CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Last updated
Overview
CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
55 recorded CVEs are caused by CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). The highest-severity and most recent are shown first. 9 new CWE-614 CVEs have been recorded so far in 2026 (14 in 2025).
- CVE-2025-8037
Nameless cookies shadow secure cookies
Critical · CVSS 9.1 · EPSS 12th2025-07-22 - CVE-2026-53661
boruta-server sent sensitive session cookies without the Secure attribute
High · CVSS 8.8 · EPSS 17th2026-06-11 - CVE-2026-46398
HAX CMS Missing Secure Flag on Cookie
High · CVSS 8.8 · EPSS 8th2026-06-05