CWE-836: Use of Password Hash Instead of Password for Authentication
The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
Last updated
Overview
Some authentication mechanisms rely on the client to generate the hash for a password, possibly to reduce load on the server or avoid sending the password across the network. However, when the client is used to generate the hash, an attacker can bypass the authentication by obtaining a copy of the hash, e.g. by using SQL injection to compromise a database of authentication credentials, or by exploiting an information exposure. The attacker could then use a modified client to replay the stolen hash without having knowledge of the original password. As a result, the server-side comparison against a client-side hash does not provide any more security than the use of passwords without hashing.
Real-world CVEs
14 recorded CVEs are caused by CWE-836 (Use of Password Hash Instead of Password for Authentication). The highest-severity and most recent are shown first. 3 new CWE-836 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2021-23857
Login with hash
Critical · CVSS 10.0 · EPSS 65th2021-10-04 - CVE-2023-34132Critical · CVSS 9.8 · EPSS 94th2023-07-13
- CVE-2023-23450Critical · CVSS 9.8 · EPSS 49th2023-05-15
- CVE-2026-9222
Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication
Critical · CVSS 9.2 · EPSS 15th2026-06-25 - CVE-2023-4299Critical · CVSS 9.0 · EPSS 42th2023-08-31
- CVE-2023-39546High · CVSS 8.8 · EPSS 46th2023-11-17
- CVE-2023-23614
Improper session handling of "Remember me for 7 days" functionality
High · CVSS 8.8 · EPSS 58th2023-01-26 - CVE-2022-32282High · CVSS 8.8 · EPSS 73th2022-08-22
- CVE-2019-25552
CEWE PHOTO SHOW 6.4.3 Denial of Service via Password Field
High · CVSS 8.7 · EPSS 32th2026-03-21 - CVE-2025-64471High · CVSS 7.5 · EPSS 22th2025-12-09
- CVE-2025-48925High · CVSS 7.5 · EPSS 14th2025-05-28
- CVE-2017-7927High · CVSS 7.3 · EPSS 98th2017-05-06
Showing 12 of 14 recorded CWE-836 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-836 vulnerabilitiesCommon consequences
What can happen when CWE-836 is exploited.
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Affects: Access Control
An attacker could bypass the authentication routine without knowing the original password.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2009-1283 — Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
- CVE-2005-3435 — Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-836.
- What is CWE-836?
- The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
- What CVEs are caused by CWE-836?
- 14 recorded CVEs are attributed to CWE-836, including CVE-2021-23857, CVE-2023-34132, CVE-2023-23450.
- What are the consequences of CWE-836?
- Exploiting CWE-836 can lead to: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
- Is CWE-836 actively exploited?
- 14 recorded CVEs are caused by CWE-836; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-836) (opens in a new tab)
- CWE-836 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-836
Get alerted the moment a new CWE-836 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.