CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable
The product uses an environment variable to store unencrypted sensitive information.
Last updated
Overview
Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.
Real-world CVEs
16 recorded CVEs are caused by CWE-526 (Cleartext Storage of Sensitive Information in an Environment Variable). The highest-severity and most recent are shown first. 4 new CWE-526 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2026-45370
python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection
High · CVSS 7.7 · EPSS 13th2026-05-14 - CVE-2023-5720High · CVSS 7.7 · EPSS 53th2023-11-15
- CVE-2025-28381High · CVSS 7.5 · EPSS 35th2025-06-13
- CVE-2023-43029
IBM Storage Virtualize vSphere Remote Plug-in information disclosure
High · CVSS 7.5 · EPSS 33th2025-03-21 - CVE-2026-40153
PraisonAIAgents Affected by Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
High · CVSS 7.4 · EPSS 19th2026-04-09 - CVE-2024-2700
Quarkus-core: leak of local configuration properties into quarkus applications
High · CVSS 7.0 · EPSS 21th2024-04-04 - CVE-2024-4369
Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure
Medium · CVSS 6.8 · EPSS 49th2024-04-30 - CVE-2025-36017
IBM Controller Information Disclosure
Medium · CVSS 6.5 · EPSS 14th2025-12-08 - CVE-2025-0985
IBM MQ information disclosure
Medium · CVSS 6.5 · EPSS 15th2025-02-28 - CVE-2023-47615Medium · CVSS 5.5 · EPSS 11th2023-11-09
- CVE-2025-27899
Multiple vulnerabilities in IBM Java SDK affecting Db2 Recovery Expert for Linux, Unix and Windows
Medium · CVSS 5.3 · EPSS 10th2026-02-17 - CVE-2014-2377
Ecava IntegraXor SCADA Server Information Exposure Through Environmental Variables
Medium · CVSS 5.0 · EPSS 77th2014-09-15
Showing 12 of 16 recorded CWE-526 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-526 vulnerabilitiesCommon consequences
What can happen when CWE-526 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-526, grouped by where in the lifecycle they apply.
Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-43691 — CMS shows sensitive server-side information from environment variables when run in Debug mode.
- CVE-2022-27195 — Plugin for an automation server inserts environment variable contents into build XML files.
- CVE-2022-25264 — CI/CD tool logs environment variables related to passwords add Contribution to content history.
Terminology & mappings
Mapped taxonomies
- Software Fault Patterns: Exposed Data (SFP23)
Frequently asked questions
Common questions about CWE-526.
- What is CWE-526?
- The product uses an environment variable to store unencrypted sensitive information.
- What CVEs are caused by CWE-526?
- 16 recorded CVEs are attributed to CWE-526, including CVE-2026-45370, CVE-2023-5720, CVE-2025-28381.
- How do you prevent CWE-526?
- Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
- How is CWE-526 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-526?
- Exploiting CWE-526 can lead to: Read Application Data.
- Is CWE-526 actively exploited?
- 16 recorded CVEs are caused by CWE-526; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-526) (opens in a new tab)
- CWE-526 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-526
Get alerted the moment a new CWE-526 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.