Abstraction: Base · Status: Incomplete

CWE-302: Authentication Bypass by Assumed-Immutable Data

Category: auth

Description

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Common consequences · 1

  • Access Control — Bypass Protection Mechanism

Potential mitigations · 1

  • [Architecture and Design, Operation, Implementation] Implement proper protection for data that must stay immutable (e.g. environment variables, hidden form fields, etc.)
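The weakness and the mitigation side by side, as an added example that is not part of the CWE entry: a handler that trusts a hidden form field as the user's role, beside a version that takes the role from server-side session state, and an HMAC tag for values that must round-trip through the client. The session store, key and function names are assumptions for the demo.

```python
import hmac
import hashlib

# Constructed sample data: a server-side session store keyed by session id.
SESSIONS = {"sess-1": {"user": "alice", "role": "user"}}
# Constructed secret for the demo; a real deployment loads it from a key store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def authorize_vulnerable(form):
    """CWE-302: the hidden form field 'role' is assumed immutable, but the
    client controls every byte of the form, so anyone can send role=admin."""
    return form.get("role") == "admin"

def authorize_fixed(cookies, form):
    """Mitigation: the role is never read from the client; it is looked up in
    server-side state bound to the session id, and the form field is ignored."""
    session = SESSIONS.get(cookies.get("sid"))
    return session is not None and session["role"] == "admin"

def sign(value):
    """When a value must round-trip through the client (hidden field, cookie),
    bind it to a server-held key so any modification is detectable."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag

def verify(token):
    """Return the embedded value only if its tag verifies (constant-time)."""
    value, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None

def authorize_signed(form):
    """Accept a client-carried role only when its HMAC tag checks out."""
    return verify(form.get("role_token", "")) == "admin"

if __name__ == "__main__":
    tampered = {"role": "admin"}  # a form whose hidden field was edited
    print("vulnerable:", authorize_vulnerable(tampered))                      # True
    print("session-bound:", authorize_fixed({"sid": "sess-1"}, tampered))     # False
    print("signed, bad tag:", authorize_signed({"role_token": "admin.0"}))    # False
    print("signed, genuine:", authorize_signed({"role_token": sign("admin")}))  # True
```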

Related CAPEC attack patterns · 8

  • CAPEC-10
  • CAPEC-13
  • CAPEC-21
  • CAPEC-274
  • CAPEC-31
  • CAPEC-39
  • CAPEC-45
  • CAPEC-77

References

  1. https://cwe.mitre.org/data/definitions/302.html

Exploits (incoming) · 8

Type | Target | Confidence | Tier
AttackPattern | Buffer Overflow via Symbolic Links (capec-45) | 100% | live
AttackPattern | Exploitation of Trusted Identifiers (capec-21) | 100% | live
AttackPattern | Buffer Overflow via Environment Variables (capec-10) | 100% | live
AttackPattern | Manipulating User-Controlled Variables (capec-77) | 100% | live
AttackPattern | HTTP Verb Tampering (capec-274) | 100% | live
AttackPattern | Subverting Environment Variable Values (capec-13) | 100% | live
AttackPattern | Accessing/Intercepting/Modifying HTTP Cookies (capec-31) | 100% | live
AttackPattern | Manipulating Opaque Client-based Data Tokens (capec-39) | 100% | live

Vulnerabilities (incoming) · 7

Type | Target | Confidence | Tier
Vulnerability | CVE-2025-24876 (cve-2025-24876) | 0% | live
Vulnerability | CVE-2025-29813 (cve-2025-29813) | 0% | live
Vulnerability | CVE-2025-47158 (cve-2025-47158) | 0% | live
Vulnerability | CVE-2025-63210 (cve-2025-63210) | 0% | live
Vulnerability | CVE-2025-8855 (cve-2025-8855) | 0% | live
Vulnerability | CVE-2026-39429 (cve-2026-39429) | 0% | live
Vulnerability | CVE-2026-40285 (cve-2026-40285) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Authentication Bypass by Primary Weakness
  • CWE: Authentication Bypass by Spoofing
  • CWE: Authorization Bypass Through User-Controlled Key
  • CWE: Incorrect Implementation of Authentication Algorithm
  • CWE: Improper Authentication
  • CWE: DEPRECATED: Authentication Bypass Issues

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.