CWE-1275: Sensitive Cookie with Improper SameSite Attribute
The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
Last updated
Overview
The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: 'Lax', 'Strict', or 'None'. If the 'None' value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).
Real-world CVEs
16 recorded CVEs are caused by CWE-1275 (Sensitive Cookie with Improper SameSite Attribute). The highest-severity and most recent are shown first. 8 new CWE-1275 CVEs have been recorded so far in 2026 (5 in 2025).
- CVE-2024-6611
Incorrect handling of SameSite cookies
Critical · CVSS 9.8 · EPSS 48th2024-07-09 - CVE-2025-52628
HCL AION is susceptible to Missing SameSite vulnerability
High · CVSS 8.8 · EPSS 9th2026-02-03 - CVE-2023-53957
Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
High · CVSS 8.5 · EPSS 39th2025-12-19 - CVE-2025-36134
IBM Sterling B2B Integrator and IBM Sterling File Gateway information disclosure
High · CVSS 7.5 · EPSS 18th2025-11-25 - CVE-2025-24387
Missing CSRF protection
Medium · CVSS 6.5 · EPSS 4th2025-03-10 - CVE-2022-38386Medium · CVSS 5.9 · EPSS 37th2024-05-01
- CVE-2024-30155Medium · CVSS 5.5 · EPSS 11th2025-03-26
- CVE-2024-42212Medium · CVSS 5.4 · EPSS 10th2025-05-05
- CVE-2026-55688
AsyncHttpClient: Cookie stored for an unrelated domain (cookie tossing) via ThreadSafeCookieStore
Medium · CVSS 4.0 · EPSS 8th2026-07-01 - CVE-2024-43173Low · CVSS 3.7 · EPSS 11th2024-10-22
- CVE-2026-8416
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)
Low · CVSS 2.3 · EPSS 3th2026-05-21 - CVE-2026-8427
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)
Low · CVSS 2.3 · EPSS 3th2026-05-21
Showing 12 of 16 recorded CWE-1275 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1275 vulnerabilitiesCommon consequences
What can happen when CWE-1275 is exploited.
Modify Application Data
Affects: Confidentiality, Integrity, Non-Repudiation, Access Control
If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposure to CSRF attacks. The likelihood of the integrity breach is Low because a successful attack does not only depend on an insecure SameSite attribute. In order to perform a CSRF attack there are many conditions that must be met, such as the lack of CSRF tokens, no confirmations for sensitive actions on the website, a "simple" "Content-Type" header in the HTTP request and many more.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1275, grouped by where in the lifecycle they apply.
Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.
Effectiveness: High — While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XmlHttpResponse to read the headers directly and obtain the cookie.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID.
Attack input
<form id=evil action="http://local:3002/setEmail" method="POST">Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-24045 — Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the SameSite security attribute, allowing the cookie to be sniffed
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1275.
- What is CWE-1275?
- The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
- What CVEs are caused by CWE-1275?
- 16 recorded CVEs are attributed to CWE-1275, including CVE-2024-6611, CVE-2025-52628, CVE-2023-53957.
- How do you prevent CWE-1275?
- Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.
- How is CWE-1275 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1275?
- Exploiting CWE-1275 can lead to: Modify Application Data.
- Is CWE-1275 actively exploited?
- 16 recorded CVEs are caused by CWE-1275; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1275) (opens in a new tab)
- CWE-1275 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1275
Get alerted the moment a new CWE-1275 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.