CWE-304: Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.

Real-world CVEs

31 recorded CVEs are caused by CWE-304 (Missing Critical Step in Authentication). The highest-severity and most recent are shown first. 4 new CWE-304 CVEs have been recorded so far in 2026 (12 in 2025).

CWE-304: Missing Critical Step in Authentication

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-304?

What CVEs are caused by CWE-304?

How is CWE-304 detected?

What are the consequences of CWE-304?

Is CWE-304 actively exploited?

References

Stay ahead of CWE-304

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-304?

What CVEs are caused by CWE-304?

How is CWE-304 detected?

What are the consequences of CWE-304?

Is CWE-304 actively exploited?

References

Stay ahead of CWE-304