What CVEs are caused by CWE-638?

1 recorded CVEs are attributed to CWE-638, including CVE-2024-56512.

How do you prevent CWE-638?

Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.

Is CWE-638 actively exploited?

1 recorded CVEs are caused by CWE-638; none are currently in CISA's KEV catalog of actively exploited flaws.

Class weakness

Draft

CWE-638: Not Using Complete Mediation

Q: What are the consequences of CWE-638?

Exploiting CWE-638 can lead to: Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Other.

The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.

Last updated May 1, 2026

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

CWE-638 (Not Using Complete Mediation) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

1 recorded CVEs are caused by CWE-638 (Not Using Complete Mediation). The highest-severity and most recent are shown first.

CVE-2024-56512
Apache NiFi: Missing Complete Authorization for Parameter and Service References
Low · CVSS 2.1 · EPSS 86th
2024-12-28

Common consequences

What can happen when CWE-638 is exploited.

Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Other

Affects: Integrity, Confidentiality, Availability, Access Control, Other

A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

CWE-638: Not Using Complete Mediation

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-638?

What CVEs are caused by CWE-638?

How do you prevent CWE-638?

What are the consequences of CWE-638?

Is CWE-638 actively exploited?

References

Stay ahead of CWE-638

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-638?

What CVEs are caused by CWE-638?

How do you prevent CWE-638?

What are the consequences of CWE-638?

Is CWE-638 actively exploited?

References

Stay ahead of CWE-638