CWE · MITRE source
CWE-501: Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.
A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary, that is, to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.
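The pattern above, as an added example that is not part of the CWE entry: a session dict that mixes a server-assigned value with a raw request parameter (the violation), beside a hardened version in which distinct types record which side of the boundary a value is on and the session store refuses anything that has not passed validation. The `theme` parameter, the allowlist and the session classes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict

ALLOWED_THEMES = frozenset({"light", "dark"})  # constructed allowlist for the example

# Vulnerable pattern (CWE-501): a server-assigned value and a raw request value
# share one dict, so consumers of the dict cannot tell which one was validated.
def vulnerable_session(params: Dict[str, str]) -> Dict[str, Any]:
    session: Dict[str, Any] = {"user_id": 42}        # trusted: set by the auth layer
    session["theme"] = params.get("theme", "light")  # untrusted: copied from the request
    return session

def vulnerable_theme_file(session: Dict[str, Any]) -> str:
    # Treats everything in the session as trusted, including the raw request value.
    return "/themes/" + session["theme"] + ".css"

# Hardened pattern: distinct types mark which side of the boundary a value is on,
# and the session store only accepts values that have been through validation.
@dataclass(frozen=True)
class Untrusted:
    value: str

@dataclass(frozen=True)
class Validated:
    value: str

def validate_theme(raw: Untrusted) -> Validated:
    if raw.value not in ALLOWED_THEMES:
        raise ValueError(f"theme {raw.value!r} is not in the allowlist")
    return Validated(raw.value)

class TrustedSession:
    def __init__(self, user_id: int) -> None:
        # Identity comes from the auth layer, so it enters as Validated.
        self._data: Dict[str, Validated] = {"user_id": Validated(str(user_id))}

    def set(self, key: str, item: Validated) -> None:
        if not isinstance(item, Validated):
            raise TypeError("only Validated values may be stored in the session")
        self._data[key] = item

    def get(self, key: str) -> str:
        return self._data[key].value

def hardened_session(params: Dict[str, str]) -> TrustedSession:
    session = TrustedSession(user_id=42)
    session.set("theme", validate_theme(Untrusted(params.get("theme", "light"))))
    return session

def hardened_theme_file(session: TrustedSession) -> str:
    return "/themes/" + session.get("theme") + ".css"
```

The vulnerable version stores whatever the request sent and later code treats it as trusted; the hardened version cannot even compile a raw request value into the session without going through `validate_theme`.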
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 1 mapping(s) from 1 framework(s): OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A06:2025 Insecure Design.
NIST 800-53 r5 controls that address this weakness (9) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-20 | Use of External Systems | AC | Establishes and maintains trust boundaries with external organizations before allowing their systems to interact with organization resources. |
| AC-4 | Information Flow Enforcement | AC | Prevents information from crossing trust boundaries without explicitly approved authorizations. |
| CA-3 | Information Exchange | CA | Defining interfaces, controls, and trust responsibilities in agreements helps prevent violations of trust boundaries during data exchanges. |
| CA-9 | Internal System Connections | CA | Authorizing and reviewing connections helps maintain proper trust boundaries between internal components. |
| SC-16 | Transmission of Security and Privacy Attributes | SC | Explicitly binding attributes to information crossing trust boundaries prevents loss of security context that leads to trust-boundary violations. |
| SC-46 | Cross Domain Policy Enforcement | SC | By mediating every interface between security domains, the mechanism upholds trust boundaries and blocks violations that would allow untrusted data or commands to cross. |
| MP-5 | Media Transport | MP | Controlling media movement outside controlled areas maintains separation between internal and external trust boundaries. |
| PM-24 | Data Integrity Board | PM | Review of inter-system matching programs identifies and corrects trust-boundary violations before data crosses organizational or policy domains. |
| PT-3 | Personally Identifiable Information Processing Purposes | PT | Defines explicit trust boundaries for PII use via documented purposes and prevents processing outside those boundaries. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-61884 (KEV) | 10.0 | 7.5 | 0.9758 | 2025-10-12 |
| CVE-2025-48938 (UPD) | 7.0 | 9.8 | 0.0043 | 2025-05-30 |
| CVE-2026-25725 | 7.0 | 10.0 | 0.0042 | 2026-02-06 |
| CVE-2026-35051 (UPD) | 7.0 | 10.0 | 0.0027 | 2026-04-30 |
| CVE-2026-48746 (UPD) | 7.0 | 9.1 | 0.0086 | 2026-06-22 |
| CVE-2020-4076 | 5.5 | 7.8 | 0.0037 | 2020-07-07 |
| CVE-2020-4077 | 5.5 | 7.7 | 0.0100 | 2020-07-07 |
| CVE-2023-0629 | 5.5 | 7.1 | 0.0022 | 2023-03-13 |
| CVE-2023-28597 | 5.5 | 8.3 | 0.0052 | 2023-03-27 |
| CVE-2023-49788 | 5.5 | 7.2 | 0.0050 | 2023-12-08 |
| CVE-2024-23682 (UPD) | 5.5 | 8.2 | 0.0035 | 2024-01-19 |
| CVE-2024-3661 | 5.5 | 7.6 | 0.0406 | 2024-05-06 |
| CVE-2024-49050 | 5.5 | 8.8 | 0.0121 | 2024-11-12 |
| CVE-2025-49714 (UPD) | 5.5 | 7.8 | 0.0040 | 2025-07-08 |
| CVE-2025-64496 | 5.5 | 7.3 | 0.0777 | 2025-11-08 |
| CVE-2025-14542 | 5.5 | 7.5 | 0.0022 | 2025-12-13 |
| CVE-2026-4687 (UPD) | 5.5 | 8.6 | 0.0054 | 2026-03-24 |
| CVE-2026-27893 (UPD) | 5.5 | 8.8 | 0.0136 | 2026-03-27 |
| CVE-2026-34780 (UPD) | 5.5 | 8.3 | 0.0033 | 2026-04-04 |
| CVE-2026-33828 (UPD) | 5.5 | 7.8 | 0.0031 | 2026-06-09 |
| CVE-2019-0035 | 3.5 | 6.8 | 0.0040 | 2019-04-10 |
| CVE-2020-15096 | 3.5 | 6.8 | 0.0081 | 2020-07-07 |
| CVE-2022-1799 | 3.5 | 5.7 | 0.0025 | 2022-07-29 |
| CVE-2022-20826 | 3.5 | 6.4 | 0.0032 | 2022-11-15 |
| CVE-2023-0627 | 3.5 | 6.7 | 0.0024 | 2023-09-25 |