If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
Last updated
For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
9 recorded CVEs are caused by CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization). The highest-severity and most recent are shown first. 4 new CWE-551 CVEs have been recorded so far in 2026.
URI validation failure on SVG parsing in Dompdf
ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.
Keycloak: keycloak authorization header parsing leading to potential security control bypass
What can happen when CWE-551 is exploited.
Bypass Protection Mechanism
Affects: Access Control
Typically introduced during these phases of the software lifecycle.
Technologies
Practical mitigations for CWE-551, grouped by where in the lifecycle they apply.
URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
Common questions about CWE-551.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-551 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.