
CWE-178 (Improper Handling of Case Sensitivity) — Vulnerability Class 24

24 vulnerabilities classified as CWE-178 (Improper Handling of Case Sensitivity). AI Chinese analysis included.

CWE-178 represents a logic flaw where software fails to properly account for case sensitivity when accessing or determining resource properties, leading to inconsistent and potentially insecure results. Attackers typically exploit this weakness by manipulating input casing to bypass access controls, evade input filters, or reduce the effective key space for password cracking, thereby facilitating brute-force attacks. For instance, a system treating "Admin" and "admin" as distinct users might inadvertently grant elevated privileges if case checks are inconsistently applied. To mitigate this risk, developers must enforce strict, consistent case-handling logic across all validation and authentication routines. This involves normalizing inputs to a standard case before comparison, explicitly defining case-sensitivity requirements in security policies, and rigorously testing edge cases to ensure that case variations do not circumvent security mechanisms or lead to unauthorized resource access.

MITRE CWE Description
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. Improperly handled case-sensitive data can lead to several possible consequences, including:
- case-insensitive passwords reducing the size of the key space, making brute-force attacks easier
- bypassing filters or access controls using alternate names
- multiple interpretation errors using alternate names
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (3)
Architecture and Design: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
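The overview paragraph and the three mitigations above describe one discipline: decode once, canonicalize, then compare against a policy that is itself stored in canonical form. The following Python module is an added example written for this page, not code from MITRE or from any of the listed projects; it uses Python rather than the CWE entry's Java so it can be run directly. The account names, extension lists and sample inputs are constructed. It contrasts a naive check that compares raw input (case-sensitive name lookup, denylist on a raw extension) with a hardened check that canonicalizes first and then applies an allowlist, and it shows why the single-decode rule (CWE-174) matters.

```python
import unicodedata
from urllib.parse import unquote

# Constructed policy for this example. Both sets are stored in canonical
# (NFKC + casefold) form so that membership tests are meaningful.
PROTECTED_ACCOUNTS = {"admin", "root"}
ALLOWED_UPLOAD_EXTENSIONS = {".png", ".jpg", ".pdf"}
DENIED_UPLOAD_EXTENSIONS = {".php", ".htaccess"}   # used only by the weak variant


def canonicalize(name: str) -> str:
    """Bring an externally supplied name into the one form every check sees.

    Order matters:
      1. percent-decode exactly once (CWE-174: a second decode would turn the
         '%41' left over from '%2541' into 'A' after validation has run),
      2. Unicode NFKC, so compatibility forms such as fullwidth letters
         collapse to their ASCII equivalents,
      3. casefold, which handles non-ASCII case mappings that lower() misses.
    """
    decoded = unquote(name)
    normalized = unicodedata.normalize("NFKC", decoded)
    return normalized.casefold()


def extension(name: str) -> str:
    """Return the final '.ext' component of a filename, or '' if none."""
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


# --- weak variants: the raw string is compared against the policy -----------

def is_protected_naive(username: str) -> bool:
    """Case-sensitive membership test: 'Admin' is not recognised as 'admin'."""
    return username in PROTECTED_ACCOUNTS


def upload_allowed_naive(filename: str) -> bool:
    """Denylist on the raw extension: any case variant of '.php' slips past."""
    return extension(filename) not in DENIED_UPLOAD_EXTENSIONS


# --- hardened variants: canonicalize first, then accept known good ----------

def is_protected(username: str) -> bool:
    """Same policy, but the comparison sees the canonical name."""
    return canonicalize(username) in PROTECTED_ACCOUNTS


def upload_allowed(filename: str) -> bool:
    """Allowlist on the canonical extension; unknown or odd forms are rejected."""
    return extension(canonicalize(filename)) in ALLOWED_UPLOAD_EXTENSIONS


if __name__ == "__main__":
    # Constructed inputs: plain, upper-case, percent-encoded, fullwidth, double-encoded.
    for name in ("admin", "Admin", "%41dmin", "\uff21dmin", "%2541dmin"):
        print(f"{name!r:14} naive={is_protected_naive(name)!s:5} canonical={is_protected(name)}")
    for f in ("photo.PNG", "shell.pHp", ".HTACCESS", "report.pdf"):
        print(f"{f!r:14} naive={upload_allowed_naive(f)!s:5} canonical={upload_allowed(f)}")
```

Two design points are worth noting. The hardened upload check is an allowlist, as the second mitigation recommends, so a new dangerous extension does not require a policy update to be rejected. And `canonicalize` decodes only once: the double-encoded `%2541dmin` canonicalizes to `%41dmin`, which matches nothing, rather than being silently promoted to `admin` by a later decode.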
Examples (1)
In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent:
    public String preventXSS(String input, String mask) {
        return input.replaceAll("script", mask);
    }
Bad · Java
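The Java method above is marked Bad because replaceAll matches only the lowercase literal "script", so any other casing of the tag passes through untouched. The following Python block is an added example written for this page, not code from the CWE entry; it reproduces the same case-sensitive substring filter, then shows two corrections: the minimal one (match case-insensitively) and the one the "accept known good" mitigation actually points at (encode the output so no tag survives, whatever its spelling). The sample strings are constructed.

```python
import html
import re


def prevent_xss_naive(text: str, mask: str) -> str:
    """Python equivalent of the page's Java example: case-sensitive blocklist."""
    return text.replace("script", mask)


def prevent_xss_case_insensitive(text: str, mask: str) -> str:
    """Same blocklist, matched case-insensitively so SCRIPT and ScRiPt are caught.

    The mask is supplied through a callable so that re.sub does not interpret
    backslashes or group references inside it.
    """
    return re.sub("script", lambda _m: mask, text, flags=re.IGNORECASE)


def render_untrusted(text: str) -> str:
    """Accept-known-good approach: HTML-encode every metacharacter.

    There is no blocklist to bypass; '<', '>', '&' and quotes are always
    encoded, so the casing of the input is irrelevant to the outcome.
    """
    return html.escape(text, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Detection helper: does a literal <script tag survive, in any case?"""
    return re.search(r"<script", rendered, flags=re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed samples covering lower, upper and mixed case.
    samples = ["<script>alert(1)</script>",
               "<SCRIPT>alert(1)</SCRIPT>",
               "<ScRiPt>alert(1)</ScRiPt>"]
    for s in samples:
        print(f"{s!r}")
        print("  naive     :", contains_script_tag(prevent_xss_naive(s, "x")))
        print("  ci filter :", contains_script_tag(prevent_xss_case_insensitive(s, "x")))
        print("  escaped   :", contains_script_tag(render_untrusted(s)))
```

`prevent_xss_case_insensitive` fixes exactly the defect the CWE example illustrates and nothing more: a substring blocklist still depends on enumerating bad input. `render_untrusted` is the form to prefer for content placed into an HTML body, because it encodes by construction and is therefore indifferent to case, encoding tricks and future tag names.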
CVSS scores and severities marked (AI) are tagged as AI-assigned on the source page; "-" means no severity is given.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-3833 | Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison | 6.5 | Medium | 2026-04-30 |
| CVE-2026-40453 | Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection — Apache Camel JMS | 9.8 (AI) | Critical (AI) | 2026-04-27 |
| CVE-2026-22665 | prompts.chat Identity Confusion via Case-Sensitive Username Handling — prompts.chat | 8.1 | High | 2026-04-03 |
| CVE-2026-33691 | OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks — coreruleset | 6.8 | Medium | 2026-04-02 |
| CVE-2026-3532 | OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027 — OpenID Connect / OAuth client | 8.8 (AI) | High (AI) | 2026-03-26 |
| CVE-2026-32939 | DataEase is Vulnerable to H2 JDBC RCE Bypass — dataease | 9.1 | - | 2026-03-20 |
| CVE-2026-29054 | Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`) — traefik | 7.5 | High | 2026-03-05 |
| CVE-2026-27896 | MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity — go-sdk | 9.1 (AI) | Critical (AI) | 2026-02-26 |
| CVE-2026-27588 | Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass — caddy | 9.1 | - | 2026-02-24 |
| CVE-2026-27587 | Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass — caddy | 9.1 | - | 2026-02-24 |
| CVE-2026-25889 | File Browser has an Authentication Bypass in User Password Update — filebrowser | 5.4 | Medium | 2026-02-09 |
| CVE-2025-67718 | Formio improperly authorized permission elevation through specially crafted request path — formio | 7.5 (AI) | High (AI) | 2025-12-11 |
| CVE-2025-59944 | Cursor IDE: Sensitive File Overwrite Bypass is Possible — cursor | 8.1 | High | 2025-10-03 |
| CVE-2025-61593 | Cursor CLI Agent: Sensitive File Overwrite Bypass — cursor | 7.1 | High | 2025-10-03 |
| CVE-2025-46701 | Apache Tomcat: Security constraint bypass for CGI scripts — Apache Tomcat | 9.1 (AI) | Critical (AI) | 2025-05-29 |
| CVE-2025-4035 | Libsoup: cookie domain validation bypass via uppercase characters in libsoup — Red Hat Enterprise Linux 10 | 4.3 | Medium | 2025-04-29 |
| CVE-2024-6866 | Case-Insensitive Path Matching in corydolphin/flask-cors — corydolphin/flask-cors | 7.5 | - | 2025-03-20 |
| CVE-2024-55634 | Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 — Drupal Core | 8.8 | - | 2024-12-09 |
| CVE-2024-38829 | Spring LDAP sensitive data exposure for case-sensitive comparisons — Spring LDAP | 3.7 | Low | 2024-12-04 |
| CVE-2024-32879 | social-auth-app-django Improper Handling of Case Sensitivity vulnerability — social-app-django | 4.9 | Medium | 2024-04-24 |
| CVE-2024-23331 | Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem — vite | 7.5 | High | 2024-01-19 |
| CVE-2023-3545 | Chamilo LMS Htaccess File Upload Security Bypass — Chamilo | 9.8 | Critical | 2023-11-28 |
| CVE-2021-39155 | Authorization Policy Bypass Due to Case Insensitive Host Comparison — istio | 8.3 | High | 2021-08-24 |
| CVE-2021-24347 | SP Project & Document Manager < 4.22 - Authenticated Shell Upload — SP Project & Document Manager | 8.8 | - | 2021-06-14 |

Vulnerabilities classified as CWE-178 (Improper Handling of Case Sensitivity) represent 24 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.