CWE-757 (Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')) documents a weakness type used across vulnerability databases and security assessments.
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |

These CVEs are mapped to this weakness in this database and kept for traceability and search.

| CVE | Published | Summary |
|---|---|---|
| CVE-2026-1677 | 2026-05-11 | Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to m… |
| CVE-2026-6550 | 2026-04-20 | Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass … |
| CVE-2026-32650 | 2026-04-17 | Anviz CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing database credentials to be sent in plaintext and enabling unauthorized database a… |
| CVE-2026-2673 | 2026-03-13 | Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. … |
| CVE-2025-10693 | 2025-10-31 | When SmartStart Inclusion fails during the onboarding of a Z-Wave PIR sensor, the sensor will join the network as a non-secure device. This vulnerability exists in Silicon Labs' Z-Wave PIR Sensor Refe… |
| CVE-2025-59270 | 2025-09-16 | psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' posit… |
| CVE-2025-36582 | 2025-07-01 | Dell NetWorker, versions 19.12.0.1 and prior, contains a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability. An unauthenticated attacker with remote access cou… |
| CVE-2024-8773 | 2025-03-24 | SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue a… |
| CVE-2025-24154 | 2025-01-27 | An out-of-bounds write was addressed with improved input validation. This issue is fixed in iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, visionOS 2.3. An at… |
| CVE-2024-4995 | 2024-12-18 | Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue af… |
| CVE-2024-38883 | 2024-08-02 | An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Drop Encryption Level attack due to the selectio… |
| CVE-2024-20069 | 2024-06-03 | In modem, there is a possible selection of less-secure algorithm during the VoWiFi IKE due to a missing DH downgrade check. This could lead to remote information disclosure with no additional executio… |
| CVE-2024-23656 | 2024-01-25 | Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.… |
| CVE-2022-33160 | 2023-10-06 | IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228568. |
| CVE-2023-2974 | 2023-07-04 | A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the … |
| CVE-2022-23000 | 2022-07-25 | The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdat… |
| CVE-2018-25029 | 2022-02-04 | The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a differ… |
| CVE-2021-36326 | 2021-11-30 | Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, l… |
| CVE-2020-16200 | 2020-09-18 | Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, does not properly control the allocation and maintenance of a limited resource, thereby enabling an attacker to influence the amo… |
| CVE-2020-10135 | 2020-05-19 | Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing creden… |

| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Related_Attack_Patterns |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-01-19 | CWE Content Team | 2.10 | — | updated Related_Attack_Patterns, Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, Relationships |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Observed_Examples, Relationship_Notes, Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Observed_Examples |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |