Missing Authentication for Critical Function
An endpoint that performs a critical action (delete account, change password, transfer funds) doesn't require authentication.
GateTest coverage
Caught by: authFlaws
Example
app.post('/admin/delete-user/:id', async (req, res) => { ... }) — no auth middleware.
How to fix it
Require authentication on every state-changing endpoint by default; make public endpoints opt-in. Audit your routing table for missing middleware. authFlaws catches the obvious cases.
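The fix described above, as an added example that is not GateTest's code: every route is registered through a default-deny helper that prepends an authentication middleware unless the caller explicitly opts the route in as public, and an audit function walks the routing table and lists state-changing routes whose handler chain still lacks the middleware. A tiny Express-style router (`App`, `route`, `secure`, `audit`, `handle`) is hand-rolled here so the example runs with no dependencies; it is an assumption, not a real Express app, and the routing tables and requests are constructed.

```javascript
// Added example (not GateTest's code): default-deny authentication for state-changing routes,
// plus an audit that lists routes still missing the auth middleware. The Express-style router
// below is a hand-rolled stand-in (an assumption) so the example runs without dependencies.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Authentication middleware. A real one would validate a session or token; here a request
// counts as authenticated when it carries a constructed `user` object.
function requireAuth(req, res, next) {
  if (!req.user) {
    res.status = 401;
    res.body = { error: 'authentication required' };
    return; // stop the chain: the route handler never runs
  }
  next();
}

class App {
  constructor() { this.routes = []; }

  // Express-like registration: app.route('POST', path, ...handlers). Nothing is enforced,
  // which is exactly how the flaw on the page arises.
  route(method, path, ...handlers) {
    const pattern = new RegExp('^' + path.replace(/:[^/]+/g, '[^/]+') + '$');
    this.routes.push({ method, path, pattern, handlers });
    return this;
  }

  // Default-deny registration: requireAuth is prepended unless the caller opts in to public.
  secure(method, path, handler, { isPublic = false } = {}) {
    return isPublic
      ? this.route(method, path, handler)
      : this.route(method, path, requireAuth, handler);
  }

  // Audit the routing table: state-changing routes whose chain does not include requireAuth.
  audit() {
    return this.routes
      .filter(r => STATE_CHANGING.has(r.method) && !r.handlers.includes(requireAuth))
      .map(r => `${r.method} ${r.path}`);
  }

  // Dispatch: run the matched route's handler chain in order, Express style.
  handle(req) {
    const res = { status: 200, body: null };
    const r = this.routes.find(x => x.method === req.method && x.pattern.test(req.path));
    if (!r) { res.status = 404; return res; }
    let i = 0;
    const next = () => { const fn = r.handlers[i++]; if (fn) fn(req, res, next); };
    next();
    return res;
  }
}

const deleteUser = (req, res) => { res.body = { deleted: true }; };
const health = (req, res) => { res.body = { ok: true }; };

// Constructed routing table reproducing the page's flaw: a delete endpoint with no auth middleware.
function buildVulnerableApp() {
  return new App()
    .route('POST', '/admin/delete-user/:id', deleteUser)
    .route('GET', '/health', health);
}

// Hardened table: every route goes through secure(); only /health opts in to being public.
function buildHardenedApp() {
  return new App()
    .secure('POST', '/admin/delete-user/:id', deleteUser)
    .secure('GET', '/health', health, { isPublic: true });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable audit:', buildVulnerableApp().audit()); // ['POST /admin/delete-user/:id']
  console.log('hardened audit:', buildHardenedApp().audit());     // []
}
```

The audit is the part worth keeping in CI: because `secure()` is the only sanctioned way to register a route, any route that shows up in `audit()` was added through the raw `route()` call and bypassed the default, which is the routing-table review the page recommends.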
Scan your repo for CWE-306
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-306 (Missing Authentication for Critical Function)?
An endpoint that performs a critical action (delete account, change password, transfer funds) doesn't require authentication.
How do I fix missing authentication for critical function?
Require authentication on every state-changing endpoint by default; make public endpoints opt-in. Audit your routing table for missing middleware. authFlaws catches the obvious cases.
Does GateTest detect missing authentication for critical function?
Yes — GateTest's authFlaws module catches this class of weakness. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Missing Authentication for Critical Function in the CWE Top 25?
Missing Authentication for Critical Function is ranked #20 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).