CWE · MITRE source
CWE-642External Control of Critical State Data
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then it may create a vulnerability. For example, an application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (4)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SI-22 | Information Diversity | SI | Directly counters external corruption or unavailability of critical state data by mandating and using alternative sources for essential functions. |
SI-9 | Information Input Restrictions | SI | Limits external actors' ability to control critical state through input channels. |
CM-3 | Configuration Change Control | CM | Monitors, approves, and documents changes to critical configuration state data, mitigating external control risks. |
IA-4 | Identifier Management | IA | Requires authorization and prevents reuse, mitigating external control of critical identifier state data. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2018-15382 | 1.8 | 8.6 | 0.0068 | 2018-10-05 |
CVE-2020-27872 | 1.8 | 8.8 | 0.0111 | 2021-02-04 |
CVE-2019-9496 | 1.6 | 7.5 | 0.0236 | 2019-04-17 |
CVE-2023-0575 | 1.5 | 7.2 | 0.0050 | 2023-02-09 |
CVE-2026-29146 | 1.5 | 7.5 | 0.0010 | 2026-04-09 |
CVE-2020-26186 | 1.4 | 6.8 | 0.0004 | 2021-01-08 |
CVE-2022-22154 | 1.4 | 6.8 | 0.0005 | 2022-01-19 |
CVE-2024-22387 | 1.4 | 6.8 | 0.0012 | 2024-07-11 |
CVE-2025-49090 | 1.4 | 7.1 | 0.0005 | 2025-10-02 |
CVE-2024-8754 | 1.3 | 6.4 | 0.0003 | 2024-09-12 |
CVE-2017-0928 | 1.2 | 6.1 | 0.0019 | 2018-06-04 |
CVE-2022-32859 | 1.1 | 5.3 | 0.0024 | 2022-11-01 |
CVE-2020-1976 | 0.9 | 4.7 | 0.0013 | 2020-02-12 |
CVE-2025-26787 | 0.9 | 4.7 | 0.0005 | 2025-12-22 |
CVE-2025-54566 | 0.8 | 4.2 | 0.0001 | 2025-07-25 |
CVE-2024-58265 | 0.6 | 3.1 | 0.0008 | 2025-07-27 |