BaseIncomplete

CWE-551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Category: auth

Description

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

Common consequences· 1

  • Access Control — Bypass Protection Mechanism

Potential mitigations· 1

  • [Architecture and Design]URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.

References

  1. https://cwe.mitre.org/data/definitions/551.html

(incoming)1

TypeTargetConfidenceTier
VulnerabilityCVE-2026-4636cve-2026-46360%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Improper Neutralization of Encoded URI Schemes in a Web Page
CAPEC
Path Traversal
CAPEC
Absolute Path Traversal
CAPEC
Relative Path Traversal
CWE
Use of Non-Canonical URL Paths for Authorization Decisions
CWE
Path Equivalence: 'fakedir/../realdir/filename'
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.