CWE-636: Not Failing Securely ('Failing Open')

Abstraction: Class · CVEs in our corpus: 35

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."
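The access-control case described above, as an added example that is not from MITRE or this site: the same authorization gate written once with the fail-open fallback and once failing closed. `PolicyBackend`, `PolicyUnavailable`, the `Decision` values and the user and action names are hypothetical, constructed for illustration.

```python
# Added example (constructed): an authorization gate whose policy backend can fail.
import logging
from enum import Enum

log = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """Raised when the (hypothetical) policy backend cannot answer."""


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR_DENY = "error_deny"  # denied because the check itself failed


class PolicyBackend:
    """Constructed stand-in for a remote policy service."""

    def __init__(self, grants, healthy=True):
        self.grants = grants    # set of (user, action) pairs
        self.healthy = healthy  # False simulates an outage or timeout

    def is_permitted(self, user, action):
        if not self.healthy:
            raise PolicyUnavailable("policy backend timed out")
        return (user, action) in self.grants


def authorize_fail_open(backend, user, action):
    """CWE-636 pattern: an error in the check is treated as permission."""
    try:
        return Decision.ALLOW if backend.is_permitted(user, action) else Decision.DENY
    except PolicyUnavailable:
        return Decision.ALLOW  # "fail functional": the most permissive state


def authorize_fail_closed(backend, user, action):
    """Hardened form: any failure of the check denies and is surfaced."""
    try:
        permitted = backend.is_permitted(user, action)
    except Exception as exc:  # unexpected errors must not grant access either
        log.error("authz check failed for %s/%s: %s", user, action, exc)
        return Decision.ERROR_DENY
    return Decision.ALLOW if permitted else Decision.DENY
```

Returning a distinct `ERROR_DENY` and logging it keeps the outage visible to administrators instead of hiding it behind normal-looking allow or deny results.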

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 13 mapping(s) from 2 framework(s): ASVS 5.0: 12 (full) · OWASP-Web: 1 (full)

OWASP Top 10 for Web (2025)

This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.

NIST 800-53 r5 controls that address this weakness (9) · AI

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-13 | Predictable Failure Prevention | SI | Standby components and explicit exchange criteria enforce a controlled, secure failover instead of failing open. |
| SI-17 | Fail-safe Procedures | SI | Directly implements fail-safe (fail-closed/secure) behavior on indicated failures, preventing the system from defaulting to an insecure open state. |
| SI-6 | Security and Privacy Function Verification | SI | Failed verification tests trigger alerts, reducing the window for exploitation when systems fail open. |
| AU-15 | Alternate Audit Logging Capability | AU | Ensures audit logging continues on primary failure instead of failing open with no logging capability. |
| AU-5 | Response to Audit Logging Process Failures | AU | Supports failing securely by requiring alerts and configurable actions (e.g., shutdown) when the audit mechanism fails instead of continuing without it. |
| CP-12 | Safe Mode | CP | Entering safe mode when conditions are detected prevents failing open and continuing normal operation in a potentially exploitable state. |
| CP-13 | Alternative Security Mechanisms | CP | Ensures security functions remain enforced via alternatives instead of defaulting to an insecure state when the primary means fails. |
| SA-8 | Security and Privacy Engineering Principles | SA | Fail-safe-defaults principle prevents systems from failing open. |
| SC-24 | Fail in Known State | SC | Directly requires transition to a known (secure) state on failure, preventing fail-open behavior. |

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-3729 | 7.0 | 9.8 | 0.0081 | 2024-05-02 |
| CVE-2026-22034 | 7.0 | 9.8 | 0.0066 | 2026-01-08 |
| CVE-2026-40525 | 7.0 | 9.1 | 0.0057 | 2026-04-17 |
| CVE-2024-43532 | 6.0 | 8.8 | 0.1171 | 2024-10-08 |
| CVE-2021-1578 | 5.5 | 8.8 | 0.0197 | 2021-08-25 |
| CVE-2023-28840 | 5.5 | 7.5 | 0.0273 | 2023-04-04 |
| CVE-2023-4030 | 5.5 | 8.4 | 0.0018 | 2023-08-17 |
| CVE-2024-8185 | 5.5 | 7.5 | 0.0048 | 2024-10-31 |
| CVE-2026-35042 | 5.5 | 7.5 | 0.0015 | 2026-04-06 |
| CVE-2026-35205 UPD | 5.5 | 7.8 | 0.0018 | 2026-04-09 |
| CVE-2026-40247 | 5.5 | 7.5 | 0.0049 | 2026-04-16 |
| CVE-2026-40248 | 5.5 | 7.5 | 0.0043 | 2026-04-16 |
| CVE-2026-42423 | 5.5 | 7.5 | 0.0032 | 2026-04-28 |
| CVE-2026-42246 UPD | 5.5 | 7.4 | 0.0032 | 2026-05-09 |
| CVE-2026-54762 | 5.5 | 8.6 | 0.0036 | 2026-06-23 |
| CVE-2021-3614 | 3.5 | 6.4 | 0.0024 | 2021-07-16 |
| CVE-2023-22943 | 3.5 | 4.8 | 0.0032 | 2023-02-14 |
| CVE-2023-28841 | 3.5 | 6.8 | 0.0070 | 2023-04-04 |
| CVE-2023-28842 | 3.5 | 6.8 | 0.0144 | 2023-04-04 |
| CVE-2024-2660 UPD | 3.5 | 6.4 | 0.0030 | 2024-04-04 |
| CVE-2025-21210 | 3.5 | 4.2 | 0.0111 | 2025-01-14 |
| CVE-2025-41759 | 3.5 | 4.9 | 0.0032 | 2026-03-09 |
| CVE-2025-41760 | 3.5 | 4.9 | 0.0032 | 2026-03-09 |
| CVE-2026-27448 | 3.5 | 5.3 | 0.0024 | 2026-03-18 |
| CVE-2026-40249 | 3.5 | 5.3 | 0.0032 | 2026-04-16 |