ClassDraft

CWE-636Not Failing Securely ('Failing Open')

Category: other

Description

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."

Common consequences· 1

  • Access Control — Bypass Protection Mechanism
    Intended access restrictions can be bypassed, which is often contradictory to what the product's administrator expects.

Potential mitigations· 1

  • [Architecture and Design]Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.

References

  1. https://cwe.mitre.org/data/definitions/636.html

(incoming)2

TypeTargetConfidenceTier
VulnerabilityCVE-2026-22034cve-2026-220340%live
VulnerabilityCVE-2026-40525cve-2026-405250%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Non-exit on Failed Initialization
CWE
Protection Mechanism Failure
CWE
Unchecked Return Value
CWE
Incorrect Implementation of Authentication Algorithm
CWE
Violation of Secure Design Principles
CWE
Use of Default Cryptographic Key
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.