CWE-425: Direct Request ('Forced Browsing')
Also known as: forced browsing
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Last updated
Overview
CWE-425 (Direct Request ('Forced Browsing')) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
101 recorded CVEs are caused by CWE-425 (Direct Request ('Forced Browsing')), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 16 new CWE-425 CVEs have been recorded so far in 2026 (28 in 2025).