Home/CWE/Reliance on Security Through Obscurity
Weakness

Reliance on Security Through Obscurity

CWE-656 · Class · Draft

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.

Extended description

This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker.

however, it is a significant risk if used as the primary means of protection.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-657 · Violation of Secure Design Principles
ChildOfCWE-693 · Protection Mechanism Failure
Related
CanPrecedeCWE-259 · Use of Hard-coded Password
CanPrecedeCWE-321 · Use of Hard-coded Cryptographic Key
CanPrecedeCWE-472 · External Control of Assumed-Immutable Web Parameter

CVEs With This Weakness

11
CVEs tagged with this weakness.
CVECVE-2026-7161
CVECVE-2026-42363
CVECVE-2025-7020
CVECVE-2025-59093
CVECVE-2025-25983
CVECVE-2024-9138
CVECVE-2024-5244
CVECVE-2024-12297
CVECVE-2020-10286
CVECVE-2020-10284
CVECVE-2020-10277
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin