
CWE-346 (Origin Validation Error) — Vulnerability Class 159

159 vulnerabilities classified as CWE-346 (Origin Validation Error). AI-generated Chinese analysis included.

CWE-346, Origin Validation Error, represents a critical weakness where software fails to adequately verify the authenticity or legitimacy of data sources and communication endpoints. Attackers typically exploit this vulnerability by spoofing trusted origins, such as forging HTTP headers or manipulating network packets to appear as if they originate from a legitimate internal system. This deception allows adversaries to bypass security controls, execute unauthorized actions, or inject malicious payloads that the application blindly trusts. To mitigate this risk, developers must implement robust validation mechanisms that strictly verify the source of incoming requests. This includes checking cryptographic signatures, validating domain names against a whitelist, and ensuring that sensitive operations are only performed when the origin is explicitly confirmed. By enforcing strict origin verification, organizations can prevent unauthorized access and maintain the integrity of their application logic against sophisticated spoofing attacks.
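The strict source checks the paragraph above calls for, shown as an added example that is not part of this page or of any product in the listing below. It implements an exact-match origin allowlist (scheme, host and port must all agree, and a value with a path, query or userinfo is not an origin at all) and, going one step beyond the paragraph, an exact Host-header allowlist of the kind a local service needs against DNS rebinding. The names app.example.com, OriginPolicy, HostPolicy and the request headers in the demo are constructed assumptions; the prefix-match function is kept only to show why a loose string comparison is the failure mode.

```python
"""Strict origin and Host validation for an HTTP service (added example,
not code from any product in the CWE-346 listing). Constructed scenario:
the service must decide which Origin values receive credentialed CORS
access and which Host names it will answer for at all."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonical (scheme, host, port) for a serialized origin, or None.
    Anything carrying a path, query, fragment or userinfo is not an origin."""
    if not origin or origin == "null":
        return None
    p = urlsplit(origin)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    if p.path or p.query or p.fragment or p.username is not None:
        return None
    try:
        port = p.port or DEFAULT_PORTS[p.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (p.scheme, p.hostname.lower(), port)


def serialize_origin(norm):
    """Browser-style serialization: default port omitted, IPv6 bracketed."""
    scheme, host, port = norm
    if ":" in host:
        host = f"[{host}]"
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


class OriginPolicy:
    """Exact-match allowlist: scheme, host and port must all agree."""

    def __init__(self, allowed_origins):
        self._allowed = set()
        for entry in allowed_origins:
            norm = normalize_origin(entry)
            if norm is None:
                raise ValueError(f"allowlist entry is not an origin: {entry!r}")
            self._allowed.add(norm)

    def is_allowed(self, origin_header):
        norm = normalize_origin(origin_header)
        return norm is not None and norm in self._allowed

    def cors_headers(self, origin_header):
        """CORS response headers: echo the canonical origin only when it is
        allowlisted. Reflecting whatever Origin arrived, or answering '*'
        together with Allow-Credentials, is the origin-reflection bug pattern."""
        norm = normalize_origin(origin_header)
        if norm is None or norm not in self._allowed:
            return {}
        return {
            "Access-Control-Allow-Origin": serialize_origin(norm),
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }


def prefix_match_is_allowed(origin_header, trusted_origin):
    """The weak check, kept for contrast: a plain prefix test accepts any
    origin whose string merely begins with the trusted one."""
    return origin_header.startswith(trusted_origin)


class HostPolicy:
    """Serve only the Host names the service is deployed under. A local
    service that answers for any Host can be reached through a DNS-rebinding
    page; an exact Host allowlist closes that path."""

    def __init__(self, allowed_hosts):
        self._allowed = {h.lower() for h in allowed_hosts}

    def is_allowed(self, host_header):
        if not host_header:
            return False
        host = host_header.strip().lower()
        if host.startswith("["):  # bracketed IPv6 literal, optional :port
            host = host.split("]", 1)[0] + "]"
        else:
            host = host.split(":", 1)[0]
        return host in self._allowed


if __name__ == "__main__":
    # Constructed header values, not captured traffic.
    origins = OriginPolicy(["https://app.example.com", "http://localhost:3000"])
    hosts = HostPolicy(["localhost", "127.0.0.1", "[::1]"])
    for o in ["https://app.example.com", "https://app.example.com.evil.test",
              "https://app.example.com@evil.test", "http://app.example.com"]:
        print(f"{o:40} exact={origins.is_allowed(o)!s:5} "
              f"prefix={prefix_match_is_allowed(o, 'https://app.example.com')}")
    for h in ["localhost:8080", "[::1]:8080", "rebound.attacker.test"]:
        print(f"Host {h:25} served={hosts.is_allowed(h)}")
```

Two design points: the allowlist is normalized at construction time so that a typo such as a trailing slash fails loudly instead of silently never matching, and the CORS header echoes the canonical serialization rather than the raw request value, because the browser compares the echoed string against its own origin serialization exactly.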

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.
Common Consequences (1)
Scope: Access Control, Other
Impact: Gain Privileges or Assume Identity; Varies by Context
Note: An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
This Android application will remove a user account when it receives an intent to do so:
    IntentFilter filter = new IntentFilter("com.example.RemoveUser");
    DeleteReceiver receiver = new DeleteReceiver();
    registerReceiver(receiver, filter);

    public class DeleteReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            // The sender of the broadcast is never verified: any app on the
            // device can send "com.example.RemoveUser" and trigger the deletion.
            int userID = intent.getIntExtra("userID", -1);
            destroyUserData(userID);
        }
    }
Bad · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application:
    // Android
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // The custom scheme is honoured without checking which page issued the
        // navigation, so any content loaded into the WebView can call it.
        if (url.length() >= 14 && url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
            if (url.length() >= 25 && url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
                writeDataToView(view, UserData);
                return false;
            } else {
                return true;
            }
        }
        return false;  // not our scheme: let the WebView load it normally
    }
Bad · Java
    // iOS
    - (BOOL)webView:(UIWebView *)exWebView
        shouldStartLoadWithRequest:(NSURLRequest *)exRequest
        navigationType:(UIWebViewNavigationType)exNavigationType
    {
        NSURL *URL = [exRequest URL];
        if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
            // The origin of the page making the request is never checked
            // before the privileged function is invoked.
            NSString *functionString = [URL resourceSpecifier];
            if ([functionString hasPrefix:@"specialFunction"]) {
                // Make data available back in webview.
                UIWebView *webView = [self writeDataToView:[URL query]];
            }
            return NO;
        }
        return YES;
    }
Bad · Objective-C
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-6508 | RCE in TUBITAK BILGEM's Liderahenk | Liderahenk | 9.8 | Critical | 2026-05-07
CVE-2026-43870 | Apache Thrift: Node.js web_server.js multi-vulnerability | Apache Thrift | 7.5 | - | 2026-05-05
CVE-2026-7439 | AgentFlow Local Web API Content-Type Validation Bypass | AgentFlow | 4.4 | Medium | 2026-04-29
CVE-2026-41398 | OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge | OpenClaw | 4.6 | Medium | 2026-04-28
CVE-2026-41393 | OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery | OpenClaw | 4.8 | Medium | 2026-04-28
CVE-2026-41376 | OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation | OpenClaw | 5.4 | Medium | 2026-04-28
CVE-2026-41358 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | OpenClaw | 5.4 | Medium | 2026-04-23
CVE-2026-41342 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | OpenClaw | 7.3 | High | 2026-04-23
CVE-2026-41057 | AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses | AVideo | 7.1 | High | 2026-04-21
CVE-2026-40594 | pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) | pyload | 4.8 | Medium | 2026-04-21
CVE-2026-35577 | Missing Host Header Validation in Apollo MCP Server for Localhost Deployments | apollo-mcp-server | 6.8 | Medium | 2026-04-09
CVE-2026-34720 | Zammad has an origin validation error in SSO mechanism | zammad | 7.1 (AI) | High (AI) | 2026-04-08
CVE-2026-35568 | MCP Java-SDK has a DNS Rebinding Vulnerability | java-sdk | 6.3 (AI) | Medium (AI) | 2026-04-07
CVE-2026-35408 | Directus is Missing Cross-Origin Opener Policy | directus | 8.7 | High | 2026-04-06
CVE-2026-37977 | Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim | Red Hat Build of Keycloak | 3.7 | Low | 2026-04-06
CVE-2026-34777 | Electron: Incorrect origin passed to permission request handler for iframe requests | electron | 5.4 | Medium | 2026-04-03
CVE-2026-34083 | signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow | signalk-server | 6.1 | Medium | 2026-04-02
CVE-2026-34359 | HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core | org.hl7.fhir.core | 7.4 | High | 2026-03-31
CVE-2026-34373 | Parse Server: GraphQL API endpoint ignores CORS origin restriction | parse-server | 8.2 (AI) | High (AI) | 2026-03-31
CVE-2026-21790 | HCL Traveler is susceptible to a weak default HTTP header validation vulnerability | Traveler | 6.3 | Medium | 2026-03-24
CVE-2026-32317 | Cryptomator for Android: Tampered vault configuration allows MITM attack on Hub API | android | 7.6 | High | 2026-03-20
CVE-2026-32318 | Cryptomator for iOS: Tampered vault configuration allows MITM attack on Hub API | ios | 7.6 | High | 2026-03-20
CVE-2026-32303 | Cryptomator: Tampered vault configuration allows MITM attack on Hub API | cryptomator | 7.6 | High | 2026-03-20
CVE-2026-32634 | Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers | glances | 8.1 | High | 2026-03-18
CVE-2026-32632 | Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding | glances | 5.9 | Medium | 2026-03-18
CVE-2026-2457 | WebSocket Message Spoofing via Permalink Embed Manipulation | Mattermost | 4.3 | Medium | 2026-03-16
CVE-2026-32302 | OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode | openclaw | 8.1 | High | 2026-03-12
CVE-2026-30964 | Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation | webauthn-framework | 5.4 | Medium | 2026-03-10
CVE-2026-25604 | Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass | Apache Airflow Providers Amazon | 9.8 (AI) | Critical (AI) | 2026-03-09
CVE-2026-28403 | Textream Cross-Site WebSocket Hijacking (CSWSH) vulnerability | textream | 7.6 | High | 2026-03-02

Scores and severities marked (AI) are the values the listing flags as AI-estimated; "-" means no severity is given.

Vulnerabilities classified as CWE-346 (Origin Validation Error) represent 159 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.