CWE · MITRE source
CWE-302 · Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Last updated: 04 July 2026 00:28 UTC
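The description above is the whole of the weakness: the server reads a field out of client-held state (a cookie, hidden form field, or bearer token) and treats it as if only the server could have written it. The example below is added here to make that concrete; it is not MITRE's code and not code from any of the CVEs listed on this page. It shows a constructed session token in its vulnerable form (plain base64, so the client can rewrite `role`) beside a hardened form that binds every field with an HMAC and refuses tampered input. All names, the secret, and the sample user are hypothetical.

```python
"""CWE-302 worked example (added, hypothetical): an authentication token whose
`role` field the server wrongly assumes is immutable, beside a hardened version
that authenticates the token before trusting any field in it."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


# ---- Vulnerable: CWE-302 -------------------------------------------------

def issue_token_vulnerable(user: str, role: str) -> str:
    """Token is bare base64 of a JSON blob. Nothing binds it to the server,
    so anyone holding it can change `role` and the server cannot tell."""
    return _b64(json.dumps({"user": user, "role": role}).encode())


def authenticate_vulnerable(token: str) -> Optional[dict]:
    """Decodes the token and trusts `user` and `role` verbatim (the bug)."""
    try:
        return json.loads(_unb64(token))
    except ValueError:  # bad base64 or bad JSON
        return None


# ---- Attacker side -------------------------------------------------------

def tamper(token: str, **overrides) -> str:
    """Decode the payload, overwrite fields, re-encode. For a signed token the
    attacker has no key, so the original signature is simply reattached."""
    payload_b64, _, sig = token.partition(".")
    payload = json.loads(_unb64(payload_b64))
    payload.update(overrides)
    new_b64 = _b64(json.dumps(payload).encode())
    return f"{new_b64}.{sig}" if sig else new_b64


# ---- Hardened: signed token, verify before trusting -----------------------

def _sign(payload_b64: str) -> str:
    mac = hmac.new(SERVER_SECRET, payload_b64.encode(), hashlib.sha256).digest()
    return _b64(mac)


def issue_token_hardened(user: str, role: str) -> str:
    """Token is `<payload>.<hmac>`; the MAC covers the entire payload."""
    payload_b64 = _b64(json.dumps({"user": user, "role": role}).encode())
    return f"{payload_b64}.{_sign(payload_b64)}"


def authenticate_hardened(token: str) -> Optional[dict]:
    """Recompute the MAC and compare in constant time. Only after that check
    passes is any field inside the payload read, so a rewritten `role` is
    rejected rather than honoured."""
    try:
        payload_b64, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    try:
        return json.loads(_unb64(payload_b64))
    except ValueError:
        return None


if __name__ == "__main__":
    weak = issue_token_vulnerable("alice", "user")
    print("vulnerable, tampered:", authenticate_vulnerable(tamper(weak, role="admin")))
    strong = issue_token_hardened("alice", "user")
    print("hardened, tampered:", authenticate_hardened(tamper(strong, role="admin")))
```

Two caveats a reviewer would raise on the hardened half: signing stops modification but not replay, so a stolen token still works until it expires or is revoked, and the cleaner fix is often to keep only an opaque session identifier on the client and look `role` up server-side on every request, so there is no authorization data in the client's hands to sign in the first place.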
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 9 mapping(s) from 3 framework(s): CAPEC 6 (partial) · ATT&CK 2 (partial) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A07:2025 Authentication Failures.
NIST 800-53 r5 controls that address this weakness (1) · AI-drafted mapping
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IA-8 | Identification and Authentication (Non-organizational Users) | IA | Proper authentication for non-organizational users counters bypasses relying on assumed-immutable data. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-43441 | 8.0 | 9.8 | 0.6965 | 2024-12-24 |
| CVE-2016-9482 | 7.0 | 9.8 | 0.0466 | 2018-07-13 |
| CVE-2023-4669 | 7.0 | 9.8 | 0.0096 | 2023-09-14 |
| CVE-2023-4612 | 7.0 | 9.8 | 0.0094 | 2023-11-09 |
| CVE-2024-56404 | 7.0 | 9.9 | 0.0065 | 2025-01-24 |
| CVE-2025-29813 | 7.0 | 10.0 | 0.0153 | 2025-05-08 |
| CVE-2025-47158 | 7.0 | 9.0 | 0.0067 | 2025-07-18 |
| CVE-2025-63210 | 7.0 | 9.8 | 0.0050 | 2025-11-19 |
| CVE-2026-48781 | 7.0 | 9.9 | 0.0021 | 2026-06-17 |
| CVE-2024-4024 | 6.0 | 7.3 | 0.1490 | 2024-04-25 |
| CVE-2020-15074 | 5.5 | 7.5 | 0.0104 | 2020-07-14 |
| CVE-2022-22729 | 5.5 | 8.8 | 0.0091 | 2022-03-11 |
| CVE-2022-3875 | 5.5 | 7.3 | 0.0097 | 2022-12-19 |
| CVE-2024-22179 | 5.5 | 7.5 | 0.0039 | 2024-04-18 |
| CVE-2024-3741 | 5.5 | 7.5 | 0.0049 | 2024-04-18 |
| CVE-2024-49056 | 5.5 | 7.3 | 0.0104 | 2024-11-12 |
| CVE-2024-12838 | 5.5 | 8.8 | 0.0073 | 2024-12-31 |
| CVE-2025-24876 | 5.5 | 8.1 | 0.0047 | 2025-02-11 |
| CVE-2025-8855 | 5.5 | 8.1 | 0.0034 | 2025-11-14 |
| CVE-2024-45370 | 5.5 | 7.3 | 0.0015 | 2025-12-01 |
| CVE-2026-39429 | 5.5 | 8.2 | 0.0044 | 2026-04-08 |
| CVE-2026-40285 | 5.5 | 8.8 | 0.0027 | 2026-04-17 |
| CVE-2021-1399 | 3.5 | 4.3 | 0.0062 | 2021-04-08 |
| CVE-2021-1561 | 3.5 | 5.4 | 0.0074 | 2021-08-18 |
| CVE-2022-2503 | 3.5 | 6.9 | 0.0035 | 2022-08-12 |