Log inLog in

Class weakness

Incomplete

CWE-922: Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Last updated May 1, 2026

231

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Real-world CVEs

231 recorded CVEs are caused by CWE-922 (Insecure Storage of Sensitive Information). The highest-severity and most recent are shown first. 10 new CWE-922 CVEs have been recorded so far in 2026 (42 in 2025).

CVE-2024-7569

Critical · CVSS 9.6 · EPSS 92th

2024-08-13

CVE-2025-8699

Critical · CVSS 9.1 · EPSS 23th

2025-09-12

CVE-2024-30896

Critical · CVSS 9.1 · EPSS 97th

2024-11-21

CVE-2024-3501

Critical · CVSS 9.1 · EPSS 45th

2024-11-14

CVE-2024-10943

Critical · CVSS 9.1 · EPSS 26th

2024-11-12

CVE-2022-0724

Critical · CVSS 9.1 · EPSS 64th

2022-02-23

CVE-2025-10971

Insecure Storage of Sensitive Information

High · CVSS 8.8 · EPSS 4th

2025-12-02

CVE-2025-28244

High · CVSS 8.8 · EPSS 67th

2025-07-10

CVE-2023-42913

High · CVSS 8.8 · EPSS 59th

2024-03-28

Showing 12 of 231 recorded CWE-922 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-922 vulnerabilities

Common consequences

What can happen when CWE-922 is exploited.

Read Application Data, Read Files or Directories

Affects: Confidentiality

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Modify Application Data, Modify Files or Directories

Affects: Integrity

Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

System Configuration

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

At least one OT product stored a password in plaintext.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2009-2272 — password and username stored in cleartext in a cookie

Frequently asked questions

Common questions about CWE-922.

What is CWE-922?

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

What CVEs are caused by CWE-922?

231 recorded CVEs are attributed to CWE-922, including CVE-2025-12539, CVE-2023-32191, CVE-2023-29727.

How is CWE-922 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-922?

Exploiting CWE-922 can lead to: Read Application Data, Read Files or Directories, Modify Application Data, Modify Files or Directories.

Is CWE-922 actively exploited?

231 recorded CVEs are caused by CWE-922; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-922

Get alerted the moment a new CWE-922 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing