On April 15, NIST announced a significant change in how the National Vulnerability Database enriches CVE records, limiting full scoring and classification to fewer cases. This adjustment formalizes an ongoing trend that challenges the foundational data many container security and compliance systems depend on.
- NIST limits full enrichment to prioritized CVEs; the rest are marked 'Not Scheduled'.
- Container image vulnerability scans face propagation of unenriched CVEs in dependency chains.
- Programs must update documentation and fallback risk scoring ahead of audits.
Infrastructure signal
NIST has restructured the enrichment process for the National Vulnerability Database, primarily reducing the proportion of CVEs that receive detailed CVSS, CPE, and CWE annotations. While the CVE records continue to be published, most no longer carry the enrichment data that automated vulnerability scanners and compliance systems heavily rely on. This formalizes a backlog that has been building gradually, driven by a 263% rise in CVE submissions over five years and a further quarterly increase in early 2026.
From a cloud infrastructure perspective, this change introduces uncertainty in risk prioritization and tracking workflows that have historically leveraged NVD as an authoritative secondary risk layer. The reduced enrichment restricts automated correlation and severity scoring, placing more responsibility on teams to interpret and contextualize unscored findings based on alternate sources or fallback mechanisms. This may impact capacity planning and cost forecasting for teams scaling container or cloud platform security scanning operations.
Developer impact
Development and security teams that rely on container scanners must acknowledge that many base and transitive package vulnerabilities will no longer have enriched metadata from NVD. Since container images aggregate dependencies in layered structures, unenriched CVEs in base images propagate uncertainty through every image built on top. This complicates vulnerability prioritization, remediation scheduling, and developer decision-making around dependency upgrades and patching.
Developers and security engineers should consider expanding scanner data sources beyond NVD enrichment, using package-specific advisories and heuristic matching independent of CPE metadata. Projects such as Docker Hardened Images illustrate approaches that bundle signed provenance, SBOMs, and exploitability statements to reduce reliance on the NVD’s full enrichment. Ultimately, workflows must evolve to handle higher ambiguity, increased false positives, and more manual review, impacting developer velocity and incident response times.
What teams should watch
Security operations, compliance, and audit teams need to revisit how they document risk assessments and remediation timelines given the irregular scoring in the NVD. Frameworks referencing CVSS as the baseline risk metric remain intact, but organizations must clearly define fallback procedures for unenriched findings, ensuring consistent treatment across cloud service providers and security assessments.
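The fallback scoring that the developer-impact and audit sections call for, as an added example that is not from the article or from any scanner project: each finding is scored from NVD when enriched, from a package or distro advisory when not, and otherwise from a documented policy default that flags it for manual review, with findings rolled up through the base-image chain so inherited unenriched CVEs are counted. The record fields, the 7.0 policy default and the sample CVE identifiers are assumptions; the 'Not Scheduled' status is the one NIST now applies.

```python
# Added example (not from the article or any scanner project): tier the severity
# of scanner findings when NVD enrichment is absent, and roll findings up through
# a container image's base-image chain. Field names and the default are assumed.
from dataclasses import dataclass
from typing import Optional
FALLBACK_DEFAULT = 7.0  # documented policy default for unscored findings (assumption)

@dataclass
class Finding:
    cve: str
    nvd_status: str                 # "Analyzed" or "Not Scheduled"
    nvd_cvss: Optional[float]       # only present once NVD has enriched the record
    advisory_cvss: Optional[float]  # distro / package advisory score, if one exists

@dataclass
class Image:
    name: str
    findings: list[Finding]           # findings introduced by this image's own layers
    parent: Optional["Image"] = None  # base image, whose findings are inherited

def score(f: Finding) -> tuple[float, str]:
    """Return (severity, source); source records which fallback tier was used."""
    if f.nvd_cvss is not None:
        return f.nvd_cvss, "nvd"
    if f.advisory_cvss is not None:
        return f.advisory_cvss, "advisory"
    return FALLBACK_DEFAULT, "default"  # no score anywhere: hold for manual review

def all_findings(img: Image) -> list[Finding]:
    # Walk up to the root base image, prepending each layer's own findings.
    chain: list[Finding] = []
    while img is not None:
        chain = img.findings + chain
        img = img.parent
    return chain

def report(img: Image) -> dict:
    # Audit-oriented summary: how much of the image's risk rests on fallbacks.
    rows = [(f.cve, *score(f)) for f in all_findings(img)]
    return {
        "image": img.name,
        "total": len(rows),
        "unenriched": sum(1 for r in rows if r[2] != "nvd"),
        "needs_review": [r[0] for r in rows if r[2] == "default"],
        "max_severity": max((r[1] for r in rows), default=0.0),
    }

# Constructed sample: the base image carries one enriched and one unscheduled CVE;
# the application image adds a finding that only a package advisory has scored.
BASE = Image("base-os", [Finding("CVE-0000-0001", "Analyzed", 9.8, 9.8),
                         Finding("CVE-0000-0002", "Not Scheduled", None, None)])
APP = Image("app", [Finding("CVE-0000-0003", "Not Scheduled", None, 5.3)], parent=BASE)
```

The `source` field in each row is what an auditor will ask for: it shows which findings were scored from NVD, which from an advisory, and which only from policy.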
Teams should monitor NIST communications on enrichment requests and understand that no service level agreements exist for priority changes. Additionally, because the change is global, cloud operators and platform teams across regions must prepare for variable enrichment availability and possibly increased reliance on complementary advisory sources to maintain SLA commitments and audit readiness. Ongoing efforts to enhance observability and integrate multi-source vulnerability intelligence will be critical.