VYPR

CWE-1220

Insufficient Granularity of Access Control

Abstraction: Base · Status: Incomplete

Description

The product implements access controls via a policy or other feature with the intention of disabling or restricting accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad: the narrowest grant the policy can express still allows accesses from unauthorized agents to the security-sensitive assets.
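As an added illustration (this is not part of the CWE entry and not any vendor's code), the following Python models a hypothetical memory-mapped register block. An untrusted agent legitimately needs to read STATUS and write DATA_IN, but a policy that can only grant access per block also hands it write access to the KEY and LOCK registers; a policy with per-register granularity meets the same intent without that side effect. The register map, the agent names and both policy classes are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed register map for a hypothetical device block: name -> (offset, sensitive)
REGISTERS = {
    "STATUS":  (0x00, False),
    "DATA_IN": (0x04, False),
    "KEY":     (0x08, True),   # security-sensitive asset
    "LOCK":    (0x0C, True),   # security-sensitive asset
}
BLOCK_BASE = 0x1000
BLOCK_SIZE = 0x10
READ, WRITE = "r", "w"


def in_block(addr):
    return BLOCK_BASE <= addr < BLOCK_BASE + BLOCK_SIZE


@dataclass
class CoarsePolicy:
    """Block-level grants only: agent -> set of modes over the whole block.

    This is the CWE-1220 pattern: the policy cannot express "DATA_IN but not KEY".
    """
    grants: dict = field(default_factory=dict)

    def allow(self, agent, mode, addr):
        return in_block(addr) and mode in self.grants.get(agent, set())


@dataclass
class FinePolicy:
    """Register-level grants: set of (agent, register, mode); default deny."""
    grants: set = field(default_factory=set)

    def allow(self, agent, mode, addr):
        for name, (offset, _sensitive) in REGISTERS.items():
            if BLOCK_BASE + offset == addr:
                return (agent, name, mode) in self.grants
        return False  # not a defined register (e.g. padding): deny


def build_coarse_policy():
    # Intent: the untrusted agent reads STATUS and writes DATA_IN. With only
    # block granularity, the narrowest grant that satisfies that intent is r+w
    # on the entire block, which also covers KEY and LOCK.
    return CoarsePolicy(grants={
        "untrusted": {READ, WRITE},
        "firmware": {READ, WRITE},
    })


def build_fine_policy():
    # Same intent, expressed per register; everything not listed is denied.
    return FinePolicy(grants={
        ("untrusted", "STATUS", READ),
        ("untrusted", "DATA_IN", WRITE),
        ("firmware", "STATUS", READ),
        ("firmware", "DATA_IN", WRITE),
        ("firmware", "KEY", WRITE),
        ("firmware", "LOCK", WRITE),
    })


def writable_sensitive_assets(policy, agent):
    """Sensitive registers the agent can write under the policy (should be empty for 'untrusted')."""
    return sorted(
        name for name, (offset, sensitive) in REGISTERS.items()
        if sensitive and policy.allow(agent, WRITE, BLOCK_BASE + offset)
    )


def intended_accesses_work(policy, agent="untrusted"):
    """Both policies must still permit the legitimate accesses."""
    return (policy.allow(agent, READ, BLOCK_BASE + REGISTERS["STATUS"][0])
            and policy.allow(agent, WRITE, BLOCK_BASE + REGISTERS["DATA_IN"][0]))


if __name__ == "__main__":
    for label, policy in (("coarse", build_coarse_policy()), ("fine", build_fine_policy())):
        print(label, "intended ok:", intended_accesses_work(policy),
              "| untrusted can write:", writable_sensitive_assets(policy, "untrusted"))
```

The check worth keeping from this toy is `writable_sensitive_assets`: enumerate every sensitive asset and ask the policy, per agent, whether it is reachable. When the answer for an untrusted agent is non-empty even though the policy was written "correctly", the defect is in the policy's granularity, not in how it was configured.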

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180

CVEs mapped to this weakness (47)

page 1 of 3
  • CVE-2025-31201 · Critical · KEV · Apr 16, 2025
    risk 0.76 · cvss 9.8 · epss 0.12

    This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of…

  • CVE-2026-33825 · High · KEV · Apr 14, 2026
    risk 0.63 · cvss 7.8 · epss 0.07

    Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

  • CVE-2026-6356 · Critical · Apr 22, 2026
    risk 0.62 · cvss 9.6 · epss 0.00

    A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information.

  • CVE-2026-6388 · Critical · Apr 15, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient validation, the attacker can trigger…

  • CVE-2025-7493 · Critical · Sep 30, 2025
    risk 0.59 · cvss 9.1 · epss 0.01

    A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM…

  • CVE-2025-4404 · Critical · Jun 17, 2025
    risk 0.59 · cvss 9.1 · epss 0.02

    A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM…

  • CVE-2026-40365 · High · May 12, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  • CVE-2026-35436 · High · May 12, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

  • CVE-2024-21962 · High · May 15, 2026
    risk 0.56 · cvss n/a · epss 0.00

    Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.

  • CVE-2025-3648 · High · Jul 8, 2025
    risk 0.53 · cvss n/a · epss 0.02

    A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query…

  • CVE-2022-36110 · High · Sep 9, 2022
    risk 0.50 · cvss 8.8 · epss 0.01

    Netmaker makes networks with WireGuard. Prior to version 0.15.1, improper authorization in API functions lets non-privileged users run privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run…

  • CVE-2024-21947 · High · Sep 6, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level.

  • CVE-2025-22839 · High · Aug 12, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Insufficient granularity of access control in the OOB-MSM for some Intel(R) Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable escalation of privilege via adjacent access.

  • CVE-2023-31343 · High · Feb 11, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.

  • CVE-2023-31342 · High · Feb 11, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.

  • CVE-2025-20111 · High · Feb 26, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    A vulnerability in the health monitoring diagnostics of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the device to reload unexpectedly, resulting in a denial of service…

  • CVE-2021-46747 · High · Jun 1, 2026
    risk 0.46 · cvss n/a · epss 0.00

    Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures leading to a potential escalation of privileges.

  • CVE-2024-52799 · High · Nov 21, 2024
    risk 0.46 · cvss 8.2 · epss 0.00

    Argo Workflows Chart is used to set up Argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create on pods/exec, which allows `kubectl exec` into any Pod in the same namespace, i.e. arbitrary code…

  • CVE-2025-20628 · Medium · Apr 7, 2026
    risk 0.45 · cvss n/a · epss 0.00

    An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a…

  • CVE-2024-39279 · Medium · Feb 12, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient granularity of access control in UEFI firmware in some Intel(R) processors may allow an authenticated user to potentially enable denial of service via local access.