The product does not properly verify that the source of data or communication is valid.
CWE-346 (Origin Validation Error) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
316 recorded CVEs are caused by CWE-346 (Origin Validation Error), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 109 new CWE-346 CVEs have been recorded so far in 2026 (68 in 2025).
Microsoft Entra ID Elevation of Privilege Vulnerability
What can happen when CWE-346 is exploited.
Gain Privileges or Assume Identity, Varies by Context
Affects: Access Control, Other
An attacker can access any functionality that is inadvertently accessible to the source.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Illustrative examples from MITRE showing how the weakness appears in code.
This Android application will remove a user account when it receives an intent to do so:
Vulnerable example

IntentFilter filter = new IntentFilter("com.example.RemoveUser");

This application does not check the origin of the intent, so any malicious application on the device can broadcast that action and remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the AndroidManifest.xml file.
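The registration line above placed next to two hardened registrations, as an added example that is not MITRE's code. The class name RemoveUserReceiver, the helper destroyUserData() and the permission string com.example.permission.REMOVE_USER are assumed; the permission must also be declared in AndroidManifest.xml with android:protectionLevel="signature" so that only applications signed with the same key can hold it, which is the manifest allowlist the text refers to.

```java
// Added example (not MITRE's code). Assumed names: RemoveUserReceiver,
// destroyUserData(), and the permission com.example.permission.REMOVE_USER.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

public class RemoveUserReceiver extends BroadcastReceiver {
    static final String ACTION = "com.example.RemoveUser";
    // Declared in AndroidManifest.xml with android:protectionLevel="signature":
    // only apps signed with this app's key can obtain it, so it acts as the allowlist.
    static final String PERMISSION = "com.example.permission.REMOVE_USER";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Act only on the exact action this receiver was registered for.
        if (!ACTION.equals(intent.getAction())) {
            return;
        }
        int userId = intent.getIntExtra("userID", -1);
        if (userId < 0) {
            return;
        }
        destroyUserData(context, userId);
    }

    static void destroyUserData(Context context, int userId) {
        // Assumed application logic that removes the account.
    }

    // Vulnerable: registered with no permission and no export flag, so the
    // receiver is exported by default and any app on the device can trigger
    // account removal with sendBroadcast(new Intent(ACTION).putExtra("userID", 1)).
    static void registerVulnerable(Context context, RemoveUserReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION);
        context.registerReceiver(receiver, filter);
    }

    // Hardened (1): the action is only ever sent from inside this app, so refuse
    // to export the receiver at all. RECEIVER_NOT_EXPORTED exists from API 33.
    static void registerInternalOnly(Context context, RemoveUserReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            registerSignatureGated(context, receiver);
        }
    }

    // Hardened (2): the action must be accepted from other trusted apps. The
    // broadcast permission makes the system drop any intent whose sender does
    // not hold it, so only apps signed with our key can reach onReceive().
    static void registerSignatureGated(Context context, RemoveUserReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION);
        context.registerReceiver(receiver, filter, PERMISSION, null);
    }
}
```

The sender of a broadcast cannot be recovered inside onReceive() (Binder.getCallingUid() there does not identify it), so the origin check has to be enforced by the system, either by not exporting the receiver or by a signature-level permission as above. A receiver declared in the manifest instead of registered in code needs the same treatment through android:exported="false" or android:permission on its receiver element.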
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
Vulnerable example (Android)

// Android

Vulnerable example (iOS)

// iOS

Attack input

window.location = examplescheme://method?parameter=value
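One native-side check for the WebView case above, as an added example that is not MITRE's or any vendor's code. It assumes the bridge scheme examplescheme from the attack input, an allowlisted host app.example.com, and a hypothetical dispatchToNative() that the app would implement. The vulnerable path recognises only the URL scheme; the hardened path additionally requires that the request came from the main frame of a page served over https from a trusted host.

```java
// Added example (not MITRE's code). Assumed: scheme examplescheme, trusted host
// app.example.com, and the hypothetical dispatchToNative() bridge.
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

public class BridgeWebViewClient extends WebViewClient {
    static final String BRIDGE_SCHEME = "examplescheme";
    // Assumed allowlist of page origins permitted to call into native code.
    static final Set<String> TRUSTED_HOSTS = Collections.singleton("app.example.com");

    private final boolean validateOrigin;

    BridgeWebViewClient(boolean validateOrigin) {
        this.validateOrigin = validateOrigin;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri target = request.getUrl();
        if (!BRIDGE_SCHEME.equalsIgnoreCase(target.getScheme())) {
            return false; // ordinary navigation: let the WebView load it
        }
        if (validateOrigin) {
            // Hardened: the scheme alone says nothing about who issued the request.
            // Swallow the custom-scheme navigation (return true) unless it came from
            // the main frame of a page on a trusted https origin. Without the
            // main-frame check a cross-origin iframe inside a trusted page could
            // still drive the bridge, because view.getUrl() reports the top document.
            if (!request.isForMainFrame() || !isTrustedPage(view.getUrl())) {
                return true;
            }
        }
        // Vulnerable when validateOrigin is false: any page that ends up in this
        // WebView, via a link or a redirect, reaches native code with
        // window.location = "examplescheme://method?parameter=value".
        dispatchToNative(target.getHost(), target.getQueryParameter("parameter"));
        return true;
    }

    static boolean isTrustedPage(String pageUrl) {
        if (pageUrl == null) {
            return false;
        }
        Uri page = Uri.parse(pageUrl);
        String host = page.getHost();
        return "https".equalsIgnoreCase(page.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    void dispatchToNative(String method, String parameter) {
        // Hypothetical bridge into native functionality, e.g. method "getUserInfo".
    }
}
```

view.getUrl() reports the last committed URL and can lag during a redirect, so treat this as a coarse gate and keep the bridge surface small. For a stronger binding between page origin and native calls, androidx.webkit's WebViewCompat.addWebMessageListener() takes an explicit set of allowed origin rules and only injects the message channel into matching pages. The iOS counterpart in WKWebView is the navigation-policy delegate, where navigationAction.sourceFrame exposes isMainFrame and a securityOrigin that can be checked the same way before a custom-scheme request is honoured.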
Common questions about CWE-346.

What is CWE-346?
The product does not properly verify that the source of data or communication is valid.

How many CVEs are attributed to CWE-346?
316 recorded CVEs are attributed to CWE-346, including CVE-2025-34291, CVE-2015-4495, CVE-2026-42901. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How can CWE-346 be detected?
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What can happen when CWE-346 is exploited?
Exploiting CWE-346 can lead to: Gain Privileges or Assume Identity, Varies by Context.

Are any CWE-346 vulnerabilities known to be actively exploited?
Yes. 2 CWE-346 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 316 recorded CVEs.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.