CWE-269
Improper Privilege Management
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (1,039)
page 17 of 52| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10602 | — | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | haxe is a cross-platform toolkit haxe downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the… | |
| CVE-2016-10594 | Hig | 0.53 | 8.1 | 0.01 | Jun 1, 2018 | ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks. | ||
| CVE-2016-10585 | — | Hig | 0.53 | 8.1 | 0.02 | Jun 1, 2018 | libxl provides Node bindings for the libxl library for reading and writing excel (XLS and XLSX) spreadsheets. libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the… | |
| CVE-2016-10593 | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled… | ||
| CVE-2016-10591 | — | Hig | 0.53 | 8.1 | 0.02 | May 29, 2018 | Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML via prince(1) CLI. prince downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an… | |
| CVE-2017-1000241 | Hig | 0.53 | 8.1 | 0.01 | Nov 17, 2017 | The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability can allow an authenticated non-administrator users to view and modify information only accessible to administrators. | ||
| CVE-2017-9940 | Hig | 0.53 | 8.1 | 0.01 | Aug 8, 2017 | A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker with access to a low-privileged user account to read or write files on the file system of the SiPass integrated server over the network. | ||
| CVE-2017-7922 | Hig | 0.53 | 7.6 | 0.10 | Jun 21, 2017 | An Improper Privilege Management issue was discovered in Cambium Networks ePMP. The privileges for SNMP community strings are not properly restricted, which may allow an attacker to gain access to sensitive information and possibly allow for configuration changes. | ||
| CVE-2016-3169 | Hig | 0.53 | 8.1 | 0.02 | Apr 12, 2016 | The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array. | ||
| CVE-2026-10868 | Cri | 0.52 | — | 0.00 | Jun 4, 2026 | A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An… | ||
| CVE-2026-47413 | cri | 0.52 | — | 0.00 | Jun 1, 2026 | ## Summary **Type:** Privilege escalation / cross-tenant member injection. The `POST /workspaces/{workspace_id}/members` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`) and forwards the request body's `user_id` and `role`… | ||
| CVE-2026-47416 | cri | 0.52 | — | 0.00 | May 29, 2026 | ## Summary **Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` endpoint is gated by `require_workspace_member(workspace_id)`, which defaults to `min_role="member"` and is never overridden by the route. The handler then calls… | ||
| CVE-2026-47407 | cri | 0.52 | — | 0.00 | May 29, 2026 | ## Summary The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_id)` FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The… | ||
| CVE-2026-43534 | Cri | 0.52 | 9.1 | 0.00 | May 5, 2026 | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. | ||
| CVE-2026-41386 | Cri | 0.52 | 9.1 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and… | ||
| CVE-2026-40572 | Cri | 0.52 | 9.0 | 0.00 | Apr 18, 2026 | NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions,… | ||
| CVE-2026-40484 | Cri | 0.52 | 9.1 | 0.01 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which… | ||
| CVE-2025-54594 | Cri | 0.52 | 9.1 | 0.00 | Aug 6, 2025 | react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a… | ||
| CVE-2025-7341 | Cri | 0.52 | 9.1 | 0.01 | Jul 15, 2025 | The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This… | ||
| CVE-2024-22036 | Cri | 0.52 | 9.1 | 0.01 | Apr 16, 2025 | A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land… |
- risk 0.53cvss 8.1epss 0.02
haxe is a cross-platform toolkit haxe downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the…
- risk 0.53cvss 8.1epss 0.01
ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- risk 0.53cvss 8.1epss 0.02
libxl provides Node bindings for the libxl library for reading and writing excel (XLS and XLSX) spreadsheets. libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the…
- risk 0.53cvss 8.1epss 0.02
ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…
- risk 0.53cvss 8.1epss 0.02
Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML via prince(1) CLI. prince downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an…
- risk 0.53cvss 8.1epss 0.01
The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability can allow an authenticated non-administrator users to view and modify information only accessible to administrators.
- risk 0.53cvss 8.1epss 0.01
A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker with access to a low-privileged user account to read or write files on the file system of the SiPass integrated server over the network.
- risk 0.53cvss 7.6epss 0.10
An Improper Privilege Management issue was discovered in Cambium Networks ePMP. The privileges for SNMP community strings are not properly restricted, which may allow an attacker to gain access to sensitive information and possibly allow for configuration changes.
- risk 0.53cvss 8.1epss 0.02
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
- risk 0.52cvss —epss 0.00
A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An…
- risk 0.52cvss —epss 0.00
## Summary **Type:** Privilege escalation / cross-tenant member injection. The `POST /workspaces/{workspace_id}/members` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role="member"`) and forwards the request body's `user_id` and `role`…
- risk 0.52cvss —epss 0.00
## Summary **Type:** Vertical privilege escalation. The `PATCH /workspaces/{workspace_id}/members/{user_id}` endpoint is gated by `require_workspace_member(workspace_id)`, which defaults to `min_role="member"` and is never overridden by the route. The handler then calls…
- risk 0.52cvss —epss 0.00
## Summary The Platform server exposes resources under `/api/v1/workspaces/{workspace_id}/...` and protects them with a `require_workspace_member(workspace_id)` FastAPI dependency. The dependency only checks that the caller is a member of the workspace_id in the URL prefix. The…
- risk 0.52cvss 9.1epss 0.00
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
- risk 0.52cvss 9.1epss 0.00
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and…
- risk 0.52cvss 9.0epss 0.00
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions,…
- risk 0.52cvss 9.1epss 0.01
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which…
- risk 0.52cvss 9.1epss 0.00
react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a…
- risk 0.52cvss 9.1epss 0.01
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This…
- risk 0.52cvss 9.1epss 0.01
A vulnerability has been identified within Rancher where a cluster or node driver can be used to escape the chroot jail and gain root access to the Rancher container itself. In production environments, further privilege escalation is possible based on living off the land…