The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
CWE-308 (Use of Single-factor Authentication) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
9 recorded CVEs are caused by CWE-308 (Use of Single-factor Authentication). The highest-severity and most recent are shown first. 3 new CWE-308 CVEs have been recorded so far in 2026 (1 in 2025).
Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password
Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476
What can happen when CWE-308 is exploited.
Bypass Protection Mechanism
Affects: Access Control
If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.
Typically introduced during these phases of the software lifecycle.
Practical mitigations for CWE-308, grouped by where in the lifecycle they apply.
Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use.
Illustrative examples from MITRE showing how the weakness appears in code.
In both of these examples, a user is logged in if their given password matches a stored password:
Vulnerable example (C):

    unsigned char *check_passwd(char *plaintext) {
        ctext = simple_digest("sha1", plaintext, strlen(plaintext), ...);
        //Login if hash matches stored hash
        if (equal(ctext, secret_password())) { login_user(); }
    }

Vulnerable example (Java):

    String plainText = new String(plainTextIn);

This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).
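The single-factor pattern above beside a hardened form, as an added example that is not MITRE's demonstrative code and not part of this page. It also illustrates the mitigation listed earlier (require multiple independent schemes): factor one is a salted, iterated password hash (which also removes the unsalted SHA-1 problem), factor two is an RFC 6238 TOTP code, and the sensitive "turn the second factor off" operation is itself gated on both factors, which is the pattern the Termix entry in the CVE list above describes (a password alone must not be enough to remove the second factor). The `User` record, the function names (`login_mfa`, `disable_totp`, `disable_totp_weak`), the sample password and the replay-guard field are assumptions for illustration; the TOTP secret is the published RFC 4226/6238 test secret so the codes match the RFC vectors.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30          # RFC 6238 default time step in seconds
TOTP_DIGITS = 6


@dataclass
class User:                                  # assumed record layout, for illustration only
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None     # None: no second factor enrolled
    last_counter: int = -1                   # highest TOTP step already accepted (replay guard)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted, iterated hash: replaces the unsalted SHA-1 of the MITRE snippet (CWE-328/CWE-759)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, user: User) -> bool:
    _, candidate = hash_password(password, user.salt)
    return hmac.compare_digest(candidate, user.pw_hash)   # constant-time comparison


def totp_at_counter(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return totp_at_counter(secret, unix_time // TOTP_STEP)


def verify_totp(user: User, code: str, unix_time: int, window: int = 1) -> Optional[int]:
    """Return the accepted time-step counter, or None.
    Steps at or below user.last_counter are refused so a captured code cannot be replayed."""
    if user.totp_secret is None:
        return None
    base = unix_time // TOTP_STEP
    for counter in range(base - window, base + window + 1):
        if counter > user.last_counter and hmac.compare_digest(
                totp_at_counter(user.totp_secret, counter), code):
            return counter
    return None


# CWE-308: one secret gates access. A stolen or guessed password is the whole attack.
def login_single_factor(user: User, password: str) -> bool:
    return verify_password(password, user)


# Mitigation: both factors must pass. An account with no enrolled second factor is refused here
# rather than silently falling back to password-only; it must complete enrollment first.
def login_mfa(user: User, password: str, code: str, unix_time: int) -> bool:
    pw_ok = verify_password(password, user)
    counter = verify_totp(user, code, unix_time)
    if not (pw_ok and counter is not None):
        return False
    user.last_counter = counter            # burn the accepted step (persist this atomically in a real system)
    return True


# The weak pattern: the password alone turns the second factor off, so an attacker holding the
# password removes the factor and then logs in with that same password.
def disable_totp_weak(user: User, password: str) -> bool:
    if not verify_password(password, user):
        return False
    user.totp_secret = None
    return True


# Hardened: changing the second factor is a step-up operation that requires a fresh second-factor proof.
def disable_totp(user: User, password: str, code: str, unix_time: int) -> bool:
    if not login_mfa(user, password, code, unix_time):
        return False
    user.totp_secret = None
    return True


def make_user(password: str, totp_secret: Optional[bytes]) -> User:
    salt, pw_hash = hash_password(password)
    return User(salt=salt, pw_hash=pw_hash, totp_secret=totp_secret)


if __name__ == "__main__":
    # Constructed sample user; the secret is the RFC 4226/6238 test secret, not a real credential.
    u = make_user("correct horse battery staple", b"12345678901234567890")
    print(login_single_factor(u, "correct horse battery staple"))        # password alone is enough
    print(login_mfa(u, "correct horse battery staple", "000000", 59))    # wrong code: refused
    print(login_mfa(u, "correct horse battery staple", totp(u.totp_secret, 59), 59))
```

Two points the code makes that the prose does not: a second factor is only independent if every path that weakens or removes it is also protected by it (compare `disable_totp_weak` with `disable_totp`), and an accepted TOTP step has to be recorded so the same code cannot be presented twice within the verification window. The step record belongs in the same transaction as the login decision; checking it in memory only, as here, is enough to show the logic but not to protect a multi-instance deployment.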
Real CVEs that MITRE cites as examples of this weakness.
CAPEC attack patterns that exploit this weakness.
Common questions about CWE-308.
The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
9 recorded CVEs are attributed to CWE-308, including CVE-2023-49075, CVE-2026-45749, CVE-2025-42959.
Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use.
Exploiting CWE-308 can lead to: Bypass Protection Mechanism.
9 recorded CVEs are caused by CWE-308; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.