by GTP 953 days ago
Diffie-Hellman can be MITMed if nothing checks that the value you get from the other party actually comes from the intended other party. I.e., an identity check.

That is OK if the talk is not about bank or currency exchange.
That's still not OK. Think about this: you are encrypting your traffic to prevent some third party from seeing/modifying it. But without authentication, you don't know who you're communicating with. So it could be that you're talking with the very third party that you were trying to protect from in the first place.
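
The point made in this thread, as an added example that is not part of any comment: the same exchange run without and with an identity check on the received public value. Assumptions: the group is a toy one constructed for the demo, an HMAC under a pre-shared key stands in for the identity check (real protocols normally use signatures or certificates), and all function and party names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group, constructed for this demo only; real systems use standardized groups or X25519.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def tag(auth_key, name, pub):
    # Binds the sender's identity to its public value.
    return hmac.new(auth_key, f"{name}|{pub}".encode(), hashlib.sha256).digest()

def accept(auth_key, name, pub, mac):
    # The identity check; skipped entirely when auth_key is None (plain DH).
    if auth_key is not None and not hmac.compare_digest(tag(auth_key, name, pub), mac):
        raise ValueError(f"public value does not come from {name}")
    return pub

def run(auth_key=None, third_party_on_path=False):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    t_priv, t_pub = keypair()
    sign = lambda n, v: tag(auth_key, n, v) if auth_key is not None else b""
    to_bob = ("alice", a_pub, sign("alice", a_pub))
    to_alice = ("bob", b_pub, sign("bob", b_pub))
    if third_party_on_path:
        # Values are swapped in transit; the tags cannot be recomputed without auth_key.
        to_bob = ("alice", t_pub, to_bob[2])
        to_alice = ("bob", t_pub, to_alice[2])
    k_alice = session_key(a_priv, accept(auth_key, *to_alice))
    k_bob = session_key(b_priv, accept(auth_key, *to_bob))
    k_third = session_key(t_priv, a_pub)  # what the third party can derive toward Alice
    return k_alice, k_bob, k_third

if __name__ == "__main__":
    ka, kb, kt = run(third_party_on_path=True)
    print("no check: Alice's key equals third party's key:", ka == kt)
    try:
        run(auth_key=b"constructed-preshared-key", third_party_on_path=True)
    except ValueError as err:
        print("with check:", err)
```

Without the check, Alice completes the exchange and encrypts to a key the third party also holds; with it, the substituted value is rejected before any key is derived.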