Log inLog in

Base weakness

Draft

CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

Q: What CVEs are caused by CWE-349?

32 recorded CVEs are attributed to CWE-349, including CVE-2025-5994, CVE-2025-40778, CVE-2025-40776.

Q: What are the consequences of CWE-349?

Exploiting CWE-349 can lead to: Bypass Protection Mechanism, Modify Application Data.

Q: Is CWE-349 actively exploited?

32 recorded CVEs are caused by CWE-349; none are currently in CISA's KEV catalog of actively exploited flaws.

The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Last updated May 1, 2026

32

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

32 recorded CVEs are caused by CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data). The highest-severity and most recent are shown first. 5 new CWE-349 CVEs have been recorded so far in 2026 (12 in 2025).

2025-07-16

CVE-2023-44317

High · CVSS 8.6 · EPSS 37th

2023-11-14

CVE-2026-32162

Windows COM Elevation of Privilege Vulnerability

High · CVSS 8.4 · EPSS 13th

2026-04-14

CVE-2026-35641

OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation

High · CVSS 8.4 · EPSS 1th

2026-04-10

CVE-2026-1642

NGINX vulnerability

High · CVSS 8.2 · EPSS 6th

2026-02-04

CVE-2021-21374

High · CVSS 8.1 · EPSS 55th

2021-03-26

CVE-2020-8023

High · CVSS 7.7 · EPSS 19th

2020-09-01

CVE-2025-29842

UrlMon Security Feature Bypass Vulnerability

High · CVSS 7.5 · EPSS 42th

2025-05-13

CVE-2025-29816

Microsoft Word Security Feature Bypass Vulnerability

High · CVSS 7.5 · EPSS 52th

2025-04-08

CVE-2025-27415

Nuxt allows DOS via cache poisoning with payload rendering response

High · CVSS 7.5 · EPSS 50th

2025-03-19

Showing 12 of 32 recorded CWE-349 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-349 vulnerabilities

Common consequences

What can happen when CWE-349 is exploited.

Bypass Protection Mechanism, Modify Application Data

Affects: Access Control, Integrity

An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2002-0018 — Does not verify that trusted entity is authoritative for all entities in its response.
CVE-2006-5462 — use of extra data in a signature allows certificate signature forging

Terminology & mappings

Mapped taxonomies

PLOVER: Untrusted Data Appended with Trusted Data
The CERT Oracle Secure Coding Standard for Java (2011): Place all security-sensitive code in a single JAR and sign and seal it (ENV01-J)

Attack patterns

CAPEC attack patterns that exploit this weakness.

Frequently asked questions

Common questions about CWE-349.

What is CWE-349?

The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

What CVEs are caused by CWE-349?

32 recorded CVEs are attributed to CWE-349, including CVE-2025-5994, CVE-2025-40778, CVE-2025-40776.

What are the consequences of CWE-349?

Exploiting CWE-349 can lead to: Bypass Protection Mechanism, Modify Application Data.

Is CWE-349 actively exploited?

32 recorded CVEs are caused by CWE-349; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-349

Get alerted the moment a new CWE-349 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing