Log inLog in

Base weakness

Incomplete

CWE-524: Use of Cache Containing Sensitive Information

Q: What CVEs are caused by CWE-524?

38 recorded CVEs are attributed to CWE-524, including CVE-2025-64762, CVE-2026-48901, CVE-2024-27917.

Q: How do you prevent CWE-524?

Protect information stored in cache.

Q: How is CWE-524 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Q: What are the consequences of CWE-524?

Exploiting CWE-524 can lead to: Read Application Data.

Q: Is CWE-524 actively exploited?

38 recorded CVEs are caused by CWE-524; none are currently in CISA's KEV catalog of actively exploited flaws.

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Last updated May 1, 2026

38

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Applications may use caches to improve efficiency when communicating with remote entities or performing intensive calculations. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.

Real-world CVEs

38 recorded CVEs are caused by CWE-524 (Use of Cache Containing Sensitive Information). The highest-severity and most recent are shown first. 10 new CWE-524 CVEs have been recorded so far in 2026 (13 in 2025).

High · CVSS 7.5 · EPSS 30th

2024-03-06

CVE-2024-45596

High · CVSS 7.4 · EPSS 74th

2024-09-10

CVE-2024-12314

Rapid Cache <= 1.2.3 - Unauthenticated Cache Poisoning

High · CVSS 7.2 · EPSS 23th

2025-02-18

CVE-2026-25540

Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)

Medium · CVSS 6.5 · EPSS 9th

2026-02-04

CVE-2025-61598

Discourse is missing Cache-Control response header on error responses

Medium · CVSS 6.3 · EPSS 19th

2025-10-28

CVE-2024-41906

Medium · CVSS 6.3 · EPSS 58th

2024-08-13

CVE-2025-57752

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Medium · CVSS 6.2 · EPSS 34th

2025-08-29

CVE-2025-69202

axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Medium · CVSS 6.0 · EPSS 11th

2025-12-29

CVE-2026-41841

Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux

Medium · CVSS 5.9 · EPSS 12th

2026-06-09

CVE-2025-9901

Libsoup: improper handling of http vary header in libsoup caching

Medium · CVSS 5.9 · EPSS 15th

2025-09-03

Showing 12 of 38 recorded CWE-524 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-524 vulnerabilities

Common consequences

What can happen when CWE-524 is exploited.

Read Application Data

Affects: Confidentiality

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-524, grouped by where in the lifecycle they apply.

Architecture and Design

Protect information stored in cache.

Architecture and Design

Do not store unnecessarily sensitive information in the cache.

Architecture and Design

Consider using encryption in the cache.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2024-30127 — Product does not set the "no-cache" option in the HTTP Cache-Control header, allowing sensitive information to be cached

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-204: Lifting Sensitive Data Embedded in Cache

Frequently asked questions

Common questions about CWE-524.

What is CWE-524?

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

What CVEs are caused by CWE-524?

38 recorded CVEs are attributed to CWE-524, including CVE-2025-64762, CVE-2026-48901, CVE-2024-27917.

How do you prevent CWE-524?

Protect information stored in cache.

How is CWE-524 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-524?

Exploiting CWE-524 can lead to: Read Application Data.

Is CWE-524 actively exploited?

38 recorded CVEs are caused by CWE-524; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-524

Get alerted the moment a new CWE-524 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Child

Attack patterns

Frequently asked questions

What is CWE-524?

What CVEs are caused by CWE-524?

How do you prevent CWE-524?

How is CWE-524 detected?

What are the consequences of CWE-524?

Is CWE-524 actively exploited?

References

Stay ahead of CWE-524