Class weakness

Incomplete

CWE-446: UI Discrepancy for Security Feature

The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

Last updated May 1, 2026

3

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

When the user interface does not properly reflect what the user asks of it, then it can lead the user into a false sense of security. For example, the user might check a box to enable a security option to enable encrypted communications, but the product does not actually enable the encryption. Alternately, the user might provide a "restrict ALL" access control rule, but the product only implements "restrict SOME".

Real-world CVEs

3 recorded CVEs are caused by CWE-446 (UI Discrepancy for Security Feature). The highest-severity and most recent are shown first. 0 new CWE-446 CVEs have been recorded so far in 2026 (2 in 2025).

Common consequences

What can happen when CWE-446 is exploited.

Varies by Context

Affects: Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-1999-1446 — UI inconsistency; visited URLs list not cleared when "Clear History" option is selected.

Terminology & mappings

Mapped taxonomies

PLOVER: User interface inconsistency

Frequently asked questions

Common questions about CWE-446.

What is CWE-446?

The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

What CVEs are caused by CWE-446?

3 recorded CVEs are attributed to CWE-446, including CVE-2025-52983, CVE-2025-8353, CVE-2023-1768.

What are the consequences of CWE-446?

Exploiting CWE-446 can lead to: Varies by Context.

Is CWE-446 actively exploited?

3 recorded CVEs are caused by CWE-446; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-446

Get alerted the moment a new CWE-446 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Common consequences

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-446?

What CVEs are caused by CWE-446?

What are the consequences of CWE-446?

Is CWE-446 actively exploited?

References

Stay ahead of CWE-446