CWE-302: Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Last updated
Overview
CWE-302 (Authentication Bypass by Assumed-Immutable Data) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
33 recorded CVEs are caused by CWE-302 (Authentication Bypass by Assumed-Immutable Data). The highest-severity and most recent are shown first. 5 new CWE-302 CVEs have been recorded so far in 2026 (8 in 2025).
- CVE-2025-29813
Azure DevOps Elevation of Privilege Vulnerability
Critical · CVSS 10.0 · EPSS 72th2025-05-08 - CVE-2024-56404Critical · CVSS 9.9 · EPSS 47th2025-01-24
- CVE-2025-63210Critical · CVSS 9.8 · EPSS 40th2025-11-19
- CVE-2024-43441Critical · CVSS 9.8 · EPSS 99th2024-12-24
- CVE-2023-4612
MFA bypass in Apereo CAS
Critical · CVSS 9.8 · EPSS 57th2023-11-09 - CVE-2023-4669
Authentication Bypass in Exagate SYSGuard 3001
Critical · CVSS 9.8 · EPSS 58th2023-09-14 - CVE-2016-9482Critical · CVSS 9.8 · EPSS 91th2018-07-13
- CVE-2026-39429
kcp's cache server is accessible without authentication or authorization checks
Critical · CVSS 9.1 · EPSS 35th2026-04-08 - CVE-2025-47158
Azure DevOps Server Elevation of Privilege Vulnerability
Critical · CVSS 9.0 · EPSS 48th2025-07-18 - CVE-2026-47303
ASP.NET Core Elevation of Privilege Vulnerability
High · CVSS 8.8 · EPSS 44th2026-07-14 - CVE-2024-12838High · CVSS 8.8 · EPSS 50th2024-12-31
- CVE-2024-49056
Airlift.microsoft.com Elevation of Privilege Vulnerability
High · CVSS 8.8 · EPSS 60th2024-11-12
Showing 12 of 33 recorded CWE-302 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-302 vulnerabilitiesCommon consequences
What can happen when CWE-302 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-302, grouped by where in the lifecycle they apply.
Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following example, an "authenticated" cookie is used to determine whether or not a user should be granted access to a system.
Vulnerable example
boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue();Modifying the value of a cookie on the client-side is trivial, but many developers assume that cookies are essentially immutable.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2002-0367CISA KEV— DebPloit
- CVE-2004-0261 — Web auth
- CVE-2002-1730 — Authentication bypass by setting certain cookies to "true".
- CVE-2002-1734 — Authentication bypass by setting certain cookies to "true".
- CVE-2002-2064 — Admin access by setting a cookie.
- CVE-2002-2054 — Gain privileges by setting cookie.
- CVE-2004-1611 — Product trusts authentication information in cookie.
- CVE-2005-1708 — Authentication bypass by setting admin-testing variable to true.
- CVE-2005-1787 — Bypass auth and gain privileges by setting a variable.
Terminology & mappings
Mapped taxonomies
- PLOVER: Authentication Bypass via Assumed-Immutable Data
- OWASP Top Ten 2004: Unvalidated Input (A1) — CWE More Specific fit
- The CERT Oracle Secure Coding Standard for Java (2011): Do not base security checks on untrusted sources (SEC02-J)
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-10: Buffer Overflow via Environment Variables
- CAPEC-13: Subverting Environment Variable Values
- CAPEC-21: Exploitation of Trusted Identifiers
- CAPEC-274: HTTP Verb Tampering
- CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
- CAPEC-39: Manipulating Opaque Client-based Data Tokens
- CAPEC-45: Buffer Overflow via Symbolic Links
- CAPEC-77: Manipulating User-Controlled Variables
Frequently asked questions
Common questions about CWE-302.
- What is CWE-302?
- The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
- What CVEs are caused by CWE-302?
- 33 recorded CVEs are attributed to CWE-302, including CVE-2025-29813, CVE-2024-56404, CVE-2025-63210.
- Is CWE-302 part of the OWASP Top 10?
- CWE-302 maps to OWASP Top Ten 2004: Unvalidated Input (A1) in the OWASP security taxonomy.
- How do you prevent CWE-302?
- Implement proper protection for immutable data (e.g. environment variable, hidden form fields, etc.)
- What are the consequences of CWE-302?
- Exploiting CWE-302 can lead to: Bypass Protection Mechanism.
- Is CWE-302 actively exploited?
- 33 recorded CVEs are caused by CWE-302; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-302) (opens in a new tab)
- CWE-302 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-302
Get alerted the moment a new CWE-302 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.