Abstraction: Base · Status: Draft

CWE-454: External Initialization of Trusted Variables or Data Stores

Category: other

Description

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. A product should be reluctant to trust variables that were initialized outside its trust boundary, especially when they are initialized by users: the values may simply be wrong, and if an attacker can choose them, the attacker can steer what the vulnerable system does (for example, by seeding an authorization flag or a file path that later code treats as trusted).

Common consequences· 1

  • Integrity — Modify Application Data
    An attacker could gain access to and modify sensitive data or system information.

Potential mitigations· 2

  • [Implementation] A product should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.
  • [Architecture and Design] Avoid any external control of variables. If necessary, restrict the variables that can be modified using an allowlist, and use a different namespace or naming convention if possible, so that externally supplied names can never collide with internal ones.
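As an added example (not code from MITRE's entry or from the cs-graph corpus), the Python below shows the pattern this entry describes beside the two mitigations: a request handler that copies every query parameter into its internal state, and a hardened version that accepts only an allowlist of names, validates each value, and stores them under a separate namespace so a client-chosen name can never shadow a trusted key. The function names, key names and the query strings are this example's own assumptions.

```python
"""CWE-454 in Python: internal state seeded from request parameters.
Constructed example, not code from MITRE or the cs-graph corpus; the
function and key names below are this example's own assumptions."""

from urllib.parse import parse_qsl


def fresh_state():
    """Trusted internal state. The server, not the client, owns these values."""
    return {
        "is_admin": False,             # authorization decision
        "upload_dir": "/srv/uploads",  # path that later file-handling code trusts
        "user_prefs": {},              # client-influenced values live here only
    }


def _coerce(raw):
    """Loose type coercion, as frameworks that auto-import parameters often do."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if raw.isdigit():
        return int(raw)
    return raw


def apply_settings_unsafe(state, query_string):
    """CWE-454 pattern: every request parameter becomes an internal variable.

    Nothing separates client-supplied names from trusted ones, so a request
    such as ?is_admin=true&upload_dir=/etc overwrites the trusted entries.
    """
    for key, raw in parse_qsl(query_string, keep_blank_values=True):
        state[key] = _coerce(raw)
    return state


# Mitigation: an allowlist of client-settable names, each with a validator
# that returns a well-typed value or raises ValueError.
def _page_size(raw):
    n = int(raw)  # ValueError on non-numeric input
    if not 1 <= n <= 100:
        raise ValueError("page_size out of range")
    return n


def _theme(raw):
    if raw not in ("light", "dark"):
        raise ValueError("unknown theme")
    return raw


ALLOWED_PREFS = {"page_size": _page_size, "theme": _theme}


def apply_settings_safe(state, query_string):
    """Hardened: only allowlisted keys, only validated values, written into a
    separate namespace (state["user_prefs"]) so a client-chosen name can never
    shadow a trusted key such as is_admin."""
    prefs = {}
    for key, raw in parse_qsl(query_string, keep_blank_values=True):
        validator = ALLOWED_PREFS.get(key)
        if validator is None:
            continue  # not allowlisted: dropped, never stored
        try:
            prefs[key] = validator(raw)
        except ValueError:
            continue  # rejected value: the default stays in force
    state["user_prefs"] = prefs
    return state


def page_size(state):
    """Consumers read client preferences through the namespace, with a default."""
    return state["user_prefs"].get("page_size", 20)


if __name__ == "__main__":
    attack = "is_admin=true&upload_dir=/etc&page_size=500&theme=dark"
    bad = apply_settings_unsafe(fresh_state(), attack)
    print("unsafe:", bad["is_admin"], bad["upload_dir"])
    good = apply_settings_safe(fresh_state(), attack)
    print("safe:  ", good["is_admin"], good["upload_dir"], good["user_prefs"])
```

The unsafe variant lets the same request flip `is_admin` and redirect `upload_dir`; the hardened variant leaves both trusted keys untouched, discards the out-of-range `page_size`, and keeps only the validated `theme`. Code that consumes preferences reads them through `user_prefs`, so even a future allowlist entry cannot be confused with a trusted variable.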

References

  1. https://cwe.mitre.org/data/definitions/454.html

Incoming· 1

  Type           Target          Confidence   Tier
  Vulnerability  CVE-2026-26148  0%           live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improper Initialization
  • CWE: Insecure Default Variable Initialization
  • CWE: Reliance on Untrusted Inputs in a Security Decision
  • CWE: Incorrect Initialization of Resource
  • CWE: Access to Critical Private Variable via Public Method
  • CWE: Initialization of a Resource with an Insecure Default

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.