Base weakness

Draft

CWE-303: Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

Last updated May 1, 2026

76

Recorded CVEs

With this primary weakness

1

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

This incorrect implementation may allow authentication to be bypassed.

Real-world CVEs

76 recorded CVEs are caused by CWE-303 (Incorrect Implementation of Authentication Algorithm), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 13 new CWE-303 CVEs have been recorded so far in 2026 (18 in 2025).

Critical · CVSS 10.0

2024-05-20

Cal.com Authentication Bypass via bad TOTP + password checks

Critical · CVSS 9.9

2025-12-03

CVE-2025-12421

Account Takeover via Code Exchange Endpoint

Critical · CVSS 9.9

2025-11-27

CVE-2025-12419

Account takeover on OAuth/OpenID-enabled servers

Critical · CVSS 9.9

2025-11-27

CVE-2025-21311

Windows NTLM V1 Elevation of Privilege Vulnerability

OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching

Critical · CVSS 9.4

2026-03-05

CVE-2026-29515

MiCode FileExplorer SwiFTP Server Authentication Bypass

Critical · CVSS 9.3

2026-03-11

CVE-2024-4332

Improper Authentication in Tripwire Enterprise 9.1.0 APIs

Critical · CVSS 9.3

2024-06-03

Showing 12 of 76 recorded CWE-303 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-303 vulnerabilities

Common consequences

What can happen when CWE-303 is exploited.

Bypass Protection Mechanism

Affects: Access Control

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2003-0750 — Conditional should have been an 'or' not an 'and'.

Terminology & mappings

Mapped taxonomies

PLOVER: Authentication Logic Error

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-90: Reflection Attack in Authentication Protocol

Frequently asked questions

Common questions about CWE-303.

What is CWE-303?

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

What CVEs are caused by CWE-303?

76 recorded CVEs are attributed to CWE-303, including CVE-2023-29357, CVE-2025-13390, CVE-2024-4985. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

What are the consequences of CWE-303?

Exploiting CWE-303 can lead to: Bypass Protection Mechanism.

Is CWE-303 actively exploited?

Yes. 1 CWE-303 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 76 recorded CVEs.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-303

Get alerted the moment a new CWE-303 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-303?

What CVEs are caused by CWE-303?

What are the consequences of CWE-303?

Is CWE-303 actively exploited?

References

Stay ahead of CWE-303