Variant · Incomplete

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Category: data-exposure

Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Common consequences (2)

  • Confidentiality — Read Application Data
    If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
  • Integrity — Gain Privileges or Assume Identity
    If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Potential mitigations (1)

  • [Implementation] Leverage the HttpOnly flag when setting a sensitive cookie in a response.
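As an added example (not part of the CWE record or MITRE's text), a small Python audit that parses Set-Cookie header values, reports sensitive cookies set without HttpOnly, and emits the hardened header; the list of sensitive cookie names and the sample headers are constructed assumptions.

```python
# Added example (not part of the CWE record): audit Set-Cookie headers for
# sensitive cookies that lack the HttpOnly attribute, and emit the hardened header.
# The cookie names below are an assumed list; adapt them to the application under review.

SENSITIVE_NAMES = {"sessionid", "jsessionid", "phpsessid", "auth_token", "connect.sid"}

def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value}).

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    flag attributes such as HttpOnly map to an empty string.
    """
    if header.lower().startswith("set-cookie:"):
        header = header[len("set-cookie:"):]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit(headers, sensitive=SENSITIVE_NAMES):
    """Return the names of sensitive cookies set without HttpOnly (CWE-1004)."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in sensitive and "httponly" not in attrs:
            findings.append(name)
    return findings

def harden_set_cookie(header: str) -> str:
    """Append HttpOnly to a Set-Cookie value that lacks it; leave others untouched."""
    if "httponly" in parse_set_cookie(header)[2]:
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"

# Constructed response headers, as a scanner or proxy might capture them.
SAMPLE_HEADERS = [
    "sessionid=8f3c2a1b; Path=/; Secure; SameSite=Lax",   # sensitive, HttpOnly missing
    "auth_token=tok_demo_123; Path=/; HttpOnly; Secure",  # sensitive, already correct
    "theme=dark; Path=/",                                  # not sensitive; no finding
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"CWE-1004: cookie {name!r} is set without HttpOnly")
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```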

References

  1. https://cwe.mitre.org/data/definitions/1004.html

Compliance frameworks addressing this (incoming, 2)

  Type               Target           Confidence   Tier
  ComplianceControl  cra-annexi-3     100%         live
  ComplianceControl  pci_dss_v4-r12   100%         live

(incoming, 4)

  Type           Target           Confidence   Tier
  Vulnerability  CVE-2025-26844   0%           live
  Vulnerability  CVE-2025-47289   0%           live
  Vulnerability  CVE-2026-35575   0%           live
  Vulnerability  CVE-2026-42239   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Reliance on Cookies without Validation and Integrity Checking
  • CWE: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
  • CWE: Cleartext Storage of Sensitive Information in a Cookie
  • CWE: Weak Authentication
  • CWE: Insufficiently Protected Credentials
  • CWE: Guessable CAPTCHA

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.