CWE-186: Overly Restrictive Regular Expression
A regular expression is overly restrictive, which prevents dangerous values from being detected.
Last updated
Overview
This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.
Real-world CVEs
1 recorded CVEs are caused by CWE-186 (Overly Restrictive Regular Expression). The highest-severity and most recent are shown first. 0 new CWE-186 CVEs have been recorded so far in 2026 (1 in 2025).
Common consequences
What can happen when CWE-186 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.