CWE-358: Improperly Implemented Security Check for Standard
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Last updated
Overview
CWE-358 (Improperly Implemented Security Check for Standard) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
99 recorded CVEs are caused by CWE-358 (Improperly Implemented Security Check for Standard), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 23 new CWE-358 CVEs have been recorded so far in 2026 (19 in 2025).
- CVE-2024-7965CISA KEVHigh · CVSS 8.7 · EPSS 97th2024-08-21
- CVE-2018-0268Critical · CVSS 10.0 · EPSS 92th2018-05-17
- CVE-2022-25152Critical · CVSS 9.9 · EPSS 74th2022-06-08
- CVE-2025-62583Critical · CVSS 9.8 · EPSS 38th2025-10-16
- CVE-2023-3266Critical · CVSS 9.8 · EPSS 53th2023-08-14
- CVE-2019-6742Critical · CVSS 9.8 · EPSS 92th2019-06-03
- CVE-2025-69234Critical · CVSS 9.1 · EPSS 16th2025-12-30
- CVE-2023-39403Critical · CVSS 9.1 · EPSS 24th2023-08-13
- CVE-2026-1486
Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
High · CVSS 8.8 · EPSS 36th2026-02-09 - CVE-2025-66600High · CVSS 8.8 · EPSS 23th2026-02-09
- CVE-2025-3069High · CVSS 8.8 · EPSS 24th2025-04-02
- CVE-2021-26105High · CVSS 8.8 · EPSS 38th2025-03-24
Showing 12 of 99 recorded CWE-358 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-358 vulnerabilitiesCommon consequences
What can happen when CWE-358 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2002-0862 — Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
- CVE-2002-0970 — Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
- CVE-2002-1407 — Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
- CVE-2005-0198 — Logic error prevents some required conditions from being enforced during Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5).
- CVE-2004-2163 — Shared secret not verified in a RADIUS response packet, allowing authentication bypass by spoofing server replies.
- CVE-2005-2181 — Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
- CVE-2005-2182 — Insufficient verification in VoIP implementation, in violation of standard, allows spoofed messages.
- CVE-2005-2298 — Security check not applied to all components, allowing bypass.
Terminology & mappings
Mapped taxonomies
- PLOVER: Improperly Implemented Security Check for Standard
Frequently asked questions
Common questions about CWE-358.
- What is CWE-358?
- The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
- What CVEs are caused by CWE-358?
- 99 recorded CVEs are attributed to CWE-358, including CVE-2024-7965, CVE-2018-0268, CVE-2022-25152. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- What are the consequences of CWE-358?
- Exploiting CWE-358 can lead to: Bypass Protection Mechanism.
- Is CWE-358 actively exploited?
- Yes. 1 CWE-358 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 99 recorded CVEs.
References
- MITRE CWE definition (CWE-358) (opens in a new tab)
- CWE-358 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-358
Get alerted the moment a new CWE-358 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.