CWE · MITRE source
CWE-939Improper Authorization in Handler for Custom URL Scheme
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Last updated: 04 July 2026 08:17 UTC
NIST 800-53 r5 controls that address this weakness (0)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | |||
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2021-31384 | 5.5 | 7.2 | 0.0112 | 2021-10-19 |
CVE-2024-33606 | 5.5 | 8.8 | 0.0046 | 2024-06-11 |
CVE-2026-1046 | 5.5 | 7.6 | 0.0024 | 2026-02-16 |
CVE-2026-33335 | 5.5 | 8.0 | 0.0025 | 2026-03-24 |
CVE-2026-35394 | 5.5 | 8.3 | 0.0039 | 2026-04-06 |
CVE-2026-53407 UPD | 5.5 | 8.1 | 0.0023 | 2026-06-12 |
CVE-2026-53408 | 5.5 | 8.1 | 0.0021 | 2026-06-12 |
CVE-2020-11000 | 3.5 | 5.7 | 0.0121 | 2020-04-08 |
CVE-2022-20736 | 3.5 | 5.3 | 0.0098 | 2022-06-15 |
CVE-2023-43582 | 3.5 | 5.5 | 0.0066 | 2023-11-15 |
CVE-2024-35298 | 3.5 | 4.3 | 0.0029 | 2024-06-19 |
CVE-2024-41918 | 3.5 | 6.1 | 0.0030 | 2024-08-29 |
CVE-2024-45203 | 3.5 | 4.3 | 0.0028 | 2024-09-09 |
CVE-2025-5020 UPD | 3.5 | 4.3 | 0.0020 | 2025-05-21 |
CVE-2025-41408 UPD | 3.5 | 4.3 | 0.0025 | 2025-09-05 |
CVE-2026-26123 | 3.5 | 5.5 | 0.0060 | 2026-03-10 |
CVE-2026-3471 UPD | 3.5 | 6.5 | 0.0018 | 2026-05-18 |
CVE-2026-12189 | 3.5 | 5.3 | 0.0010 | 2026-06-14 |
CVE-2026-12190 | 3.5 | 5.3 | 0.0010 | 2026-06-14 |
CVE-2024-54014 | 1.5 | 3.6 | 0.0019 | 2024-12-05 |
CVE-2024-54125 | 1.5 | 3.3 | 0.0016 | 2024-12-17 |
CVE-2025-67739 | 1.5 | 3.1 | 0.0014 | 2025-12-11 |
CVE-2026-12065 | 1.5 | 1.8 | 0.0011 | 2026-06-12 |