CWE-269
Improper Privilege Management
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (1,039)
page 42 of 52| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-64507 | 0.00 | — | 0.00 | Nov 10, 2025 | Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted`… | |||
| CVE-2025-64436 | 0.00 | — | 0.00 | Nov 7, 2025 | KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This… | |||
| CVE-2025-61786 | 0.00 | — | 0.00 | Oct 8, 2025 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`. It's possible to retrieve stats from files that the… | |||
| CVE-2025-58437 | 0.00 | — | 0.00 | Sep 6, 2025 | Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a… | |||
| CVE-2025-57759 | 0.00 | — | 0.00 | Aug 28, 2025 | Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and… | |||
| CVE-2025-57760 | 0.00 | — | 0.00 | Aug 25, 2025 | Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative… | |||
| CVE-2025-54996 | 0.00 | — | 0.00 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their… | |||
| CVE-2025-53942 | 0.00 | — | 0.00 | Jul 23, 2025 | authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked… | |||
| CVE-2025-5689 | 0.00 | — | 0.00 | Jun 16, 2025 | A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session. | |||
| CVE-2025-47283 | 0.00 | — | 0.01 | May 19, 2025 | Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener… | |||
| CVE-2025-32974 | 0.00 | — | 0.00 | Apr 30, 2025 | XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is… | |||
| CVE-2024-7039 | 0.00 | — | 0.01 | Mar 20, 2025 | In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is… | |||
| CVE-2025-29924 | 0.00 | — | 0.00 | Mar 19, 2025 | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view… | |||
| CVE-2024-24778 | 0.00 | — | 0.01 | Mar 3, 2025 | Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was know. This issue affects Apache StreamPipes: through 0.95.1. Users are recommended to upgrade to version 0.97.0 which fixes the issue. | |||
| CVE-2024-57604 | 0.00 | — | 0.01 | Feb 12, 2025 | An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component. | |||
| CVE-2024-57602 | 0.00 | — | 0.01 | Feb 12, 2025 | An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file. | |||
| CVE-2025-25202 | 0.00 | — | 0.00 | Feb 11, 2025 | Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy _or_ are manually revoking tokens are affected by… | |||
| CVE-2025-24805 | 0.00 | — | 0.00 | Feb 5, 2025 | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it… | |||
| CVE-2021-3978 | 0.00 | — | 0.00 | Jan 29, 2025 | When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow… | |||
| CVE-2025-24353 | 0.00 | — | 0.00 | Jan 23, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be… |
- CVE-2025-64507Nov 10, 2025risk 0.00cvss —epss 0.00
Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted`…
- CVE-2025-64436Nov 7, 2025risk 0.00cvss —epss 0.00
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This…
- CVE-2025-61786Oct 8, 2025risk 0.00cvss —epss 0.00
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`. It's possible to retrieve stats from files that the…
- CVE-2025-58437Sep 6, 2025risk 0.00cvss —epss 0.00
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a…
- CVE-2025-57759Aug 28, 2025risk 0.00cvss —epss 0.00
Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and…
- CVE-2025-57760Aug 25, 2025risk 0.00cvss —epss 0.00
Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative…
- CVE-2025-54996Aug 9, 2025risk 0.00cvss —epss 0.00
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their…
- CVE-2025-53942Jul 23, 2025risk 0.00cvss —epss 0.00
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked…
- CVE-2025-5689Jun 16, 2025risk 0.00cvss —epss 0.00
A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session.
- CVE-2025-47283May 19, 2025risk 0.00cvss —epss 0.01
Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 that could allow a user with administrative privileges for a Gardener…
- CVE-2025-32974Apr 30, 2025risk 0.00cvss —epss 0.00
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is…
- CVE-2024-7039Mar 20, 2025risk 0.00cvss —epss 0.01
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is…
- CVE-2025-29924Mar 19, 2025risk 0.00cvss —epss 0.00
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view…
- CVE-2024-24778Mar 3, 2025risk 0.00cvss —epss 0.01
Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was know. This issue affects Apache StreamPipes: through 0.95.1. Users are recommended to upgrade to version 0.97.0 which fixes the issue.
- CVE-2024-57604Feb 12, 2025risk 0.00cvss —epss 0.01
An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component.
- CVE-2024-57602Feb 12, 2025risk 0.00cvss —epss 0.01
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
- CVE-2025-25202Feb 11, 2025risk 0.00cvss —epss 0.00
Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy _or_ are manually revoking tokens are affected by…
- CVE-2025-24805Feb 5, 2025risk 0.00cvss —epss 0.00
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it…
- CVE-2021-3978Jan 29, 2025risk 0.00cvss —epss 0.00
When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow…
- CVE-2025-24353Jan 23, 2025risk 0.00cvss —epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be…