CWE-306 is the weakness class for missing authentication on a critical function. In practical terms, it means a sensitive action, such as starting a shell, changing security settings, or reading protected data, can be reached without the caller ever proving an identity. It is a design flaw rather than an implementation slip: the function is sensitive enough that reaching it should always require a verified identity, yet no gate exists at all. That also distinguishes it from authorization weaknesses such as CWE-862, where identity is established but the permission check is missing; with CWE-306 there is nobody to check permissions for.
In practice, CWE-306 shows up in web apps, APIs, and WebSocket services where the main login flow is secured but a privileged endpoint is mounted outside the guarded path, or a control channel is opened before any identity check runs. Attackers look for these gaps to skip login entirely and reach admin or command-execution features directly. Defenders should verify that every sensitive route enforces authentication at the handler itself, not only through middleware attached to a path prefix, and should treat browser-facing control channels such as WebSocket endpoints as privileged surfaces that must authenticate the connection before handling any message. When a flaw is mapped to CWE-306, the core problem is not a weak password or a broken check, but a missing gate on a function that should never be public.
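As an added example (not code from the original page or from any project it describes), the following JavaScript models the gap described above and the check a defender would run: a prefix-scoped authentication middleware that a privileged route escapes, the same route hardened with a per-handler gate, an audit that probes every sensitive route with no credentials, and a WebSocket upgrade handler that authenticates before any message is processed. The route paths, bearer token, session table and handlers are constructed assumptions for illustration.

```javascript
// Added example (not from the original page or any real project): an in-process
// router that models the CWE-306 pattern and a probe that finds it.
// Route names, the token and the session table below are constructed for illustration.

// Constructed session store: one valid bearer token belonging to an admin user.
const SESSIONS = new Map([['tok-admin-1', { user: 'alice', role: 'admin' }]]);

// Resolve a request to a session, or null when no valid credential is present.
function sessionFor(req) {
  const auth = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer (\S+)$/.exec(auth);
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Prefix-scoped middleware: it only guards paths under /api/. A privileged handler
// mounted anywhere else never passes through this check.
function prefixAuthMiddleware(req) {
  if (req.path.startsWith('/api/') && !sessionFor(req)) {
    return { status: 401, body: 'unauthenticated' };
  }
  return null; // fall through to the route handler
}

// Stands in for a real command-execution feature; it only echoes the command.
function execHandler(req) {
  const cmd = (req.body && req.body.cmd) || '(none)';
  return { status: 200, body: `would run: ${cmd}` };
}

// Vulnerable table: /internal/exec relies on middleware that never sees it (CWE-306).
const vulnerableRoutes = {
  '/api/profile': (req) => ({ status: 200, body: `profile of ${sessionFor(req).user}` }),
  '/internal/exec': execHandler,
};

// Hardened form: each sensitive handler carries its own gate, so the check holds
// regardless of where the route is mounted or which middleware happens to apply.
function requireAuth(handler, role) {
  return (req) => {
    const s = sessionFor(req);
    if (!s) return { status: 401, body: 'unauthenticated' };
    if (role && s.role !== role) return { status: 403, body: 'forbidden' };
    return handler(req, s);
  };
}

const hardenedRoutes = {
  '/api/profile': requireAuth((req, s) => ({ status: 200, body: `profile of ${s.user}` })),
  '/internal/exec': requireAuth(execHandler, 'admin'),
};

// Minimal dispatcher: run the prefix middleware, then the matching handler.
function dispatch(routes, req) {
  const blocked = prefixAuthMiddleware(req);
  if (blocked) return blocked;
  const handler = routes[req.path];
  return handler ? handler(req) : { status: 404, body: 'not found' };
}

// Audit check: call every sensitive route with no credential at all. Anything that
// answers 2xx is reachable without identity, i.e. a CWE-306 instance.
function findUnauthenticatedRoutes(routes, sensitivePaths) {
  return sensitivePaths.filter((path) => {
    const res = dispatch(routes, { path, headers: {}, body: {} });
    return res.status >= 200 && res.status < 300;
  });
}

// Same gate on a browser-facing WebSocket control channel: authenticate at the
// upgrade request, before any message handler exists, and bind the session to the
// socket. (If the credential were a cookie rather than a bearer header, the Origin
// header would also need checking, because browsers attach cookies to cross-site
// upgrade requests subject to SameSite; that is not shown here.)
function acceptUpgrade(req) {
  const s = sessionFor(req);
  if (!s) return { accepted: false, status: 401 };
  return {
    accepted: true,
    onMessage: (msg) =>
      s.role === 'admin' ? { ok: true, body: `would run: ${msg.cmd}` } : { ok: false, status: 403 },
  };
}

// Constructed list of routes the audit treats as sensitive.
const SENSITIVE = ['/api/profile', '/internal/exec'];

console.log('vulnerable:', findUnauthenticatedRoutes(vulnerableRoutes, SENSITIVE)); // [ '/internal/exec' ]
console.log('hardened:  ', findUnauthenticatedRoutes(hardenedRoutes, SENSITIVE));   // []
```

The audit deliberately sends no credential and flags any non-error answer, rather than reasoning about which middleware should have applied; that mirrors how an attacker finds the gap and is the test a CI job can run against a route table.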