CWE-921 (Storage of Sensitive Data in a Mechanism without Access Control) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product stores sensitive information in a file system or device that does not have built-in access control.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Mobile | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2025-30016 | 2025-04-08 | SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there … |
| CVE-2025-24843 | 2025-02-28 | Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data. |
| CVE-2024-9334 | 2025-02-27 | Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass. This issue affects Palliu… |
| CVE-2025-24870 | 2025-02-11 | SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege esca… |
| CVE-2024-5206 | 2024-06-06 | A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability a… |
| CVE-2023-41818 | 2024-05-03 | An improper use of the SD card for sensitive data vulnerability was reported in the Motorola Device Help application that could allow a local attacker to read system logs. |
| CVE-2023-41965 | 2023-09-18 | Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process. |
| CVE-2023-2665 | 2023-05-12 | Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0. |
| CVE-2021-27456 | 2022-03-23 | Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control. |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, References, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Weakness_Ordinalities |