August 2018
Information disclosure is a category of threat in which a software system fails to protect information from individuals who are not supposed to have access to it. Examples include allowing an attacker to read data from a database, or to read data while it is in transit over a network.
The information that an attacker obtains could potentially be used for other types of attack. For example, an attacker can obtain system information (server OS version, application framework version, and so on), source code details, information from error messages, account credentials, or API keys. Any of these can then serve as the basis for further, more damaging attacks.
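As an added illustration (not code from the book), the following Python check audits one raw HTTP response for the kinds of leaked information listed above. The sample response, the header set, the patterns and the names `audit_response` and `redact` are assumptions made for this example.

```python
import re

# Constructed sample: a verbose 500 response from a hypothetical application.
SAMPLE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: ExampleFramework/3.1\r\n"
    "\r\n"
    "Traceback (most recent call last):\n"
    '  File "/srv/app/views.py", line 42, in checkout\n'
    "    client = Gateway(api_key='sk_test_CONSTRUCTED0001')\n"
    "KeyError: 'cart'\n"
)

# Header and body patterns for the kinds of leaked information listed above.
HEADER_CHECKS = {
    "server": re.compile(r"\d+\.\d+"),   # banner that includes a version number
    "x-powered-by": re.compile(r".+"),   # framework advertised at all
}
BODY_CHECKS = [
    ("error message", re.compile(r"Traceback \(most recent call last\)|Stack trace:")),
    ("source code detail", re.compile(r'File "([^"]+)", line \d+')),
    ("credential or API key", re.compile(
        r"(?i)\b(api[_-]?key|password|secret)\b\s*[=:]\s*['\"]?([^\s'\"&<]{6,})")),
]

def redact(value, keep=4):  # keep a short prefix so the report does not repeat the secret
    return value[:keep] + "*" * max(len(value) - keep, 0)

def audit_response(raw):
    """Return (category, evidence) findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    for name, pattern in HEADER_CHECKS.items():
        if pattern.search(headers.get(name, "")):
            findings.append(("system information", f"{name}: {headers[name]}"))
    for category, pattern in BODY_CHECKS:
        for m in pattern.finditer(body):
            if category == "credential or API key":
                evidence = f"{m.group(1)}={redact(m.group(2))}"
            else:
                evidence = m.group(1) if m.lastindex else m.group(0)
            findings.append((category, evidence))
    return findings
```

Calling `audit_response(SAMPLE)` reports five findings; a response with a bare `Server: nginx` banner and no error detail reports none.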