Class weakness

Incomplete

CWE-436: Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Last updated May 1, 2026

62

Recorded CVEs

With this primary weakness

1

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.

Real-world CVEs

62 recorded CVEs are caused by CWE-436 (Interpretation Conflict), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 24 new CWE-436 CVEs have been recorded so far in 2026 (5 in 2025).

CVE-2026-41248

Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Critical · CVSS 9.1

2026-04-24

CVE-2026-6270

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

Critical · CVSS 9.1

2026-04-16

CVE-2026-33807

@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes

Critical · CVSS 9.1

2026-04-15

CVE-2026-33808

@fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Showing 12 of 62 recorded CWE-436 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-436 vulnerabilities

Common consequences

What can happen when CWE-436 is exploited.

Unexpected State, Varies by Context

Affects: Integrity, Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [REF-428] shows that OSes varied widely in how they manage unusual packets, which made it difficult or impossible for intrusion detection systems to properly detect certain attacker manipulations that took advantage of these OS differences.

Null characters have different interpretations in Perl and C, which have security consequences when Perl invokes C functions. Similar problems have been reported in ASP [REF-429] and PHP.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2005-1215 — Bypass filters or poison web cache using requests with multiple Content-Length headers, a non-standard behavior.
CVE-2002-0485 — Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients.
CVE-2002-1978 — FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.
CVE-2002-1979 — FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.
CVE-2002-0637 — Virus product bypass with spaces between MIME header fields and the ":" separator, a non-standard message that is accepted by some clients.
CVE-2002-1777 — AV product detection bypass using inconsistency manipulation (file extension in MIME Content-Type vs. Content-Disposition field).
CVE-2005-3310 — CMS system allows uploads of files with GIF/JPG extensions, but if they contain HTML, Internet Explorer renders them as HTML instead of images.
CVE-2005-4260 — Interpretation conflict allows XSS via invalid " " is expected, which is treated as ">" by many web browsers.
CVE-2005-4080 — Interpretation conflict (non-standard behavior) enables XSS because browser ignores invalid characters in the middle of tags.

Terminology & mappings

Mapped taxonomies

PLOVER: Multiple Interpretation Error (MIE)
WASC: HTTP Response Smuggling (27)

Attack patterns

CAPEC attack patterns that exploit this weakness.

Frequently asked questions

Common questions about CWE-436.

What is CWE-436?

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

What CVEs are caused by CWE-436?

62 recorded CVEs are attributed to CWE-436, including CVE-2025-48384, CVE-2023-24813, CVE-2019-19589. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

What are the consequences of CWE-436?

Exploiting CWE-436 can lead to: Unexpected State, Varies by Context.

Is CWE-436 actively exploited?

Yes. 1 CWE-436 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 62 recorded CVEs.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-436

Get alerted the moment a new CWE-436 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Peer

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-436?

What CVEs are caused by CWE-436?

What are the consequences of CWE-436?

Is CWE-436 actively exploited?

References

Stay ahead of CWE-436