CWE · MITRE source
CWE-636Not Failing Securely ('Failing Open')
When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
By entering a less secure state, the product inherits the weaknesses associated with that state, making it easier to compromise. At the least, it causes administrators to have a false sense of security. This weakness typically occurs as a result of wanting to "fail functional" to minimize administration and support costs, instead of "failing safe."
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (9)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SI-13 | Predictable Failure Prevention | SI | Standby components and explicit exchange criteria enforce a controlled, secure failover instead of failing open. |
SI-17 | Fail-safe Procedures | SI | Directly implements fail-safe (fail-closed/secure) behavior on indicated failures, preventing the system from defaulting to an insecure open state. |
SI-6 | Security and Privacy Function Verification | SI | Failed verification tests trigger alerts, reducing the window for exploitation when systems fail open. |
AU-15 | Alternate Audit Logging Capability | AU | Ensures audit logging continues on primary failure instead of failing open with no logging capability. |
AU-5 | Response to Audit Logging Process Failures | AU | Supports failing securely by requiring alerts and configurable actions (e.g., shutdown) when the audit mechanism fails instead of continuing without it. |
CP-12 | Safe Mode | CP | Entering safe mode when conditions are detected prevents failing open and continuing normal operation in a potentially exploitable state. |
CP-13 | Alternative Security Mechanisms | CP | Ensures security functions remain enforced via alternatives instead of defaulting to an insecure state when the primary means fails. |
SA-8 | Security and Privacy Engineering Principles | SA | Fail-safe-defaults principle prevents systems from failing open. |
SC-24 | Fail in Known State | SC | Directly requires transition to a known (secure) state on failure, preventing fail-open behavior. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2024-43532 | 5.4 | 8.8 | 0.6141 | 2024-10-08 |
CVE-2024-3729 | 2.0 | 9.8 | 0.0055 | 2024-05-02 |
CVE-2026-22034 | 2.0 | 9.8 | 0.0005 | 2026-01-08 |
CVE-2021-1578 | 1.8 | 8.8 | 0.0105 | 2021-08-25 |
CVE-2026-40525 | 1.8 | 9.1 | 0.0029 | 2026-04-17 |
CVE-2023-4030 | 1.7 | 8.4 | 0.0007 | 2023-08-17 |
CVE-2023-28841 | 1.6 | 6.8 | 0.0419 | 2023-04-04 |
CVE-2026-35205 | 1.6 | 7.8 | 0.0002 | 2026-04-09 |
CVE-2023-28840 | 1.5 | 7.5 | 0.0065 | 2023-04-04 |
CVE-2024-8185 | 1.5 | 7.5 | 0.0081 | 2024-10-31 |
CVE-2026-35042 | 1.5 | 7.5 | 0.0002 | 2026-04-06 |
CVE-2026-40247 | 1.5 | 7.5 | 0.0003 | 2026-04-16 |
CVE-2026-40248 | 1.5 | 7.5 | 0.0003 | 2026-04-16 |
CVE-2026-42423 | 1.5 | 7.5 | 0.0005 | 2026-04-28 |
CVE-2023-28842 | 1.4 | 6.8 | 0.0086 | 2023-04-04 |
CVE-2021-3614 | 1.3 | 6.4 | 0.0005 | 2021-07-16 |
CVE-2024-2660 | 1.3 | 6.4 | 0.0069 | 2024-04-04 |
CVE-2026-41334 | 1.3 | 6.5 | 0.0005 | 2026-04-23 |
CVE-2026-27448 | 1.1 | 5.3 | 0.0004 | 2026-03-18 |
CVE-2026-40249 | 1.1 | 5.3 | 0.0002 | 2026-04-16 |
CVE-2023-22943 | 1.0 | 4.8 | 0.0033 | 2023-02-14 |
CVE-2025-41759 | 1.0 | 4.9 | 0.0001 | 2026-03-09 |
CVE-2025-41760 | 1.0 | 4.9 | 0.0001 | 2026-03-09 |
CVE-2025-21210 | 0.9 | 4.2 | 0.0023 | 2025-01-14 |
CVE-2026-41377 | 0.9 | 4.6 | 0.0003 | 2026-04-28 |