CWE-603: Use of Client-Side Authentication
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
Last updated
Overview
Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
Real-world CVEs
22 recorded CVEs are caused by CWE-603 (Use of Client-Side Authentication). The highest-severity and most recent are shown first. 6 new CWE-603 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2025-62650Critical · CVSS 9.9 · EPSS 38th2025-10-17
- CVE-2022-3218Critical · CVSS 9.8 · EPSS 99th2022-09-19
- CVE-2022-33139Critical · CVSS 9.8 · EPSS 64th2022-06-21
- CVE-2021-43355
Fresenius Kabi Agilia Connect Infusion System use of client side authentication
Critical · CVSS 9.8 · EPSS 58th2022-01-21 - CVE-2017-7909Critical · CVSS 9.8 · EPSS 84th2017-05-06
- CVE-2026-1363
JNC|IAQS and I6 - Client-Side Enforcement of Server-Side Security
Critical · CVSS 9.3 · EPSS 42th2026-01-23 - CVE-2025-64119
Nuvation Energy BMS Client-side Authentication
Critical · CVSS 9.3 · EPSS 28th2026-01-02 - CVE-2025-12868
CyberTutor|New Site Server - Use of Client-Side Authentication
Critical · CVSS 9.3 · EPSS 41th2025-11-10 - CVE-2024-39375Critical · CVSS 9.3 · EPSS 43th2024-06-27
- CVE-2025-30042
Session generation possible with certificate number only
Critical · CVSS 9.0 · EPSS 0th2026-03-02 - CVE-2020-7591High · CVSS 8.8 · EPSS 71th2020-10-15
- CVE-2026-42098
Authorization Bypass in Sparx Enterprise Architect
High · CVSS 8.7 · EPSS 32th2026-05-19
Showing 12 of 22 recorded CWE-603 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-603 vulnerabilitiesCommon consequences
What can happen when CWE-603 is exploited.
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-603, grouped by where in the lifecycle they apply.
Do not rely on client side data. Always perform server side authentication.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors used client-side authentication in their OT products.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-33139 — SCADA system only uses client-side authentication, allowing adversaries to impersonate other users.
- CVE-2006-0230 — Client-side check for a password allows access to a server using crafted XML requests from a modified client.
Frequently asked questions
Common questions about CWE-603.
- What is CWE-603?
- A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
- What CVEs are caused by CWE-603?
- 22 recorded CVEs are attributed to CWE-603, including CVE-2025-62650, CVE-2022-3218, CVE-2022-33139.
- How do you prevent CWE-603?
- Do not rely on client side data. Always perform server side authentication.
- What are the consequences of CWE-603?
- Exploiting CWE-603 can lead to: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
- Is CWE-603 actively exploited?
- 22 recorded CVEs are caused by CWE-603; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-603) (opens in a new tab)
- CWE-603 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-603
Get alerted the moment a new CWE-603 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.