CWE · MITRE source
CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable
The product uses an environment variable to store unencrypted sensitive information.
Information stored in an environment variable can be accessible to other processes that share the execution context, including child processes in which dependencies are executed, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (0)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | | | |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2023-5720 | 1.7 | 7.7 | 0.0271 | 2023-11-15 |
| CVE-2025-28381 | 1.5 | 7.5 | 0.0043 | 2025-06-13 |
| CVE-2026-40153 | 1.5 | 7.4 | 0.0003 | 2026-04-09 |
| CVE-2024-2700 | 1.4 | 7.0 | 0.0004 | 2024-04-04 |
| CVE-2024-4369 | 1.4 | 6.8 | 0.0003 | 2024-05-01 |
| CVE-2023-43029 | 1.4 | 6.8 | 0.0006 | 2025-03-21 |
| CVE-2024-12604 | 1.3 | 6.5 | 0.0010 | 2025-03-10 |
| CVE-2025-36017 | 1.3 | 6.5 | 0.0003 | 2025-12-08 |
| CVE-2025-0985 | 1.1 | 5.5 | 0.0010 | 2025-02-28 |
| CVE-2025-27899 | 1.1 | 5.3 | 0.0004 | 2026-02-17 |
| CVE-2024-11736 | 1.0 | 4.9 | 0.0002 | 2025-01-14 |
| CVE-2025-9162 | 1.0 | 4.9 | 0.0003 | 2025-08-21 |
| CVE-2025-36105 | 0.9 | 4.4 | 0.0001 | 2026-03-10 |
| CVE-2023-47615 | 0.7 | 3.3 | 0.0002 | 2023-11-09 |
| CVE-2023-35931 | 0.6 | 3.1 | 0.0046 | 2023-06-23 |
| CVE-2014-2377 | 0.0 | 0.0 | 0.0052 | 2014-09-15 |