Cyber Posture

CWE · MITRE source

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · CVEs in our corpus: 174

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (33) [AI]

The 15 most specific controls are listed first; 18 more broadly applicable controls that address many weakness types follow in a second table.

Control | Title | Family | Why it addresses this CWE
PM-18 | Privacy Program Plan | PM | The privacy program plan explicitly addresses protection of personal information, mandating controls and resources that prevent unauthorized exposure of private personal data across the enterprise.
PM-19 | Privacy Program Leadership Role | PM | Dedicated accountability and resources for managing privacy risks directly reduce exposure of private personal information.
PM-20 | Dissemination of Privacy Program Information | PM | Public dissemination of privacy practices, reports, and feedback channels increases organizational accountability and enables external scrutiny, reducing the likelihood that exposures of private personal information remain undetected or unremediated.
PT-1 | Policy and Procedures | PT | PII transparency and processing policy plus procedures reduce the chance of unauthorized exposure of private personal information.
PT-2 | Authority to Process Personally Identifiable Information | PT | Enforces restriction of PII processing to authorized purposes, reducing exposure of private personal information to unauthorized actors.
PT-3 | Personally Identifiable Information Processing Purposes | PT | Restricts PII processing and disclosure to authorized purposes, reducing unauthorized exposure of private personal information.
AC-15 | Automated Marking | AC | Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure.
AC-16 | Security and Privacy Attributes | AC | Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.
AC-22 | Publicly Accessible Content | AC | Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data.
RA-2 | Security Categorization | RA | Explicit categorization of PII ensures stronger privacy controls are applied and approved before system operation.
RA-3 | Risk Assessment | RA | The control specifically requires assessing adverse effects from PII processing, directly mitigating privacy-related information exposure.
RA-8 | Privacy Impact Assessments | RA | PIAs explicitly identify and drive mitigation of risks involving unauthorized exposure or misuse of private personal information before systems or collections are implemented.
SI-18 | Personally Identifiable Information Quality Operations | SI | Targeted operations on PII accuracy, timeliness, and deletion reduce the risk of private personal information remaining available for unauthorized exposure.
SI-19 | De-identification | SI | Explicitly targets removal of private personal information (PII) to stop its exposure to unauthorized parties.
SI-20 | Tainting | SI | Tainting enables identification of exfiltration of private personal information to unauthorized parties.
Broadly applicable controls (18)

Control | Title | Family | Why it addresses this CWE
PM-21 | Accounting of Disclosures | PM | The control mandates an auditable trail specifically for private personal information, making unauthorized disclosures of PII more readily discoverable by the affected individual.
PM-22 | Personally Identifiable Information Quality Management | PM | Organization-wide accuracy, relevance, and deletion rules limit the private personal information available for unauthorized exposure.
PM-24 | Data Integrity Board | PM | The board evaluates privacy implications of proposed matching, directly mitigating exposure of private personal information through uncontrolled data sharing.
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | PM | Explicitly limits use of private personal information (PII) for non-operational purposes, reducing opportunities for its exposure outside production systems.
PM-26 | Complaint Management | PM | Gives data subjects a reliable mechanism to report exposure of private personal information, driving corrective action that mitigates privacy-related information-leakage weaknesses.
PM-27 | Privacy Reporting | PM | Directly monitors compliance with mandates protecting personal information, making undetected exposure to unauthorized actors harder to sustain.
PT-4 | Consent | PT | Mandating consent prior to collection directly prevents unauthorized exposure of private personal information.
PT-5 | Privacy Notice | PT | Clear, plain-language notice of PII processing authority, purposes, and scope creates transparency that makes unauthorized exposure of private personal information more likely to be detected and challenged by individuals.
PT-6 | System of Records Notice | PT | Requiring accurate, policy-scoped SORNs for Privacy Act records forces explicit identification and public documentation of PII handling, directly reducing the likelihood that personal data will be exposed without appropriate safeguards or accountability.
PT-7 | Specific Categories of Personally Identifiable Information | PT | The control mandates tailored handling for designated categories of personally identifiable information, thereby limiting unauthorized disclosure of private personal data.
PT-8 | Computer Matching Requirements | PT | Limits exposure of private personal information by restricting matching to approved programs, publishing notices, and allowing individuals to contest findings.
AC-23 | Data Mining Protection | AC | The control detects and protects against mining of private personal information, reducing unauthorized exposure of PII.
PL-5 | Privacy Impact Assessment | PL | PIA explicitly identifies PII collection/use/disclosure flows and drives mitigations that reduce the likelihood of unauthorized exposure of private personal information.
PL-8 | Security and Privacy Architectures | PL | The control specifically requires architectures that minimize privacy risk when processing PII, directly addressing exposure of personal information.
SC-15 | Collaborative Computing Devices and Applications | SC | Blocks unauthorized remote access that would expose private personal information via collaborative devices.
SC-42 | Sensor Capability and Data | SC | Mandatory user notification of sensor activation makes surreptitious capture of private personal information (camera, microphone, location, etc.) substantially harder to perform without detection.
AT-2 | Literacy Training and Awareness | AT | Privacy literacy training directly targets preventing exposure of personal information through user mishandling.
CM-12 | Information Location | CM | Tracking locations of sensitive data and access users reduces risk of private personal information exposure.

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2022-0482 | 7.3 | 9.1 | 0.9079 | 2022-03-09
CVE-2024-45591 | 6.2 | 5.3 | 0.8619 | 2024-09-10
CVE-2023-50719 | 4.6 | 7.5 | 0.5112 | 2023-12-15
CVE-2024-11396 | 4.3 | 5.3 | 0.5417 | 2025-01-14
CVE-2025-34441 | 4.3 | 7.5 | 0.4749 | 2025-12-17
CVE-2024-30056 | 2.0 | 7.1 | 0.0972 | 2024-05-25
CVE-2022-2921 | 1.8 | 8.8 | 0.0046 | 2022-08-21
CVE-2025-49715 | 1.8 | 7.5 | 0.0573 | 2025-06-20
CVE-2023-36018 | 1.7 | 7.8 | 0.0161 | 2023-11-14
CVE-2023-36052 | 1.7 | 8.6 | 0.0040 | 2023-11-14
CVE-2024-26192 | 1.7 | 8.2 | 0.0021 | 2024-02-23
CVE-2023-50053 | 1.6 | 7.6 | 0.0065 | 2024-04-30
CVE-2024-42347 | 1.6 | 7.7 | 0.0077 | 2024-08-06
CVE-2025-11959 | 1.6 | 8.1 | 0.0004 | 2025-11-11
CVE-2021-21823 | 1.5 | 7.5 | 0.0027 | 2021-08-20
CVE-2021-3980 | 1.5 | 7.5 | 0.0064 | 2021-12-03
CVE-2022-36091 | 1.5 | 7.5 | 0.0045 | 2022-09-08
CVE-2023-2703 | 1.5 | 7.5 | 0.0009 | 2023-05-23
CVE-2023-35151 | 1.5 | 7.5 | 0.0042 | 2023-06-23
CVE-2023-44156 | 1.5 | 7.5 | 0.0024 | 2023-09-27
CVE-2023-5983 | 1.5 | 7.5 | 0.0019 | 2023-11-22
CVE-2024-28387 | 1.5 | 7.5 | 0.0006 | 2024-03-25
CVE-2024-33271 | 1.5 | 7.5 | 0.0023 | 2024-04-29
CVE-2024-36677 | 1.5 | 7.5 | 0.0042 | 2024-06-19
CVE-2024-36682 | 1.5 | 7.5 | 0.0028 | 2024-06-24