CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-2H55-W7Q6-9V78
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870.
{
"affected": [],
"aliases": [
"CVE-2018-1785"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-26T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870.",
"id": "GHSA-2h55-w7q6-9v78",
"modified": "2022-05-13T01:05:03Z",
"published": "2022-05-13T01:05:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1785"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148870"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10729873"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2P84-F2F6-W7C4
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.
{
"affected": [],
"aliases": [
"CVE-2021-37546"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.",
"id": "GHSA-2p84-f2f6-w7c4",
"modified": "2022-07-13T00:01:34Z",
"published": "2022-05-24T19:10:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37546"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2P8X-JCRP-PQ93
Vulnerability from github – Published: 2022-05-17 03:44 – Updated: 2022-05-17 03:44Huawei AR routers with software before V200R007C00SPC100; Quidway S9300 routers with software before V200R009C00; S12700 routers with software before V200R008C00SPC500; S9300, Quidway S5300, and S5300 routers with software before V200R007C00; and S5700 routers with software before V200R007C00SPC500 makes it easier for remote authenticated administrators to obtain encryption keys and ciphertext passwords via vectors related to key storage.
{
"affected": [],
"aliases": [
"CVE-2015-8086"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-03T21:59:00Z",
"severity": "MODERATE"
},
"details": "Huawei AR routers with software before V200R007C00SPC100; Quidway S9300 routers with software before V200R009C00; S12700 routers with software before V200R008C00SPC500; S9300, Quidway S5300, and S5300 routers with software before V200R007C00; and S5700 routers with software before V200R007C00SPC500 makes it easier for remote authenticated administrators to obtain encryption keys and ciphertext passwords via vectors related to key storage.",
"id": "GHSA-2p8x-jcrp-pq93",
"modified": "2022-05-17T03:44:03Z",
"published": "2022-05-17T03:44:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8086"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/hw-455876"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76897"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2RCC-9G8P-Q2VR
Vulnerability from github – Published: 2025-06-04 15:30 – Updated: 2025-06-04 15:30Weak server key used for TLS encryption. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938.
{
"affected": [],
"aliases": [
"CVE-2025-48960"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-04T14:15:29Z",
"severity": "MODERATE"
},
"details": "Weak server key used for TLS encryption. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938.",
"id": "GHSA-2rcc-9g8p-q2vr",
"modified": "2025-06-04T15:30:40Z",
"published": "2025-06-04T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48960"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-6403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2RHR-9V3P-VV9J
Vulnerability from github – Published: 2024-03-06 12:30 – Updated: 2024-03-06 12:30This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system.
Successful exploitation of this vulnerability could allow the attacker to take complete control of the application on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-25102"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-06T12:15:45Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to take complete control of the application on the targeted system.\n",
"id": "GHSA-2rhr-9v3p-vv9j",
"modified": "2024-03-06T12:30:28Z",
"published": "2024-03-06T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25102"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0081"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2VCR-G749-75QC
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
{
"affected": [],
"aliases": [
"CVE-2019-18630"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-04T23:15:00Z",
"severity": "HIGH"
},
"details": "On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.",
"id": "GHSA-2vcr-g749-75qc",
"modified": "2022-05-24T17:43:43Z",
"published": "2022-05-24T17:43:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18630"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2021/03/cert_Security_Mini_Bulletin_XRX20I_for_ALB80xx-C80xx_v1.2.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2W26-5WWQ-P3H6
Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2025-04-20 03:36On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.
{
"affected": [],
"aliases": [
"CVE-2017-8076"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-23T16:59:00Z",
"severity": "CRITICAL"
},
"details": "On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.",
"id": "GHSA-2w26-5wwq-p3h6",
"modified": "2025-04-20T03:36:33Z",
"published": "2022-05-17T02:47:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8076"
},
{
"type": "WEB",
"url": "https://chmod750.com/2017/04/23/vulnerability-disclosure-tp-link"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WRH-3GMH-MGCW
Vulnerability from github – Published: 2024-04-19 18:31 – Updated: 2024-04-19 18:31IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security. IBM X-Force ID: 236452.
{
"affected": [],
"aliases": [
"CVE-2022-40745"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T17:15:51Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security. IBM X-Force ID: 236452.",
"id": "GHSA-2wrh-3gmh-mgcw",
"modified": "2024-04-19T18:31:13Z",
"published": "2024-04-19T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40745"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236452"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7148632"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2X45-7FC3-MXWQ
Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2026-02-27 18:57php-jwt v6.11.0 was discovered to contain weak encryption.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "firebase/php-jwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-45769"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T00:55:29Z",
"nvd_published_at": "2025-07-31T20:15:33Z",
"severity": "LOW"
},
"details": "php-jwt v6.11.0 was discovered to contain weak encryption.",
"id": "GHSA-2x45-7fc3-mxwq",
"modified": "2026-02-27T18:57:12Z",
"published": "2025-07-31T21:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45769"
},
{
"type": "WEB",
"url": "https://github.com/firebase/php-jwt/issues/611"
},
{
"type": "WEB",
"url": "https://github.com/firebase/php-jwt/issues/618"
},
{
"type": "WEB",
"url": "https://github.com/firebase/php-jwt/issues/620"
},
{
"type": "WEB",
"url": "https://github.com/firebase/php-jwt/pull/613"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/6954"
},
{
"type": "WEB",
"url": "https://github.com/firebase/php-jwt/commit/6b80341bf57838ea2d011487917337901cd71576"
},
{
"type": "WEB",
"url": "https://gist.github.com/ZupeiNie/83756316c4c24fe97a50176a92608db3"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2x45-7fc3-mxwq"
},
{
"type": "WEB",
"url": "https://github.com/firebase"
},
{
"type": "PACKAGE",
"url": "https://github.com/firebase/php-jwt"
},
{
"type": "WEB",
"url": "https://github.com/firebase/php-jwt/releases/tag/v7.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "php-jwt contains weak encryption"
}
GHSA-2XRJ-WRQ4-FF74
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server applies weak cryptography when exposing device (camera) passwords. This could allow an unauthenticated remote attacker to read and decrypt the passwords and conduct further attacks.
{
"affected": [],
"aliases": [
"CVE-2019-19299"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server applies weak cryptography when exposing device (camera) passwords. This could allow an unauthenticated remote attacker to read and decrypt the passwords and conduct further attacks.",
"id": "GHSA-2xrj-wrq4-ff74",
"modified": "2022-05-24T17:10:37Z",
"published": "2022-05-24T17:10:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19299"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.