The product stores a password in a configuration file that might be accessible to actors who do not know the password.

What CVEs are caused by CWE-260?

24 recorded CVEs are attributed to CWE-260, including CVE-2023-53739, CVE-2025-57754, CVE-2025-25022.

How do you prevent CWE-260?

Avoid storing passwords in easily accessible locations.

How is CWE-260 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-260?

Exploiting CWE-260 can lead to: Gain Privileges or Assume Identity.

Is CWE-260 actively exploited?

24 recorded CVEs are caused by CWE-260; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-260: Password in Configuration File

2025-06-03

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Below is a snippet from a Java properties file.

Vulnerable example

java

webapp.ldap.username = secretUsername

Because the LDAP credentials are stored in plaintext, anyone with access to the file can gain access to the resource.

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

Vulnerable example

java

# Java Web App ResourceBundle properties file

CWE-260: Password in Configuration File

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-260?

What CVEs are caused by CWE-260?

How do you prevent CWE-260?

How is CWE-260 detected?

What are the consequences of CWE-260?

Is CWE-260 actively exploited?

References

Stay ahead of CWE-260

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-260?

What CVEs are caused by CWE-260?

How do you prevent CWE-260?

How is CWE-260 detected?

What are the consequences of CWE-260?

Is CWE-260 actively exploited?

References

Stay ahead of CWE-260