CWE-446: UI Discrepancy for Security Feature

The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the product does not actually enable the encryption. Alternately, the user might provide a "restrict ALL" access control rule, but the product only implements "restrict SOME".

CWE-446: UI Discrepancy for Security Feature

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-446?

What CVEs are caused by CWE-446?

What are the consequences of CWE-446?

Is CWE-446 actively exploited?

References

Stay ahead of CWE-446

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-446?

What CVEs are caused by CWE-446?

What are the consequences of CWE-446?

Is CWE-446 actively exploited?

References

Stay ahead of CWE-446