VYPR

CWE-1220

Insufficient Granularity of Access Control

Base · Incomplete

Description

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180

CVEs mapped to this weakness (47)

page 2 of 3
  • CVE-2023-32259 · Medium · Mar 19, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient Granularity of Access Control vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Service Management Automation X (SMAX)…

  • CVE-2024-39323 · High · Jul 2, 2024
    risk 0.39 · cvss 7.1 · epss 0.00

    aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end.…

  • CVE-2026-20107 · Medium · Feb 25, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. To exploit this…

  • CVE-2024-21971 · Medium · Feb 12, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows® system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.

  • CVE-2025-54461 · Medium · Oct 16, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.

  • CVE-2024-2412 · Medium · Mar 13, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.

  • CVE-2025-8306 · Medium · Jan 8, 2026
    risk 0.33 · cvss n/a · epss 0.00

    Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access…

  • CVE-2024-6696 · Medium · Feb 20, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control…

  • CVE-2026-0873 · Medium · Feb 4, 2026
    risk 0.31 · cvss n/a · epss 0.00

    On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in the Ercom Cryptobox administration console allow an authenticated entity administrator with knowledge to elevate their account to global administrator.

  • CVE-2025-48517 · Medium · Feb 10, 2026
    risk 0.30 · cvss n/a · epss 0.00

    Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.

  • CVE-2026-37981 · Medium · May 19, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for…

  • CVE-2025-48514 · Medium · Feb 10, 2026
    risk 0.26 · cvss n/a · epss 0.00

    Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.

  • CVE-2026-40690 · Medium · Apr 24, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized…

  • CVE-2026-38743 · Medium · Apr 24, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including their request parameters) and full…

  • CVE-2026-9088 · Low · Jun 5, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured…

  • CVE-2024-52814 · Low · Nov 22, 2024
    risk 0.11 · cvss 2.8 · epss 0.00

    Argo Helm is a collection of community maintained charts for `argoproj.github.io` projects. Prior to version 0.45.0, the `workflow-role` lacks granularity in its privileges, giving permissions to `workflowtasksets` and `workflowartifactgctasks` to all workflow Pods, when only…

  • CVE-2024-6867 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the…

  • CVE-2024-39324 · Jul 2, 2024
    risk 0.00 · cvss n/a · epss 0.00

    aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows editors to manage their own services via the GraphQL API, which isn't allowed in the JQAdm front end.…

  • CVE-2024-5389 · Jun 9, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the…

  • CVE-2024-2035 · Jun 6, 2024
    risk 0.00 · cvss n/a · epss 0.01

    An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user…