CWE-223: Omission of Security-relevant Information
The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Last updated
Overview
CWE-223 (Omission of Security-relevant Information) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
8 recorded CVEs are caused by CWE-223 (Omission of Security-relevant Information). The highest-severity and most recent are shown first. 1 new CWE-223 CVE has been recorded so far in 2026 (2 in 2025).
- CVE-2023-31191Critical · CVSS 9.3 · EPSS 27th2023-07-11
- CVE-2023-29156
Denial of Service due to loss of information in DroneScout ds230 Remote ID receiver from BlueMark Innovations
Medium · CVSS 6.8 · EPSS 24th2023-07-11 - CVE-2022-44646Medium · CVSS 5.3 · EPSS 28th2022-11-03
- CVE-2026-31890
Inspektor Gadget: Tracing Denial of Service via Event Flooding
Medium · CVSS 4.8 · EPSS 4th2026-03-12 - CVE-2022-22563Medium · CVSS 4.4 · EPSS 11th2022-04-08
- CVE-2024-52813Medium · CVSS 4.3 · EPSS 37th2025-01-07
- CVE-2023-28360Medium · CVSS 4.3 · EPSS 54th2023-05-11
- CVE-2025-52926Low · CVSS 2.7 · EPSS 3th2025-06-23
Common consequences
What can happen when CWE-223 is exploited.
Hide Activities
Affects: Non-Repudiation
The source of an attack will be difficult or impossible to determine. This can allow attacks to the system to continue without notice.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code logs suspicious multiple login attempts.
Vulnerable example
function login($userName,$password){This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit.
This code prints the contents of a file if a user has permission.
Vulnerable example
function readFile($filename){While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-1999-1029 — Login attempts are not recorded if the user disconnects before the maximum number of tries.
- CVE-2002-1839 — Sender's IP address not recorded in outgoing e-mail.
- CVE-2000-0542 — Failed authentication attempts are not recorded if later attempt succeeds.
Terminology & mappings
Mapped taxonomies
- PLOVER: Omission of Security-relevant Information
Frequently asked questions
Common questions about CWE-223.
- What is CWE-223?
- The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
- What CVEs are caused by CWE-223?
- 8 recorded CVEs are attributed to CWE-223, including CVE-2023-31191, CVE-2023-29156, CVE-2022-44646.
- What are the consequences of CWE-223?
- Exploiting CWE-223 can lead to: Hide Activities.
- Is CWE-223 actively exploited?
- 8 recorded CVEs are caused by CWE-223; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-223) (opens in a new tab)
- CWE-223 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-223
Get alerted the moment a new CWE-223 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.