CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
Last updated
Overview
This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.
Real-world CVEs
13 recorded CVEs are caused by CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize). The highest-severity and most recent are shown first. 8 new CWE-180 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2026-34475Critical · CVSS 9.8 · EPSS 10th2026-03-27
- CVE-2022-26136Critical · CVSS 9.8 · EPSS 90th2022-07-20
- CVE-2026-24895
FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files
High · CVSS 8.9 · EPSS 44th2026-02-12 - CVE-2022-26137High · CVSS 8.8 · EPSS 77th2022-07-20
- CVE-2026-52747
ModSecurity: Multipart form-data parser silently strips embedded line breaks from form-field values, enabling request-body inspection bypass
High · CVSS 8.6 · EPSS 38th2026-07-10 - CVE-2026-48721
Warp: Env-var prefixes can lead to denylisted command autoexecution
High · CVSS 8.6 · EPSS 4th2026-06-24 - CVE-2026-39364
Vite has a `server.fs.deny` bypass with queries
High · CVSS 8.2 · EPSS 80th2026-04-07 - CVE-2025-33194High · CVSS 7.1 · EPSS 3th2025-11-25
- CVE-2026-45022
go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
High · CVSS 7.0 · EPSS 6th2026-05-27 - CVE-2026-39409
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Medium · CVSS 6.3 · EPSS 26th2026-04-08 - CVE-2025-43716Medium · CVSS 5.8 · EPSS 65th2025-04-23
- CVE-2026-34786
Rack: Rack::Static header_rules bypass via URL-encoded paths
Medium · CVSS 5.3 · EPSS 9th2026-04-02
Showing 12 of 13 recorded CWE-180 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-180 vulnerabilitiesCommon consequences
What can happen when CWE-180 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-180, grouped by where in the lifecycle they apply.
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".
Vulnerable example
String path = getInputPath();Safe example
String path = getInputPath();Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2002-0433 — List files in web server using "*.ext"
- CVE-2003-0332 — Product modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension.
- CVE-2002-0802 — Database consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.
- CVE-2000-0191 — Overlaps "fakechild/../realchild"
- CVE-2004-2363 — Product checks URI for "<" and other literal characters, but does it before hex decoding the URI, so "%3E" and other sequences are allowed.
Terminology & mappings
Mapped taxonomies
- PLOVER: Validate-Before-Canonicalize
- OWASP Top Ten 2004: Unvalidated Input (A1) — CWE More Specific fit
- The CERT Oracle Secure Coding Standard for Java (2011): Normalize strings before validating them (IDS01-J) — Exact fit
- SEI CERT Oracle Coding Standard for Java: Normalize strings before validating them (IDS01-J) — Exact fit
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-267: Leverage Alternate Encoding
- CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
- CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
- CAPEC-78: Using Escaped Slashes in Alternate Encoding
- CAPEC-79: Using Slashes in Alternate Encoding
- CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
Frequently asked questions
Common questions about CWE-180.
- What is CWE-180?
- The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
- What CVEs are caused by CWE-180?
- 13 recorded CVEs are attributed to CWE-180, including CVE-2026-34475, CVE-2022-26136, CVE-2026-24895.
- Is CWE-180 part of the OWASP Top 10?
- CWE-180 maps to OWASP Top Ten 2004: Unvalidated Input (A1) in the OWASP security taxonomy.
- How do you prevent CWE-180?
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- What are the consequences of CWE-180?
- Exploiting CWE-180 can lead to: Bypass Protection Mechanism.
- Is CWE-180 actively exploited?
- 13 recorded CVEs are caused by CWE-180; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-180) (opens in a new tab)
- CWE-180 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-180
Get alerted the moment a new CWE-180 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.