CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>
Looking at the CWE-306 wording, this does not look like the right CWE, but OWASP ASVP 3.7.1 points to this CWE.
OWASP ASVP 3.7.1 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>
3.7.1 Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications. CWE-306