CWE-669: Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Last updated
Overview
CWE-669 (Incorrect Resource Transfer Between Spheres) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.
Real-world CVEs
58 recorded CVEs are caused by CWE-669 (Incorrect Resource Transfer Between Spheres), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 26 new CWE-669 CVEs have been recorded so far in 2026 (17 in 2025).
- CVE-2026-31431CISA KEV
crypto: algif_aead - Revert to operating out-of-place
High · CVSS 8.5 · EPSS 100th2026-04-22 - CVE-2025-67895
Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2
Critical · CVSS 9.8 · EPSS 54th2025-12-17 - CVE-2023-31114Critical · CVSS 9.1 · EPSS 43th2023-06-07
- CVE-2026-33265Critical · CVSS 9.0 · EPSS 14th2026-03-18
- CVE-2025-41660
CODESYS Control Boot Application Replacement Enables Code Execution
High · CVSS 8.8 · EPSS 35th2026-03-24 - CVE-2026-25253High · CVSS 8.8 · EPSS 94th2026-02-01
- CVE-2025-41645
SMA: Sunny Portal demo system privilege escalation
High · CVSS 8.6 · EPSS 27th2025-05-13 - CVE-2026-46448High · CVSS 8.5 · EPSS 19th2026-06-16
- CVE-2025-34158High · CVSS 8.5 · EPSS 42th2025-08-21
- CVE-2026-35545High · CVSS 8.2 · EPSS 25th2026-04-03
- CVE-2026-24708High · CVSS 8.2 · EPSS 26th2026-02-18
- CVE-2022-30236High · CVSS 8.2 · EPSS 50th2022-06-02
Showing 12 of 58 recorded CWE-669 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-669 vulnerabilitiesCommon consequences
What can happen when CWE-669 is exploited.
Read Application Data, Modify Application Data, Unexpected State
Affects: Confidentiality, Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
Safe example
<form action="FileUploadServlet" method="post" enctype="multipart/form-data">Vulnerable example
public class FileUploadServlet extends HttpServlet {This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
Vulnerable example
//assume the password is already encrypted, avoiding CWE-312This code either generates a public HTML user information page or a JSON response containing the same user information.
Vulnerable example
// API flag, output JSON if setThe programmer is careful to not display the user's e-mail address when displaying the public HTML page. However, the e-mail address is not removed from the JSON response, exposing the user's e-mail address.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-22909 — Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
- CVE-2023-5227 — PHP-based FAQ management app does not check the MIME type for uploaded images
- CVE-2005-0406 — Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
Frequently asked questions
Common questions about CWE-669.
- What is CWE-669?
- The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
- What CVEs are caused by CWE-669?
- 58 recorded CVEs are attributed to CWE-669, including CVE-2026-31431, CVE-2025-67895, CVE-2023-31114. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- What are the consequences of CWE-669?
- Exploiting CWE-669 can lead to: Read Application Data, Modify Application Data, Unexpected State.
- Is CWE-669 actively exploited?
- Yes. 1 CWE-669 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 58 recorded CVEs.
References
- MITRE CWE definition (CWE-669) (opens in a new tab)
- CWE-669 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-669
Get alerted the moment a new CWE-669 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.