CWE-340: Generation of Predictable Numbers or Identifiers
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
Last updated
Overview
CWE-340 (Generation of Predictable Numbers or Identifiers) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
38 recorded CVEs are caused by CWE-340 (Generation of Predictable Numbers or Identifiers). The highest-severity and most recent are shown first. 19 new CWE-340 CVEs have been recorded so far in 2026 (13 in 2025).
- CVE-2026-3256
HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids
Critical · CVSS 9.8 · EPSS 41th2026-03-28 - CVE-2025-40926
Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely
Critical · CVSS 9.8 · EPSS 35th2026-03-05 - CVE-2024-47945
Predictable Session ID
Critical · CVSS 9.8 · EPSS 54th2024-10-15 - CVE-2026-9733
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Critical · CVSS 9.1 · EPSS 26th2026-06-23 - CVE-2026-5081
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure
Critical · CVSS 9.1 · EPSS 22th2026-05-06 - CVE-2025-40931
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id
Critical · CVSS 9.1 · EPSS 44th2026-03-05 - CVE-2025-40925
Starch versions 0.14 and earlier generate session ids insecurely
Critical · CVSS 9.1 · EPSS 26th2025-09-20 - CVE-2026-11374
Account Takeover via Predictable SSO Ticket Generation
Critical · CVSS 9.0 · EPSS 66th2026-06-23 - CVE-2025-69286
RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability
High · CVSS 8.9 · EPSS 39th2025-12-31 - CVE-2025-62294
Predictable Generation of Password Recovery Token
High · CVSS 8.7 · EPSS 19th2025-11-20 - CVE-2026-9219
Setracker2 Children's Smartwatch Ecosystem Generation of Predictable Numbers or Identifiers
High · CVSS 8.3 · EPSS 10th2026-06-25 - CVE-2025-40932
Apache::SessionX versions through 2.01 for Perl create insecure session id
High · CVSS 8.2 · EPSS 10th2026-02-26
Showing 12 of 38 recorded CWE-340 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-340 vulnerabilitiesCommon consequences
What can happen when CWE-340 is exploited.
Varies by Context
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code generates a unique random identifier for a user's session.
Vulnerable example
function generateSessionID($userID){Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-29330 — Product for administering PBX systems uses predictable identifiers and timestamps for filenames (CWE-340) which allows attackers to access files via direct request (CWE-425).
- CVE-2001-1141 — PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
- CVE-1999-0074 — Listening TCP ports are sequentially allocated, allowing spoofing attacks.
Terminology & mappings
Mapped taxonomies
- PLOVER: Predictability problems
- WASC: Brute Force (11)
Frequently asked questions
Common questions about CWE-340.
- What is CWE-340?
- The product uses a scheme that generates numbers or identifiers that are more predictable than required.
- What CVEs are caused by CWE-340?
- 38 recorded CVEs are attributed to CWE-340, including CVE-2026-3256, CVE-2025-40926, CVE-2024-47945.
- How is CWE-340 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-340?
- Exploiting CWE-340 can lead to: Varies by Context.
- Is CWE-340 actively exploited?
- 38 recorded CVEs are caused by CWE-340; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-340) (opens in a new tab)
- CWE-340 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-340
Get alerted the moment a new CWE-340 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.