CWE-346: Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
Last updated
Overview
CWE-346 (Origin Validation Error) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
373 recorded CVEs are caused by CWE-346 (Origin Validation Error), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 166 new CWE-346 CVEs have been recorded so far in 2026 (68 in 2025).
- CVE-2025-34291CISA KEV
Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE
Critical · CVSS 9.4 · EPSS 100th2025-12-05 - CVE-2015-4495CISA KEVCritical · CVSS 9.4 · EPSS 99th2015-08-08
- CVE-2026-42901
Microsoft Entra ID Elevation of Privilege Vulnerability
Critical · CVSS 10.0 · EPSS 22th2026-05-22 - CVE-2023-30856Critical · CVSS 10.0 · EPSS 27th2023-04-28
- CVE-2024-32764Critical · CVSS 9.9 · EPSS 34th2024-04-26
- CVE-2023-49899
Origin Validation Error in X-Rite MA-T6
Critical · CVSS 9.82026-07-16 - CVE-2026-6508
RCE in TUBITAK BILGEM's Liderahenk
Critical · CVSS 9.8 · EPSS 13th2026-05-07 - CVE-2026-2790
Same-origin policy bypass in the Networking: JAR component
Critical · CVSS 9.8 · EPSS 14th2026-02-24 - CVE-2025-69258Critical · CVSS 9.8 · EPSS 87th2026-01-08
- CVE-2025-30466Critical · CVSS 9.8 · EPSS 17th2025-05-29
- CVE-2024-8487Critical · CVSS 9.8 · EPSS 19th2025-03-20
- CVE-2024-57965Critical · CVSS 9.8 · EPSS 29th2025-01-29
Showing 12 of 373 recorded CWE-346 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-346 vulnerabilitiesCommon consequences
What can happen when CWE-346 is exploited.
Gain Privileges or Assume Identity, Varies by Context
Affects: Access Control, Other
An attacker can access any functionality that is inadvertently accessible to the source.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This Android application will remove a user account when it receives an intent to do so:
Vulnerable example
IntentFilter filter = new IntentFilter("com.example.RemoveUser");This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
Vulnerable example
// AndroidVulnerable example
// iOSAttack input
window.location = examplescheme://method?parameter=valueIllustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2025-0411CISA KEV— Zip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file
- CVE-2000-1218 — DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
- CVE-2018-6074 — Browser does not set Mark-of-the-Web (MotW) for a downloaded .EXE file if the name is close to the maximum path length, preventing recording of a zone identifier in the filename
- CVE-2025-46652 — Zip file extraction program does not propagate Mark-of-the-Web (MotW) metadata to files that are extracted from an Internet-downloaded Zip file
- CVE-2005-0877 — DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
- CVE-2001-1452 — DNS server caches glue records received from non-delegated name servers
- CVE-2005-2188 — user ID obtained from untrusted source (URL)
- CVE-2003-0174 — LDAP service does not verify if a particular attribute was set by the LDAP server
- CVE-1999-1549 — product does not sufficiently distinguish external HTML from internal, potentially dangerous HTML, allowing bypass using special strings in the page title. Overlaps special elements.
- CVE-2003-0981 — product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS.
Terminology & mappings
Mapped taxonomies
- PLOVER: Origin Validation Error
- ISA/IEC 62443: Req SR 2.12 RE(1) (Part 3-3)
- ISA/IEC 62443: Req SD-1 (Part 4-1)
- ISA/IEC 62443: Req SR-2 (Part 4-1)
- ISA/IEC 62443: Req SVV-1 (Part 4-1)
- ISA/IEC 62443: Req CR 2.12 RE(1) (Part 4-2)
- ISA/IEC 62443: Req CR 3.1 RE(1) (Part 4-2)
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
- CAPEC-141: Cache Poisoning
- CAPEC-142: DNS Cache Poisoning
- CAPEC-160: Exploit Script-Based APIs
- CAPEC-21: Exploitation of Trusted Identifiers
- CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
- CAPEC-385: Transaction or Event Tampering via Application API Manipulation
- CAPEC-386: Application API Navigation Remapping
- CAPEC-387: Navigation Remapping To Propagate Malicious Content
- CAPEC-388: Application API Button Hijacking
- CAPEC-510: SaaS User Request Forgery
- CAPEC-59: Session Credential Falsification through Prediction
- CAPEC-60: Reusing Session IDs (aka Session Replay)
- CAPEC-75: Manipulating Writeable Configuration Files
- CAPEC-76: Manipulating Web Input to File System Calls
- CAPEC-89: Pharming
Frequently asked questions
Common questions about CWE-346.
- What is CWE-346?
- The product does not properly verify that the source of data or communication is valid.
- What CVEs are caused by CWE-346?
- 373 recorded CVEs are attributed to CWE-346, including CVE-2025-34291, CVE-2015-4495, CVE-2026-42901. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-346 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-346?
- Exploiting CWE-346 can lead to: Gain Privileges or Assume Identity, Varies by Context.
- Is CWE-346 actively exploited?
- Yes. 2 CWE-346 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 373 recorded CVEs.
References
- MITRE CWE definition (CWE-346) (opens in a new tab)
- CWE-346 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-346
Get alerted the moment a new CWE-346 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.