CWE-636: Not Failing Securely ('Failing Open')
Also known as: Failing Open
When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Last updated
Overview
By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."
Real-world CVEs
28 recorded CVEs are caused by CWE-636 (Not Failing Securely ('Failing Open')). The highest-severity and most recent are shown first. 17 new CWE-636 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2024-3729
Frontend Admin by DynamiApps <= 3.19.4 - Improper Missing Encryption Exception Handling to Form Manipulation
Critical · CVSS 9.8 · EPSS 53th2024-05-02 - CVE-2026-22034
Snuffleupagus vulnerable to RCE on instances with upload validation enabled but without the VLD package
Critical · CVSS 9.2 · EPSS 47th2026-01-08 - CVE-2026-40525
OpenViking < 0.3.9 Authentication Bypass via VikingBot OpenAPI
Critical · CVSS 9.1 · EPSS 43th2026-04-17 - CVE-2024-43532
Remote Registry Service Elevation of Privilege Vulnerability
High · CVSS 8.8 · EPSS 96th2024-10-08 - CVE-2021-1578High · CVSS 8.8 · EPSS 78th2021-08-25
- CVE-2026-40248
free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
High · CVSS 8.7 · EPSS 35th2026-04-16 - CVE-2026-40247
free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
High · CVSS 8.7 · EPSS 39th2026-04-16 - CVE-2025-54870
VTun-ng's failure to initialize encryption modules may cause reversion to plaintext
High · CVSS 8.7 · EPSS 10th2025-08-05 - CVE-2026-35205
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
High · CVSS 8.4 · EPSS 8th2026-04-09 - CVE-2023-4030High · CVSS 8.4 · EPSS 8th2023-08-17
- CVE-2026-54291
Silent channel-binding authentication downgrade via unsupported certificate algorithms
High · CVSS 8.2 · EPSS 15th2026-07-06 - CVE-2026-42423
OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback
High · CVSS 7.7 · EPSS 24th2026-04-28
Showing 12 of 28 recorded CWE-636 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-636 vulnerabilitiesCommon consequences
What can happen when CWE-636 is exploited.
Bypass Protection Mechanism
Affects: Access Control
Intended access restrictions can be bypassed, which is often contradictory to what the product's administrator expects.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-636, grouped by where in the lifecycle they apply.
Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Switches may revert their functionality to that of hubs when the table used to map ARP information to the switch interface overflows, such as when under a spoofing attack. This results in traffic being broadcast to an eavesdropper, instead of being sent only on the relevant switch interface. To mitigate this type of problem, the developer could limit the number of ARP entries that can be recorded for a given switch interface, while other interfaces may keep functioning normally. Configuration options can be provided on the appropriate actions to be taken in case of a detected failure, but safe defaults should be used.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2007-5277 — The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional."
- CVE-2006-4407 — Incorrect prioritization leads to the selection of a weaker cipher. Although it is not known whether this issue occurred in implementation or design, it is feasible that a poorly designed algorithm could be a factor.
Terminology & mappings
Alternate terms
- Failing Open
Mapped taxonomies
- OWASP Top Ten 2004: Improper Error Handling (A7) — CWE More Specific fit
Frequently asked questions
Common questions about CWE-636.
- What is CWE-636?
- When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
- What CVEs are caused by CWE-636?
- 28 recorded CVEs are attributed to CWE-636, including CVE-2024-3729, CVE-2026-22034, CVE-2026-40525.
- Is CWE-636 part of the OWASP Top 10?
- CWE-636 maps to OWASP Top Ten 2004: Improper Error Handling (A7) in the OWASP security taxonomy.
- How do you prevent CWE-636?
- Subdivide and allocate resources and components so that a failure in one part does not affect the entire product.
- What are the consequences of CWE-636?
- Exploiting CWE-636 can lead to: Bypass Protection Mechanism.
- Is CWE-636 actively exploited?
- 28 recorded CVEs are caused by CWE-636; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-636) (opens in a new tab)
- CWE-636 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-636
Get alerted the moment a new CWE-636 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.