CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
moderate-risk
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
Abstraction: Base
Common Consequences
Access Control → Bypass Protection Mechanism
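The ordering problem described above, as an added example that is not part of the original entry: a constructed request handler that authorizes on the raw path before decoding it, beside one that canonicalizes first and then authorizes and routes on the same canonical path. The `/admin` policy, the function names and the sample paths are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical policy: everything under /admin requires an admin session.
PROTECTED_PREFIXES = ("/admin",)

def canonicalize(raw_path):
    """Percent-decode once, reject ambiguous input, resolve dot segments."""
    path = unquote(raw_path)
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        raise ValueError("rejected path: %r" % raw_path)
    # normpath keeps a leading '//', so strip and re-add a single slash.
    return "/" + posixpath.normpath(path).lstrip("/")

def is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def handle_wrong_order(raw_path, is_admin):
    """CWE-551 ordering: authorize on the raw string, canonicalize afterwards."""
    if is_protected(raw_path) and not is_admin:
        return 403, raw_path
    return 200, canonicalize(raw_path)  # the resource actually served

def handle_hardened(raw_path, is_admin):
    """Canonicalize first; authorize and route on the same canonical path."""
    path = canonicalize(raw_path)
    if is_protected(path) and not is_admin:
        return 403, path
    return 200, path

# Constructed sample request paths, all sent without an admin session.
SAMPLES = ["/public/index.html", "/admin/users", "/public/%2e%2e/admin/users",
           "/%61dmin/users", "//admin/users"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, handle_wrong_order(raw, False), handle_hardened(raw, False))
```

The hardened handler only holds if nothing downstream decodes or normalizes the path a second time; whatever serves the resource must consume the same canonical string the authorization check saw.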
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2021-34429 | 5.3 | 93.8% | — |
| CVE-2021-28164 | 5.3 | 93.5% | — |
| CVE-2023-23924 | 10.0 | 51.5% | — |
| CVE-2021-28165 | 7.5 | 12.0% | — |
| CVE-2021-31384 | 7.2 | 0.4% | — |
| CVE-2021-32779 | 8.6 | 0.0% | — |
| CVE-2026-0707 | 5.3 | 0.0% | — |
| CVE-2016-20030 | 9.8 | 0.0% | — |
| CVE-2026-4636 | 8.1 | 0.0% | — |
| CVE-2021-32777 | 8.6 | 0.0% | — |
34 / 100 · moderate-risk
Active Threat: 34/50 · High
Exploit Availability: 0/50 · Minimal