A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
View on MITREClient-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
Do not rely on client side data. Always perform server side authentication.
No detection method information available for this CWE.
SCADA system only uses client-side authentication, allowing adversaries to impersonate other users.
View DetailsClient-side check for a password allows access to a server using crafted XML requests from a modified client.
View DetailsCWE-603: Use of Client-Side Authentication is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check. Client-side authentication is extremely weak and may be breached easily. Any attacker may read the source code and reverse-engineer the authentication mechanism to access parts of the application which would otherwise be protected.
If exploited, CWE-603 (Use of Client-Side Authentication) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism and Gain Privileges or Assume Identity.
Recommended mitigations for CWE-603 include: Do not rely on client side data. Always perform server side authentication.
CWE-603 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-603, including CVE-2022-33139 and CVE-2006-0230. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-603 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.