CWE · MITRE source
CWE-425 Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 5 mapping(s) from 3 framework(s): CAPEC 3 (full) · OWASP-Web 1 (full) · ATT&CK 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (6)
The 5 most specific controls are listed first; one broadly applicable control that addresses many weakness types follows at the end of the table.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-24 | Access Control Decisions | AC | Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths. |
| AC-25 | Reference Monitor | AC | Forces all accesses through the reference monitor, preventing direct or forced requests that bypass checks. |
| AC-3 | Access Enforcement | AC | Enforcing access for all logical requests prevents unauthorized direct access to protected resources. |
| SC-26 | Decoys | SC | Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis. |
| SI-9 | Information Input Restrictions | SI | Blocks unauthorized direct requests or forced browsing by denying input access to non-authorized actors. |
| AC-8 | System Use Notification | AC | Displaying the notification before further access on public systems prevents direct resource requests from bypassing the required system use terms and consent. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-26085 (KEV) | 10.0 | 5.3 | 0.9994 | 2021-08-03 |
| CVE-2024-45195 (KEV) | 10.0 | 7.5 | 0.9998 | 2024-09-04 |
| CVE-2017-17736 | 8.0 | 9.8 | 0.6936 | 2018-03-23 |
| CVE-2018-19207 | 8.0 | 9.8 | 0.8729 | 2018-11-12 |
| CVE-2024-0204 | 8.0 | 9.8 | 0.9509 | 2024-01-22 |
| CVE-2002-1798 | 7.0 | 9.1 | 0.0456 | 2002-12-31 |
| CVE-2017-10833 | 7.0 | 9.1 | 0.0154 | 2017-08-29 |
| CVE-2017-14244 | 7.0 | 9.8 | 0.1715 | 2017-09-17 |
| CVE-2018-6624 | 7.0 | 9.8 | 0.0168 | 2018-02-05 |
| CVE-2018-3774 | 7.0 | 10.0 | 0.0381 | 2018-08-12 |
| CVE-2018-18922 | 7.0 | 9.8 | 0.0243 | 2018-12-13 |
| CVE-2019-7736 | 7.0 | 9.8 | 0.0273 | 2019-02-11 |
| CVE-2019-9552 | 7.0 | 9.8 | 0.0204 | 2019-03-04 |
| CVE-2019-12583 | 7.0 | 9.1 | 0.4393 | 2019-06-27 |
| CVE-2019-9884 | 7.0 | 9.8 | 0.0296 | 2019-07-25 |
| CVE-2019-9584 | 7.0 | 9.8 | 0.0271 | 2019-08-14 |
| CVE-2019-16340 | 7.0 | 9.8 | 0.1926 | 2019-11-21 |
| CVE-2020-24203 | 7.0 | 9.8 | 0.0374 | 2020-08-27 |
| CVE-2020-24660 | 7.0 | 9.8 | 0.0234 | 2020-09-14 |
| CVE-2019-12768 | 7.0 | 9.8 | 0.0229 | 2020-12-30 |
| CVE-2020-35391 | 7.0 | 9.6 | 0.3500 | 2021-01-01 |
| CVE-2021-24215 | 7.0 | 9.8 | 0.0973 | 2021-04-12 |
| CVE-2021-36745 | 7.0 | 9.8 | 0.0902 | 2021-09-29 |
| CVE-2021-36560 | 7.0 | 9.8 | 0.0148 | 2021-11-02 |
| CVE-2022-26279 | 7.0 | 9.8 | 0.0181 | 2022-03-24 |