CWE-598: Use of HTTP Request With Sensitive Query String
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
Last updated
Overview
CWE-598 (Use of HTTP Request With Sensitive Query String) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
While a query string is frequently used for GET methods, sometimes it is included with other methods such as POST, DELETE, and PUT. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources.
Real-world CVEs
75 recorded CVEs are caused by CWE-598 (Use of HTTP Request With Sensitive Query String). The highest-severity and most recent are shown first. 21 new CWE-598 CVEs have been recorded so far in 2026 (25 in 2025).
- CVE-2023-6014Critical · CVSS 9.8 · EPSS 63th2023-11-16
- CVE-2018-14822Critical · CVSS 9.8 · EPSS 85th2018-10-02
- CVE-2017-3185Critical · CVSS 9.8 · EPSS 87th2017-12-15
- CVE-2026-23846
Tugtainer vulnerable to Password Exposure via URL Query Parameter
Critical · CVSS 9.1 · EPSS 33th2026-01-19 - CVE-2022-22551High · CVSS 8.8 · EPSS 31th2022-01-21
- CVE-2021-36328High · CVSS 8.8 · EPSS 54th2021-11-30
- CVE-2020-5331High · CVSS 8.8 · EPSS 50th2020-05-04
- CVE-2019-18573High · CVSS 8.8 · EPSS 58th2019-12-18
- CVE-2026-58656
Grav API Plugin - Cross-Origin Admin Account Takeover via CORS Wildcard and JWT Query Parameter
High · CVSS 8.7 · EPSS 19th2026-07-08 - CVE-2025-26473
Outback Power Mojave Inverter Use of GET Request Method With Sensitive Query Strings
High · CVSS 8.7 · EPSS 36th2025-02-13 - CVE-2025-56551High · CVSS 8.2 · EPSS 26th2025-10-03
- CVE-2021-21594High · CVSS 8.2 · EPSS 53th2021-08-16
Showing 12 of 75 recorded CWE-598 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-598 vulnerabilitiesCommon consequences
What can happen when CWE-598 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-598, grouped by where in the lifecycle they apply.
When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2025-1738 — Security camera includes a password in its query string
- CVE-2025-31954 — ML/NLP-based automation product calls a GET method with sensitive information in the query string.
- CVE-2024-31842 — Web-based communication product includes an access token in the query string of a GET request
- CVE-2022-23546 — A discussion platform leaks private information in GET requests.
Terminology & mappings
Mapped taxonomies
- Software Fault Patterns: Exposed Data (SFP23)
Frequently asked questions
Common questions about CWE-598.
- What is CWE-598?
- The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
- What CVEs are caused by CWE-598?
- 75 recorded CVEs are attributed to CWE-598, including CVE-2023-6014, CVE-2018-14822, CVE-2017-3185.
- How do you prevent CWE-598?
- When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
- How is CWE-598 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-598?
- Exploiting CWE-598 can lead to: Read Application Data.
- Is CWE-598 actively exploited?
- 75 recorded CVEs are caused by CWE-598; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-598) (opens in a new tab)
- CWE-598 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-598
Get alerted the moment a new CWE-598 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.