CWE-276
Incorrect Default Permissions
Description
During installation, installed file permissions are set to allow anyone to modify those files.
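The weakness in practice: a program writes a secret-bearing file (token cache, database, config) with whatever mode the process umask happens to leave, so other local users can read or replace it. The example below is added here for illustration and is not code from CWE or from any of the projects in the CVE list; the file names, the `demo()` helper and the 022 umask it assumes are illustrative. It shows the weak pattern beside a hardened one (create owner-only from the first instant, `O_EXCL` so a pre-planted file or symlink is not truncated or followed, `fchmod` so the umask cannot widen the mode), the "mode only applies to directories actually created" trap that `os.makedirs` shares with Go's `os.MkdirAll`, and a post-install audit that walks a tree for anything group- or world-accessible.

```python
"""CWE-276 worked example: weak vs hardened file creation, plus an install-tree audit.
Added illustration; not code from any project on this page. POSIX only."""
import os
import stat
import tempfile


def write_token_weak(path: str, token: str) -> int:
    """Vulnerable pattern: plain open() takes the mode from the process umask.
    With the common umask 022 the file lands at 0644, i.e. world-readable.
    Returns the resulting permission bits so callers can see what they got."""
    with open(path, "w") as fh:
        fh.write(token)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_token_secure(path: str, token: str) -> int:
    """Hardened pattern: the file is 0600 from creation (no window where it is
    wider), O_EXCL refuses a pre-existing file or symlink at that path, and
    fchmod pins 0600 even if the umask or an ACL default would differ."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:  # fdopen takes ownership of fd and closes it
        os.fchmod(fd, 0o600)
        fh.write(token)
    return stat.S_IMODE(os.stat(path).st_mode)


def ensure_private_dir(path: str) -> int:
    """os.makedirs(mode=0o700, exist_ok=True) does nothing to a directory that
    already exists: the mode argument only governs directories it creates.
    Same trap as Go's os.MkdirAll. Fix: chmod explicitly after the call."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def find_world_accessible(root: str) -> list[str]:
    """Post-install check: every file or directory under root (root itself
    excluded) on which group or other have any permission bit set.
    Symlinks are skipped because their own mode is meaningless."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            if stat.S_IMODE(os.stat(p).st_mode) & 0o077:
                findings.append(p)
    return sorted(findings)


def demo() -> dict:
    """Run both patterns in a scratch directory under an assumed umask of 022
    (restored afterwards) so the observed modes are deterministic.
    Returns the modes and the audit findings (base names only)."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = write_token_weak(os.path.join(d, "weak.cache"), "tok")
            secure = write_token_secure(os.path.join(d, "secure.cache"), "tok")
            sub = os.path.join(d, "data")
            os.mkdir(sub, 0o755)  # a pre-existing, too-open directory
            fixed = ensure_private_dir(sub)
            found = [os.path.basename(p) for p in find_world_accessible(d)]
            return {"weak": weak, "secure": secure, "dir": fixed, "findings": found}
    finally:
        os.umask(old)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

Under umask 022 the weak file comes out 0644, the hardened file 0600, the pre-existing directory is tightened to 0700, and the audit flags only `weak.cache`. The audit is the part worth keeping in a release pipeline: run it over the installed tree (or a container image layer) and fail the build on any hit that is not an intended world-readable asset.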
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-127 · CAPEC-81
CVEs mapped to this weakness (474)
page 18 of 24

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2024-23253 | Low | 0.21 | 3.3 | 0.00 | Mar 8, 2024 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.4. An app may be able to access a user's Photos Library. |
| CVE-2026-27680 | Low | 0.20 | 3.1 | 0.00 | May 14, 2026 | Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is… |
| CVE-2025-1699 | Low | 0.18 | 2.8 | 0.00 | Jun 11, 2025 | An incorrect default permissions vulnerability was reported in the MotoSignature application that could result in unauthorized access. |
| CVE-2025-49843 | Low | 0.11 | — | 0.01 | Jun 17, 2025 | conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_headers function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing… |
| CVE-2024-5967 | Low | 0.11 | 2.7 | 0.01 | Jun 18, 2024 | A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP… |
| CVE-2023-29923 | — | 0.07 | — | 0.10 | Apr 19, 2023 | PowerJob V4.3.1 is vulnerable to Insecure Permissions via the list job interface. |
| CVE-2015-7985 | — | 0.03 | — | 0.01 | Nov 24, 2015 | Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file. |
| CVE-2026-53870 | — | 0.00 | — | 0.00 | Jun 17, 2026 | Hermes Agent before 0.16.0 creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644), exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain… |
| CVE-2026-39398 | — | 0.00 | — | — | Apr 9, 2026 | Rejected reason: The affected product and advisory are not public. |
| CVE-2026-24780 | — | 0.00 | — | 0.01 | Jan 29, 2026 | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow… |
| CVE-2026-23634 | — | 0.00 | — | 0.00 | Jan 16, 2026 | Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new… |
| CVE-2025-55074 | — | 0.00 | — | 0.00 | Nov 18, 2025 | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects |
| CVE-2025-64436 | — | 0.00 | — | 0.00 | Nov 7, 2025 | KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This… |
| CVE-2025-59349 | — | 0.00 | — | 0.00 | Sep 17, 2025 | Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given… |
| CVE-2024-43166 | — | 0.00 | — | 0.01 | Sep 3, 2025 | Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue. |
| CVE-2025-52900 | — | 0.00 | — | 0.00 | Jun 26, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same… |
| CVE-2025-6264 | — | 0.00 | — | 0.01 | Jun 20, 2025 | Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions… |
| CVE-2025-49842 | Low | 0.00 | — | 0.00 | Jun 17, 2025 | conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the conda_forge_webservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases… |
| CVE-2024-53351 | — | 0.00 | — | 0.00 | Mar 21, 2025 | Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges. |
| CVE-2025-27154 | — | 0.00 | — | 0.01 | Feb 27, 2025 | Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600)… |