CWE · MITRE source
CWE-836: Use of Password Hash Instead of Password for Authentication
The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password. As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.
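The following is an added example, not MITRE's text or code, that contrasts the two designs described above: a verifier that accepts a client-supplied hash (the CWE-836 pattern) next to one that takes the password itself and derives the salted hash on the server. The user names, passwords, salts and the PBKDF2 parameters are all constructed for the illustration; the point is that a copy of the stored hash satisfies the first check but not the second.

```python
"""
Added example (not from MITRE or any product): CWE-836 verifier beside a
server-side verifier. All credentials below are constructed test data.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed parameter; tune to your hardware budget


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (server-side key derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_store(users):
    """Build a credential store: user -> (salt, hash). Constructed data only."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _pbkdf2(password, salt))
    return store


# --- CWE-836: the stored hash is itself the credential ---------------------
def verify_client_hash(store, user, supplied_hash: bytes) -> bool:
    """Vulnerable: the client sends a hash and the server only compares it to
    the stored value. Anyone holding a copy of the stored hash (for example
    from a leaked database) passes this check without knowing the password."""
    if user not in store:
        return False
    _salt, stored = store[user]
    return hmac.compare_digest(stored, supplied_hash)


# --- Corrected: the server derives the hash from the submitted password -----
def verify_password(store, user, password: str) -> bool:
    """Safe: the password travels to the server (over TLS) and the server
    recomputes the salted hash. A leaked hash alone does not satisfy this."""
    if user not in store:
        _pbkdf2(password, b"\x00" * 16)  # spend the same time for unknown users
        return False
    salt, stored = store[user]
    return hmac.compare_digest(stored, _pbkdf2(password, salt))


def leaked_hash_outcome(store, user):
    """Model the scenario in the CWE text: the stored hash has been disclosed.
    Returns (accepted by vulnerable verifier, accepted by corrected verifier)."""
    _salt, stored = store[user]
    vulnerable_accepts = verify_client_hash(store, user, stored)
    # The corrected verifier treats whatever the client sends as a password,
    # so the hex form of the leaked hash is just a wrong password.
    corrected_accepts = verify_password(store, user, stored.hex())
    return vulnerable_accepts, corrected_accepts


if __name__ == "__main__":
    demo_store = make_store({"alice": "correct horse battery"})  # constructed
    print("leaked hash accepted (vulnerable, corrected):",
          leaked_hash_outcome(demo_store, "alice"))
    print("real password accepted:",
          verify_password(demo_store, "alice", "correct horse battery"))
```

`verify_client_hash` is the shape to look for in code review: any handler whose comparison input arrives from the client already hashed, or whose stored value can be submitted verbatim, has turned the hash into a reusable bearer credential. The corrected form also keeps a constant-time comparison and a fixed-cost path for unknown users so that the check leaks nothing through timing.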
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 4 mapping(s) from 3 framework(s): ATT&CK 2 (full) · OWASP-Web 1 (mostly) · CAPEC 1 (partial)
NIST 800-53 r5 controls that address this weakness (0)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | | | |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-23857 | 7.0 | 10.0 | 0.0119 | 2021-10-04 |
| CVE-2023-34132 | 7.0 | 9.8 | 0.0655 | 2023-07-13 |
| CVE-2023-4299 | 7.0 | 9.0 | 0.0055 | 2023-08-31 |
| CVE-2017-7927 | 6.0 | 7.3 | 0.3675 | 2017-05-06 |
| CVE-2022-32282 | 5.5 | 8.8 | 0.0159 | 2022-08-22 |
| CVE-2023-23614 | 5.5 | 8.8 | 0.0097 | 2023-01-26 |
| CVE-2023-39546 | 5.5 | 8.8 | 0.0063 | 2023-11-17 |
| CVE-2025-52543 UPD | 5.5 | 7.5 | 0.0028 | 2025-09-02 |
| CVE-2025-62618 | 5.5 | 8.0 | 0.0029 | 2025-10-31 |
| CVE-2019-25552 | 5.5 | 7.5 | 0.0040 | 2026-03-21 |
| CVE-2026-9222 | 5.5 | 8.1 | 0.0024 | 2026-06-26 |
| CVE-2023-23450 | 3.5 | 6.2 | 0.0071 | 2023-05-15 |
| CVE-2025-48925 UPD | 3.5 | 4.3 | 0.0023 | 2025-05-28 |
| CVE-2025-64471 | 3.5 | 4.9 | 0.0029 | 2025-12-09 |
| CVE-2026-40103 | 3.5 | 4.3 | 0.0022 | 2026-04-10 |
| CVE-2026-44736 | 3.5 | 6.5 | 0.0029 | 2026-06-26 |