I Have a Custom Authorize Attribute that always fire. I remove the configuration in global.asax and have no attributes in controllers/actions. Why?

public class ValidatePermissionAttribute : AuthorizeAttribute
{
    private AuthorizationContext _context;

    public override void OnAuthorization(AuthorizationContext context)
    {
        _context = context;

        base.OnAuthorization(context);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        bool isAuthorized = false;

        //Use _context here
        ...

        return isAuthorized;
    }
}

My Global.asax:

public class MvcApplication : NinjectHttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new LogActionAttribute());

        //ValidatePermissionFilterProvider validatePermissionProvider = new ValidatePermissionFilterProvider();

        //validatePermissionProvider.Add("Login", "Index");
        //validatePermissionProvider.Add("Erro", "*");

        //FilterProviders.Providers.Add(validatePermissionProvider);
    }

    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        routes.MapRoute(
            "Default", // Route name
            "{controller}/{action}/{id}", // URL with parameters
            new { controller = "Usuario", action = "Index", id = UrlParameter.Optional } // Parameter defaults
        );
    }

    protected override void OnApplicationStarted()
    {
        DefaultModelBinder.ResourceClassKey = "ViewModelValidations";

        AreaRegistration.RegisterAllAreas();

        RegisterGlobalFilters(GlobalFilters.Filters);
        RegisterRoutes(RouteTable.Routes);

        Database.SetInitializer(new DatabaseInitializer());
    }

    protected override IKernel CreateKernel()
    {
        return DependencyResolverFactory.Instance.Kernel;
    }
}

Discover the problem:

With answer of @DarinDimitrov I discover the problem, I'm using Ninject to inject a dependcy in my Filter, this is causing to fire in every Controller:

public class ApplicationServicesModule : NinjectModule
{
    public override void Load()
    {
        this.BindFilter<ValidatePermissionAttribute>(FilterScope.First, null);
    }
}

Only a custom attribute doesn't do anything. There must be some code that is registering it. It could be either registered as global action filter, you could have a controller/action decorated with it or you might have your dependency injection framework which registers it as a global action filter. Right click on the ValidatePermissionAttribute and search where this class is being used. Normally VS will show you where you have registered it.

If your controllers derive from a custom controller base class, you might want to check that to see if the attribute is present there also. You can also try to do a solution-wide Find Usages on the attribute name ValidatePermissionAttribute to see if there's somewhere you missed it.

EDIT: looking at your global.asax, I see that you are registering LogActionAttribute -- is it possible that attribute derives from your other custom authorization attribute? I would try removing all custom registrations and filters to see if the problem persists