerted the moment a new CWE-290 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.