CWE-694: Use of Multiple Resources with Duplicate Identifier
The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
Last updated
Overview
If the product assumes that each resource has a unique identifier, the product could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier.
Real-world CVEs
8 recorded CVEs are caused by CWE-694 (Use of Multiple Resources with Duplicate Identifier). The highest-severity and most recent are shown first. 2 new CWE-694 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2025-13609
Keylime: keylime: registrar allows identity takeover via duplicate uuid registration
High · CVSS 8.2 · EPSS 31th2025-11-24 - CVE-2025-59048
OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method
High · CVSS 8.1 · EPSS 15th2025-10-23 - CVE-2026-57024
Junos OS: MX with SPC3, SRX Series: Repeated VPN negotiation failures will eventually cause iked to crash continuously
Medium · CVSS 6.9 · EPSS 34th2026-07-09 - CVE-2023-20100Medium · CVSS 6.8 · EPSS 52th2023-03-23
- CVE-2021-3436Medium · CVSS 6.5 · EPSS 57th2021-10-05
- CVE-2026-5794
Vulnerability in Cryptobox allows an authenticated user to trigger an account lockout
Medium · CVSS 4.9 · EPSS 17th2026-04-28 - CVE-2024-41146Medium · CVSS 4.6 · EPSS 22th2024-12-12
- CVE-2022-23721Low · CVSS 3.8 · EPSS 12th2023-04-25
Common consequences
What can happen when CWE-694 is exploited.
Bypass Protection Mechanism
Affects: Access Control
If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.
Quality Degradation
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-694, grouped by where in the lifecycle they apply.
Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
These two Struts validation forms have the same name.
Vulnerable example
<form-validation>It is not certain which form will be used by Struts. It is critically important that validation logic be maintained and kept in sync with the rest of the product.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2013-4787 — chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.
Frequently asked questions
Common questions about CWE-694.
- What is CWE-694?
- The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
- What CVEs are caused by CWE-694?
- 8 recorded CVEs are attributed to CWE-694, including CVE-2025-13609, CVE-2025-59048, CVE-2026-57024.
- How do you prevent CWE-694?
- Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately.
- What are the consequences of CWE-694?
- Exploiting CWE-694 can lead to: Bypass Protection Mechanism, Quality Degradation.
- Is CWE-694 actively exploited?
- 8 recorded CVEs are caused by CWE-694; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-694) (opens in a new tab)
- CWE-694 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-694
Get alerted the moment a new CWE-694 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.