Log inLog in

Base weakness

Draft

CWE-304: Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

Last updated May 1, 2026

31

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.

Real-world CVEs

31 recorded CVEs are caused by CWE-304 (Missing Critical Step in Authentication). The highest-severity and most recent are shown first. 4 new CWE-304 CVEs have been recorded so far in 2026 (12 in 2025).

CVE-2022-2302

Critical · CVSS 9.8 · EPSS 72th

2022-07-11

CVE-2026-44547

ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2

Critical · CVSS 9.6 · EPSS 11th

2026-05-12

CVE-2024-45764

Critical · CVSS 9.0 · EPSS 28th

2024-11-08

CVE-2024-12048

High · CVSS 8.8 · EPSS 44th

2025-03-20

CVE-2019-16766

2FA bypass in Wagtail through new device path

High · CVSS 8.7 · EPSS 37th

2019-11-29

CVE-2026-42452

Termix: Pending-TOTP temporary token can regenerate backup codes and neutralize TOTP

High · CVSS 8.1 · EPSS 2th

2026-05-08

CVE-2025-24322

High · CVSS 8.1 · EPSS 27th

2025-08-20

CVE-2024-9216

High · CVSS 8.1 · EPSS 39th

2025-03-20

CVE-2022-1065

Multi Factor Authentication Bypass in various versions of Abacus ERP

High · CVSS 8.1 · EPSS 83th

2022-04-19

Showing 12 of 31 recorded CWE-304 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-304 vulnerabilities

Common consequences

What can happen when CWE-304 is exploited.

Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data, Execute Unauthorized Code or Commands

Affects: Access Control, Integrity, Confidentiality

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or allowing attackers to execute arbitrary code.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2004-2163 — Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
CVE-2005-3327 — Chain: Authentication bypass by skipping the first startup step as required by the protocol.

Terminology & mappings

Mapped taxonomies

PLOVER: Missing Critical Step in Authentication

Frequently asked questions

Common questions about CWE-304.

What is CWE-304?

The product implements an authentication technique, but it skips a step that weakens the technique.

What CVEs are caused by CWE-304?

31 recorded CVEs are attributed to CWE-304, including CVE-2024-8954, CVE-2024-2172, CVE-2022-2821.

How is CWE-304 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-304?

Exploiting CWE-304 can lead to: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data, Execute Unauthorized Code or Commands.

Is CWE-304 actively exploited?

31 recorded CVEs are caused by CWE-304; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-304

Get alerted the moment a new CWE-304 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing