CWE-549: Missing Password Field Masking
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
Last updated
Overview
CWE-549 (Missing Password Field Masking) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
16 recorded CVEs are caused by CWE-549 (Missing Password Field Masking). The highest-severity and most recent are shown first. 2 new CWE-549 CVEs have been recorded so far in 2026 (7 in 2025).
- CVE-2023-49106High · CVSS 7.5 · EPSS 36th2024-01-16
- CVE-2022-22550Medium · CVSS 6.7 · EPSS 13th2022-04-12
- CVE-2025-42904
Information Disclosure vulnerability in Application Server ABAP
Medium · CVSS 6.5 · EPSS 21th2025-12-09 - CVE-2023-1763Medium · CVSS 6.5 · EPSS 20th2023-05-17
- CVE-2023-2062Medium · CVSS 6.2 · EPSS 25th2023-06-02
- CVE-2025-31728Medium · CVSS 5.5 · EPSS 20th2025-04-02
- CVE-2025-31727Medium · CVSS 5.5 · EPSS 20th2025-04-02
- CVE-2025-4526
Dígitro NGC Explorer Configuration missing password field masking
Medium · CVSS 5.3 · EPSS 15th2025-05-11 - CVE-2025-13175
Insecure Password Storage in Y Soft SafeQ 6
Medium · CVSS 5.1 · EPSS 21th2026-01-14 - CVE-2024-10122Medium · CVSS 5.1 · EPSS 39th2024-10-18
- CVE-2022-20914Medium · CVSS 4.9 · EPSS 53th2022-08-10
- CVE-2026-3314
Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint
Medium · CVSS 4.6 · EPSS 7th2026-05-26
Showing 12 of 16 recorded CWE-549 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-549 vulnerabilitiesCommon consequences
What can happen when CWE-549 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-549, grouped by where in the lifecycle they apply.
Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2025-0148 — Jenkins plugin for a video meeting product does not mask passwords
Frequently asked questions
Common questions about CWE-549.
- What is CWE-549?
- The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
- What CVEs are caused by CWE-549?
- 16 recorded CVEs are attributed to CWE-549, including CVE-2023-49106, CVE-2022-22550, CVE-2025-42904.
- How do you prevent CWE-549?
- Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.
- How is CWE-549 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-549?
- Exploiting CWE-549 can lead to: Bypass Protection Mechanism.
- Is CWE-549 actively exploited?
- 16 recorded CVEs are caused by CWE-549; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-549) (opens in a new tab)
- CWE-549 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-549
Get alerted the moment a new CWE-549 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.