Missing authentication is a security flaw where a sensitive function, API route, or administrative interface can be accessed without proving identity first. Instead of requiring a valid login, session, API key, or other credential, the system exposes actions that should be restricted. This is often classified as an authorization or access-control failure, and it can affect web apps, APIs, control planes, and device management interfaces.
It matters because unauthenticated access can let an attacker read data, change settings, launch jobs, or invoke privileged actions directly over the network. In real attacks, adversaries and scanners look for endpoints that respond without a token or cookie, then test whether they can enumerate information or trigger workflows. Defenses include default-deny access control, strong authentication on every sensitive route, role checks after login, and security testing that verifies no management function is publicly reachable.
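
The default-deny, role-check, and verification defenses described above, sketched as an added example that is not part of the original page. The `Router` class, the route paths, and the session tokens are hypothetical and constructed for illustration; a real service would validate signed or server-side sessions in place of the in-memory dictionary.

```python
"""Default-deny dispatch: a route is protected unless explicitly marked PUBLIC."""
PUBLIC = object()  # sentinel: the only way to expose a route without credentials

class Router:
    def __init__(self, sessions):
        self.sessions = sessions  # session token -> {"user": str, "roles": set}
        self.routes = {}          # path -> (handler, required role | None | PUBLIC)

    def route(self, path, role=None):
        # role=None still requires a valid session, so omitting it fails closed.
        def register(handler):
            self.routes[path] = (handler, role)
            return handler
        return register

    def dispatch(self, path, token=None):
        if path not in self.routes:
            return 404, "not found"
        handler, role = self.routes[path]
        if role is PUBLIC:
            return 200, handler(None)
        identity = self.sessions.get(token) if token else None
        if identity is None:
            return 401, "authentication required"  # no credential, no access
        if role is not None and role not in identity["roles"]:
            return 403, "forbidden"                # role check after login
        return 200, handler(identity)

def reachable_without_credentials(router):
    """Security-test helper: every path that answers 200 to an anonymous request."""
    return sorted(p for p in router.routes if router.dispatch(p)[0] == 200)

# Constructed sample data (hypothetical tokens, users, and routes).
SESSIONS = {"tok-alice": {"user": "alice", "roles": {"admin"}},
            "tok-bob": {"user": "bob", "roles": set()}}
app = Router(SESSIONS)

@app.route("/health", role=PUBLIC)
def health(_):
    return "ok"

@app.route("/profile")  # no role given: still needs a session
def profile(identity):
    return identity["user"]

@app.route("/admin/restart", role="admin")
def restart(identity):
    return f"restart queued by {identity['user']}"

print("anonymous-reachable:", reachable_without_credentials(app))
```

Comparing the output of `reachable_without_credentials` against a reviewed allowlist in CI turns "no management function is publicly reachable" into a check that fails when a new route is exposed by accident.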



