CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class (373 CVEs)

373 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). An AI-generated analysis is included.

CWE-522 covers the case where a product transmits or stores authentication credentials in a way that lets an unauthorized party intercept or retrieve them. On the transmission side this means credentials sent over cleartext protocols, placed in URL query strings (where they land in browser history, proxy and server access logs, and Referer headers), or forwarded by a client to a host other than the one they were issued for, as happens with a cross-host redirect. On the storage side it means passwords or secrets kept in plaintext in configuration files, source repositories, build logs, local databases or browser storage that other users or processes can read. An attacker who sniffs the traffic or reads the storage obtains a working credential and can act as the victim account without defeating any other control.

The countermeasures depend on the kind of credential. Credentials in transit belong in a TLS-protected request body or header, never in a URL, and a client must drop Authorization, Cookie and similar headers when a redirect changes the origin. Passwords that the system verifies should be stored only as salted hashes produced by a deliberately slow function such as bcrypt, scrypt or Argon2 and compared in constant time. Secrets that the system must present to another party (database passwords, API keys, signing secrets) cannot be hashed, so they belong in a keystore or secret manager with access limited to the process that needs them, and must be kept out of logs and source control. Applying least privilege to the accounts those credentials unlock limits the damage when one does leak, and periodic audits of how credentials flow through the system catch new exposure points.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Mitigations (3)
Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password.

```php
// The new password arrives in the URL query string, so it is written to the
// browser history, proxy and web-server access logs, and the Referer header
// of any link followed from this page.
$user = $_GET['user'];
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
if ($pass == $checkpass) {
    SetUserPassword($user, $pass);
}
```

Bad · PHP
The following code reads a password from a properties file and uses the password to connect to a database.

```java
...
// The database password sits in cleartext in config.properties; anyone who can
// read that file (other local users, backups, source control) has the credential.
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
```

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41506 | go-git Credential leak via cross-host redirect in smart HTTP transport | go-git | 4.7 | Medium | 2026-05-08
CVE-2025-62345 | HCL BigFix RunBookAI is affected by a Continued availability of Less-Secure "Input Text" Vulnerability | BigFix RunBookAI | 2.7 | Low | 2026-05-06
CVE-2026-23927 | Agent 2 Oracle plugin TNS connection string injection via the 'service' parameter | Zabbix | - | - | 2026-05-06
CVE-2026-42367 | GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi privilege escalation vulnerability via leak of Administrator credentials | GV-LPC2011/LPC2211 | 6.5 | Medium | 2026-05-04
CVE-2026-6446 | My Social Feeds <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'ttp_get_accounts' AJAX Action | My Social Feeds – Social Feeds Embedder Plugin for WordPress | 5.4 | Medium | 2026-05-02
CVE-2026-35155 | Dell iDRAC10 security vulnerability | iDRAC10 | 7.1 | High | 2026-04-29
CVE-2026-7038 | tufantunc ssh-mcp Command Line index.ts insufficiently protected credentials | ssh-mcp | 3.3 | Low | 2026-04-26
CVE-2026-39462 | SenseLive X3050 Insufficiently Protected Credentials | X3050 | 8.1 | High | 2026-04-23
CVE-2026-41345 | OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download | OpenClaw | 5.3 | Medium | 2026-04-23
CVE-2026-6408 | Tanium addressed an information disclosure vulnerability in Tanium Server. | Tanium Server | 2.7 | Low | 2026-04-22
CVE-2025-15622 | Sparx Enterprise Architect Client reveals plaintext OAuth2 client secret | Sparx Enterprise Architect | 6.5 (AI) | Medium (AI) | 2026-04-17
CVE-2025-36568 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain BoostFS | 7.8 | High | 2026-04-17
CVE-2025-15621 | Sparx Enterprise Architect Client does not verify the receiver of OAuth2 credentials during OpenID authentication | Sparx Enterprise Architect | 8.8 (AI) | High (AI) | 2026-04-16
CVE-2026-32171 | Azure Logic Apps Elevation of Privilege Vulnerability | Azure Logic Apps | 8.8 | High | 2026-04-14
CVE-2026-27316 | Fortinet FortiSandbox security vulnerability | FortiSandbox | 2.5 | Low | 2026-04-14
CVE-2026-34262 | Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer | SAP HANA Cockpit and HANA Database Explorer | 5.0 | Medium | 2026-04-14
CVE-2026-35467 | Private Key stored as extractable in browser IndexeDB | cveClient/encrypt-storage.js | 7.5 (AI) | High (AI) | 2026-04-02
CVE-2026-33575 | OpenClaw < 2026.3.12 - Long-lived Credential Exposure in Pairing Setup Codes | OpenClaw | 7.5 | High | 2026-03-29
CVE-2025-15617 | Wazuh GitHub Actions Workflow Exposure of Sensitive Credentials | Wazuh (GitHub Actions) | 6.5 | Medium | 2026-03-27
CVE-2025-13478 | Cache Misconfiguration Leading to Cross-User Data Exposure | Identity Manager | 3.1 | - | 2026-03-27
CVE-2025-36440 | Multiple Vulnerabilities in IBM Concert Software | Concert | 5.1 | Medium | 2026-03-25
CVE-2025-14790 | IBM InfoSphere Information Server is vulnerable to disclosure of sensitive information | InfoSphere Information Server | 6.5 | Medium | 2026-03-25
CVE-2025-64998 | Session hijacking via exposed session signing secret in distributed Checkmk setups | Checkmk | 6.5 | - | 2026-03-24
CVE-2026-32913 | OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects | OpenClaw | 9.3 | Critical | 2026-03-23
CVE-2026-31926 | IGL-Technologies eParking.fi Insufficiently Protected Credentials | eParking.fi | 6.5 | Medium | 2026-03-20
CVE-2026-28204 | CTEK Chargeportal Insufficiently Protected Credentials | Chargeportal | 6.5 | Medium | 2026-03-20
CVE-2026-23658 | Azure DevOps: msazure Elevation of Privilege Vulnerability | Azure DevOps: msazure | 8.6 | High | 2026-03-19
CVE-2026-32606 | IncusOS has a LUKS encryption bypass due to insufficient TPM policy | incus-os | 7.7 | High | 2026-03-18
CVE-2026-27027 | Everon api.everon.io Insufficiently Protected Credentials | api.everon.io | 6.5 | Medium | 2026-03-06
CVE-2026-27777 | Mobiliti e-mobi.hu Insufficiently Protected Credentials | e-mobi.hu | 6.5 | Medium | 2026-03-06

"(AI)" reproduces the page's AI badge on that score or severity; "-" means the page shows no value.

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) represent 373 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.
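Several entries in the table (go-git CVE-2026-41506, OpenClaw CVE-2026-41345 and CVE-2026-32913) describe the same transmission-side pattern: an HTTP client keeps sending its Authorization header after being redirected to a different host. The Python below is an added example, not code from go-git, OpenClaw or any other project listed here. It simulates a redirect chain against constructed in-memory responses (the hostnames and the Basic credential are made up) and shows the one check that closes the hole: compare the origin of the redirect target with the origin the credential was sent to, and drop credential-bearing headers when they differ. A same-origin hop keeps the headers, which is why the client still works against a server that redirects within itself.

```python
from urllib.parse import urljoin, urlsplit

# Constructed responses for the simulation: URL -> (status, headers, body).
# The hostnames are made up for this example and are not real servers.
SERVERS = {
    # Same-origin redirect: forwarding the credential here is fine.
    "https://git.example.com/moved":
        (301, {"Location": "/repo.git/info/refs"}, b""),
    # Cross-origin redirect: a credential forwarded here is leaked.
    "https://git.example.com/repo.git/info/refs":
        (302, {"Location": "https://attacker.example.net/collect"}, b""),
    "https://attacker.example.net/collect": (200, {}, b"captured"),
}

# Headers that carry a credential and must not cross an origin boundary.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://a.example.com and https://a.example.com:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def headers_for_redirect(headers, from_url, to_url):
    """Headers to send to to_url: unchanged for a same-origin hop, minus the
    credential headers when the redirect leaves the origin."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def fetch(url, headers, strip_on_cross_origin=True, max_redirects=5, sent=None):
    """Simulated client. `sent` collects (url, headers) for every request made,
    so a caller can see exactly what each host received. With
    strip_on_cross_origin=False it behaves like the vulnerable clients."""
    for _ in range(max_redirects + 1):
        if sent is not None:
            sent.append((url, dict(headers)))
        status, resp_headers, body = SERVERS.get(url, (404, {}, b""))
        location = resp_headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            next_url = urljoin(url, location)   # Location may be relative
            if strip_on_cross_origin:
                headers = headers_for_redirect(headers, url, next_url)
            url = next_url
            continue
        return status, body
    raise RuntimeError("too many redirects")


def hosts_receiving_auth(start_url, strip_on_cross_origin):
    """Map each host contacted to whether it received the Authorization header."""
    sent = []
    # "user:s3cr3t" in Basic form; a constructed credential for the example.
    fetch(start_url, {"Authorization": "Basic dXNlcjpzM2NyM3Q="},
          strip_on_cross_origin=strip_on_cross_origin, sent=sent)
    return {urlsplit(u).hostname: "Authorization" in h for u, h in sent}


if __name__ == "__main__":
    start = "https://git.example.com/moved"
    print("vulnerable client:", hosts_receiving_auth(start, strip_on_cross_origin=False))
    print("fixed client:     ", hosts_receiving_auth(start, strip_on_cross_origin=True))
```

The origin comparison, not the hostname string alone, is what matters: a downgrade from https to http on the same host also crosses a boundary and should strip the credential. Mainstream clients already do this (curl sends the -u credential to other hosts only with --location-trusted, and Python's requests library removes Authorization when the host changes); the table entries are cases where a custom or wrapped client did not.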