CWE-200

Unintentional disclosure of PII, internal system details, or credentials through error messages, API responses, debug output, or misconfigured access controls....

Verified by Precogs Threat Research
BASE SCORE
7.5 CRITICAL

Precogs AI Insight

"Precogs AI detects sensitive information exposure paths — from verbose error handlers to misconfigured API responses — and generates targeted fixes."

EXPLOIT PROBABILITYHigh
PUBLIC POCAvailable

What is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)?

Unintentional disclosure of PII, internal system details, or credentials through error messages, API responses, debug output, or misconfigured access controls.

Vulnerability Insights

In the context of pii & secrets detection vulnerabilities, this vulnerability poses significant risk because compiled binaries and complex AI logic cannot be easily patched without vendor cooperation. Organizations relying on third-party software must use structural analysis tools to detect these flaws.

Impact on Systems

  • Compromise of Application Integrity: Predictable execution flow is disrupted
  • Potential Data Exposure: Depending on context, sensitive configurations may leak
  • Availability Risks: Unexpected states leading to temporary denial of service

Real-World Attack Scenario

An attacker probes the system interfaces to identify areas where the input or state related to Exposure of Sensitive Information to an Unauthorized Actor is improperly handled. Once identified, they craft a payload tailored to the specific backend architecture. By exploiting the lack of robust structural validation, the attacker is able to force the application into an unintended state, bypassing standard business logic and achieving unauthorized outcomes.

Code Examples

Vulnerable Implementation

// VULNERABLE: Unvalidated input leading to Exposure of Sensitive Information to an Unauthorized Actor
function processInput(data) {
    // Missing strict validation or sanitization
    executeOrStoreConfig(data);
}

Secure Alternative

// SECURE: Proper validation mitigating Exposure of Sensitive Information to an Unauthorized Actor
function processInput(data) {
    if (!isValid(data)) throw new Error('Invalid input');
    const safeData = sanitize(data);
    executeOrStoreConfig(safeData);
}

Remediation

Ensure robust input validation, boundary checking, and adherence to secure architecture frameworks when designing PII & Secrets solutions. Use automated code scanning or binary analysis to detect flaws early in the SDLC.

CVEs Classified Under CWE-20025 vulnerabilities

The following CVEs have been classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Each CVE represents a specific vulnerability instance of this weakness type.

CVE-2026-32938SiYuan is a personal knowledge management system
CVSS 9.9CRITICALMar 20, 2026
CVE-2026-32865OPEXUS eComplaint and eCASE before version 10
CVSS 9.8CRITICALMar 19, 2026
CVE-2026-32890Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server
CVSS 9.6CRITICALMar 20, 2026
CVE-2025-59434[Flowise] Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function
CVSS 9.5CRITICALSep 12, 2025
CVE-2026-32633Glances is an open-source system cross-platform monitoring tool
CVSS 9.1CRITICALMar 18, 2026
CVE-2026-23659Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network
CVSS 8.6HIGHMar 19, 2026
CVE-2025-67732[dify] Plaintext API Key Exposure via Model Provider Configuration Endpoint
CVSS 8HIGHJan 4, 2026
CVE-2025-31491[AutoGPT] Leakage of cross-domain cookies and protected headers in requests redirect
CVSS 8HIGHApr 11, 2025
CVE-2026-2476Mattermost Plugins versions <=2
CVSS 7.6HIGHMar 16, 2026
CVE-2026-33180HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java
CVSS 7.5HIGHMar 20, 2026
CVE-2026-32609Glances is an open-source system cross-platform monitoring tool
CVSS 7.5HIGHMar 18, 2026
CVE-2026-32596Glances is an open-source system cross-platform monitoring tool
CVSS 7.5HIGHMar 18, 2026
CVE-2026-29108SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application
CVSS 6.5MEDIUMMar 20, 2026
CVE-2026-33355Discourse is an open-source discussion platform
CVSS 6.5MEDIUMMar 19, 2026
CVE-2026-33163Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
CVSS 6.5MEDIUMMar 18, 2026
CVE-2026-1267IBM Planning Analytics Local 2
CVSS 6.5MEDIUMMar 17, 2026
CVE-2026-33041WWBN AVideo is an open source video platform
CVSS 5.3MEDIUMMar 20, 2026
CVE-2026-32002OpenClaw versions prior to 2026
CVSS 5.3MEDIUMMar 19, 2026
CVE-2026-32099Discourse is an open-source discussion platform
CVSS 4.3MEDIUMMar 19, 2026
CVE-2026-2571The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3
CVSS 4.3MEDIUMMar 19, 2026
CVE-2026-33004Jenkins LoadNinja Plugin 2
CVSS 4.3MEDIUMMar 18, 2026
CVE-2026-28506Outline is a service that allows for collaborative documentation
CVSS 4.3MEDIUMMar 17, 2026
CVE-2026-33422Discourse is an open-source discussion platform
CVSS 3.5LOWMar 20, 2026
CVE-2025-31494[AutoGPT] Cross-user sharing of node execution results through WebSockets API
CVSS 3LOWApr 11, 2025
CVE-2026-33394Discourse is an open-source discussion platform
CVSS 2.7LOWMar 19, 2026

Supplemental Intelligence & References

📋 OWASP Top 10

🔗 External References