Base weakness

Incomplete

CWE-1230: Exposure of Sensitive Information Through Metadata

The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.

Last updated May 1, 2026

24

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Developers might correctly prevent unauthorized access to a database or other resource containing sensitive information, but they might not consider that portions of the original information might also be recorded in metadata, search indices, statistical reports, or other resources. If these resources are not also restricted, then attackers might be able to extract some or all of the original information, or otherwise infer some details. For example, an attacker could specify search terms that are known to be unique to a particular person, or view metadata such as activity or creation dates in order to identify usage patterns.

Real-world CVEs

24 recorded CVEs are caused by CWE-1230 (Exposure of Sensitive Information Through Metadata). The highest-severity and most recent are shown first. 6 new CWE-1230 CVEs have been recorded so far in 2026 (12 in 2025).

High · CVSS 7.6 · EPSS 19th

2025-11-26

CVE-2025-47324

Exposure of Sensitive Information Through Metadata in Powerline Communication Firmware

High · CVSS 7.5 · EPSS 44th

2025-08-06

CVE-2025-0330

Exposure of Sensitive Information in berriai/litellm

High · CVSS 7.5 · EPSS 59th

2025-03-20

CVE-2024-53291

High · CVSS 7.5 · EPSS 62th

2024-12-25

CVE-2025-30038

Session ID leakage in Zone.Identifier of downloaded files

High · CVSS 7.3 · EPSS 10th

2025-08-27

CVE-2024-47517

Medium · CVSS 6.8 · EPSS 27th

2025-01-10

CVE-2025-59601

Exposure of Sensitive Information Through Metadata in Powerline Communication Firmware

Medium · CVSS 6.5 · EPSS 3th

2026-06-01

CVE-2024-9447

Medium · CVSS 6.5 · EPSS 55th

2025-03-20

CVE-2026-49270

Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)

Medium · CVSS 5.9 · EPSS 36th

2026-06-01

CVE-2026-29055

Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII

Medium · CVSS 5.3 · EPSS 18th

2026-03-26

Showing 12 of 24 recorded CWE-1230 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1230 vulnerabilities

Common consequences

What can happen when CWE-1230 is exploited.

Read Application Data

Affects: Confidentiality

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Frequently asked questions

Common questions about CWE-1230.

What is CWE-1230?

The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.

What CVEs are caused by CWE-1230?

24 recorded CVEs are attributed to CWE-1230, including CVE-2024-9099, CVE-2023-1974, CVE-2025-13084.

What are the consequences of CWE-1230?

Exploiting CWE-1230 can lead to: Read Application Data.

Is CWE-1230 actively exploited?

24 recorded CVEs are caused by CWE-1230; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1230

Get alerted the moment a new CWE-1230 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing