CWE-178: Improper Handling of Case Sensitivity
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Last updated
Overview
Improperly handled case sensitive data can lead to several possible consequences, including: case-insensitive passwords reducing the size of the key space, making brute force attacks easier bypassing filters or access controls using alternate names multiple interpretation errors using alternate names.
Real-world CVEs
47 recorded CVEs are caused by CWE-178 (Improper Handling of Case Sensitivity). The highest-severity and most recent are shown first. 26 new CWE-178 CVEs have been recorded so far in 2026 (7 in 2025).
- CVE-2026-47323
Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering
Critical · CVSS 9.8 · EPSS 70th2026-05-19 - CVE-2025-59944
Cursor IDE: Sensitive File Overwrite Bypass is Possible
Critical · CVSS 9.8 · EPSS 26th2025-10-03 - CVE-2024-5699Critical · CVSS 9.8 · EPSS 52th2024-06-11
- CVE-2023-3545Critical · CVSS 9.8 · EPSS 78th2023-11-28
- CVE-2022-29604Critical · CVSS 9.8 · EPSS 59th2023-04-20
- CVE-2004-2154Critical · CVSS 9.8 · EPSS 79th2005-07-05
- CVE-2026-40453
Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection
Critical · CVSS 9.4 · EPSS 54th2026-04-27 - CVE-2021-24347High · CVSS 8.8 · EPSS 99th2021-06-14
- CVE-2025-67718
Formio improperly authorized permission elevation through specially crafted request path
High · CVSS 8.7 · EPSS 19th2025-12-11 - CVE-2026-22665
prompts.chat Identity Confusion via Case-Sensitive Username Handling
High · CVSS 8.6 · EPSS 25th2026-04-03 - CVE-2021-39155High · CVSS 8.3 · EPSS 64th2021-08-24
- CVE-2026-48595
Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
High · CVSS 8.2 · EPSS 32th2026-06-02
Showing 12 of 47 recorded CWE-178 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-178 vulnerabilitiesCommon consequences
What can happen when CWE-178 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Operating systems
How to prevent it
Practical mitigations for CWE-178, grouped by where in the lifecycle they apply.
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent:
Vulnerable example
public String preventXSS(String input, String mask) {The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2000-0499 — Application server allows attackers to bypass execution of a jsp page and read the source code using an upper case JSP extension in the request.
- CVE-2000-0497 — The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".
- CVE-2000-0498 — The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".
- CVE-2001-0766 — A URL that contains some characters whose case is not matched by the server's filters may bypass access restrictions because the case-insensitive file system will then handle the request after it bypasses the case sensitive filter.
- CVE-2001-0795 — Server allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.
- CVE-2001-1238 — Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped.
- CVE-2003-0411 — chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".
- CVE-2002-0485 — Leads to interpretation error
- CVE-1999-0239 — Directories may be listed because lower case web requests are not properly handled by the server.
- CVE-2005-0269 — File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
- CVE-2004-1083 — Web server restricts access to files in a case sensitive manner, but the filesystem accesses files in a case insensitive manner, which allows remote attackers to read privileged files using alternate capitalization.
- CVE-2002-2119 — Case insensitive passwords lead to search space reduction.
- CVE-2004-2214 — HTTP server allows bypass of access restrictions using URIs with mixed case.
- CVE-2004-2154 — Mixed upper/lowercase allows bypass of ACLs.
- CVE-2005-4509 — Bypass malicious script detection by using tokens that aren't case sensitive.
- CVE-2002-1820 — Mixed case problem allows "admin" to have "Admin" rights (alternate name property).
- CVE-2007-3365 — Chain: uppercase file extensions causes web server to return script source code instead of executing the script.
- CVE-2021-39155 — Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.
Terminology & mappings
Mapped taxonomies
- PLOVER: Case Sensitivity (lowercase, uppercase, mixed case)
Frequently asked questions
Common questions about CWE-178.
- What is CWE-178?
- The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
- What CVEs are caused by CWE-178?
- 47 recorded CVEs are attributed to CWE-178, including CVE-2026-47323, CVE-2025-59944, CVE-2024-5699.
- How do you prevent CWE-178?
- Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
- What are the consequences of CWE-178?
- Exploiting CWE-178 can lead to: Bypass Protection Mechanism.
- Is CWE-178 actively exploited?
- 47 recorded CVEs are caused by CWE-178; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-178) (opens in a new tab)
- CWE-178 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-178
Get alerted the moment a new CWE-178 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.