CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
Last updated
Overview
For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
Real-world CVEs
9 recorded CVEs are caused by CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization). The highest-severity and most recent are shown first. 4 new CWE-551 CVEs have been recorded so far in 2026.
- CVE-2023-23924
URI validation failure on SVG parsing in Dompdf
Critical · CVSS 10.0 · EPSS 88th2023-01-31 - CVE-2016-20030
ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
Critical · CVSS 9.3 · EPSS 43th2026-03-15 - CVE-2021-32779High · CVSS 8.6 · EPSS 57th2021-08-24
- CVE-2021-32777High · CVSS 8.6 · EPSS 87th2021-08-24
- CVE-2026-4636
Keycloak: keycloak: uma policy bypass allows authenticated users to gain unauthorized access to victim-owned resources.
High · CVSS 8.1 · EPSS 27th2026-04-02 - CVE-2026-57920High · CVSS 7.7 · EPSS 12th2026-06-26
- CVE-2026-0707
Keycloak: keycloak authorization header parsing leading to potential security control bypass
Medium · CVSS 5.3 · EPSS 28th2026-01-08 - CVE-2021-34429Medium · CVSS 5.3 · EPSS 100th2021-07-15
- CVE-2021-28164Medium · CVSS 5.3 · EPSS 100th2021-04-01
Common consequences
What can happen when CWE-551 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-551, grouped by where in the lifecycle they apply.
URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
Frequently asked questions
Common questions about CWE-551.
- What is CWE-551?
- If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
- What CVEs are caused by CWE-551?
- 9 recorded CVEs are attributed to CWE-551, including CVE-2023-23924, CVE-2016-20030, CVE-2021-32779.
- How do you prevent CWE-551?
- URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
- What are the consequences of CWE-551?
- Exploiting CWE-551 can lead to: Bypass Protection Mechanism.
- Is CWE-551 actively exploited?
- 9 recorded CVEs are caused by CWE-551; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-551) (opens in a new tab)
- CWE-551 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-551
Get alerted the moment a new CWE-551 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.