CWE-214: Invocation of Process Using Visible Sensitive Information
A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
17 recorded CVEs are caused by CWE-214 (Invocation of Process Using Visible Sensitive Information). The highest-severity and most recent are shown first. 2 new CWE-214 CVEs have been recorded so far in 2026 (4 in 2025).
Secrets Exfiltration in gradio-app/gradio
Showing 12 of 17 recorded CWE-214 CVEs.
What can happen when CWE-214 is exploited.
Read Application Data
Affects: Confidentiality
Typically introduced during these phases of the software lifecycle.
Illustrative examples from MITRE showing how the weakness appears in code.
In the example below, the password for a keystore file is read from a system property.
Vulnerable example
String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
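A defender-side check for the exposure described above, as an added example that is not MITRE's or this page's code: it parses a command line in the NUL-separated form Linux exposes under /proc/<pid>/cmdline and reports secret-bearing arguments with their values redacted. The name pattern, the sample command lines and the app.keystore.passfile property are constructed assumptions.

```python
import re

# Assumption: argument/property names that usually carry a secret value.
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[-_]?key)$", re.I)


def parse_cmdline(raw: bytes) -> list[str]:
    """Split a NUL-separated command line (Linux /proc/<pid>/cmdline layout)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_exposed_secrets(argv: list[str]) -> list[str]:
    """Return the arguments whose secret value is visible in the process list.

    Values are never returned, so the report itself does not leak them.
    """
    findings = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        if name.startswith("-D"):          # JVM system property: -Dname=value
            key = name[2:]
        elif name.startswith("-"):         # --name=value or --name value
            key = name.lstrip("-")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                value = argv[i + 1]
        else:
            continue
        if value and SENSITIVE_NAME.search(key):
            findings.append(f"{name}=<redacted>")
    return findings


# Constructed sample command lines (not taken from any real system).
VULNERABLE = b"java\0-Djavax.net.ssl.keyStorePassword=changeit\0-jar\0app.jar\0"
TWO_ARG = b"backup\0--host\0db1\0--password\0hunter2\0"
# Hypothetical hardened launch: only a path to a permission-restricted file is passed.
HARDENED = b"java\0-Dapp.keystore.passfile=/run/secrets/ks\0-jar\0app.jar\0"

if __name__ == "__main__":
    for raw in (VULNERABLE, TWO_ARG, HARDENED):
        argv = parse_cmdline(raw)
        print(argv[0], find_exposed_secrets(argv))
```

The hardened launch produces no finding because the command line carries only the location of the secret, which the program reads itself at startup.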
Real CVEs that MITRE cites as examples of this weakness.
Common questions about CWE-214.
17 recorded CVEs are attributed to CWE-214, including CVE-2020-36771, CVE-2018-16837, CVE-2019-3869.
Exploiting CWE-214 can lead to: Read Application Data.
17 recorded CVEs are caused by CWE-214; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.