CWE-379: Creation of Temporary File in Directory with Insecure Permissions
The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
Last updated
Overview
On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached.
Real-world CVEs
49 recorded CVEs are caused by CWE-379 (Creation of Temporary File in Directory with Insecure Permissions). The highest-severity and most recent are shown first. 6 new CWE-379 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2024-36821High · CVSS 8.8 · EPSS 85th2024-06-11
- CVE-2023-49797High · CVSS 8.8 · EPSS 25th2023-12-09
- CVE-2024-9950High · CVSS 8.5 · EPSS 22th2025-01-02
- CVE-2026-42191
OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter
High · CVSS 7.8 · EPSS 1th2026-05-12 - CVE-2024-9500
Autodesk ADP Desktop SDK Privilege Escalation Vulnerability
High · CVSS 7.8 · EPSS 9th2024-11-15 - CVE-2023-6080
Privilege Escalation to SYSTEM in Lakeside Software Installer
High · CVSS 7.8 · EPSS 12th2024-10-18 - CVE-2023-3181High · CVSS 7.8 · EPSS 8th2024-01-25
- CVE-2023-3972
Insights-client: unsafe handling of temporary files and directories
High · CVSS 7.8 · EPSS 17th2023-11-01 - CVE-2023-37243High · CVSS 7.8 · EPSS 8th2023-10-31
- CVE-2023-32450High · CVSS 7.8 · EPSS 9th2023-07-27
- CVE-2023-26396High · CVSS 7.8 · EPSS 89th2023-04-12
- CVE-2023-21612High · CVSS 7.8 · EPSS 32th2023-01-18
Showing 12 of 49 recorded CWE-379 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-379 vulnerabilitiesCommon consequences
What can happen when CWE-379 is exploited.
Read Application Data
Affects: Confidentiality
Since the file is visible and the application which is using the temp file could be known, the attacker has gained information about what the user is doing at that time.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-379, grouped by where in the lifecycle they apply.
Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.
Avoid using vulnerable temp file functions.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following code examples a temporary file is created and written to. After using the temporary file, the file is closed and deleted from the file system.
Vulnerable example
// write data to tmp file
FILE *stream;Vulnerable example
try {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-27818 — A hotkey daemon written in Rust creates a domain socket file underneath /tmp, which is accessible by any user.
- CVE-2021-41989 — analytic platform's repair functionality uses the %TEMP% folder of a user while running with higher privileges
- CVE-2021-21290 — A Java-based application for a rapid-development framework uses File.createTempFile() to create a random temporary file with insecure default permissions.
Terminology & mappings
Mapped taxonomies
- CLASP: Guessed or visible temporary file
- CERT C Secure Coding: Ensure that file operations are performed in a secure directory (FIO15-C)
Frequently asked questions
Common questions about CWE-379.
- What is CWE-379?
- The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
- What CVEs are caused by CWE-379?
- 49 recorded CVEs are attributed to CWE-379, including CVE-2024-36821, CVE-2023-49797, CVE-2024-9950.
- How do you prevent CWE-379?
- Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
- How is CWE-379 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-379?
- Exploiting CWE-379 can lead to: Read Application Data.
- Is CWE-379 actively exploited?
- 49 recorded CVEs are caused by CWE-379; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-379) (opens in a new tab)
- CWE-379 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-379
Get alerted the moment a new CWE-379 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.