CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-285
- CWE-286
- CWE-287
- CWE-282
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 12 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-7408 | Hig | 0.58 | 8.8 | 0.04 | Mar 3, 2017 | The dbclient in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via a crafted (1) -m or (2) -c argument. | ||
| CVE-2016-4286 | Hig | 0.58 | 8.8 | 0.06 | Oct 13, 2016 | Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185 on Windows and OS X and before 11.2.202.637 on Linux allows attackers to bypass intended access restrictions via unspecified vectors. | ||
| CVE-2016-0183 | Hig | 0.58 | 8.8 | 0.16 | May 11, 2016 | The Windows font library in Microsoft Office 2010 SP2, Word 2010 SP2, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Microsoft Office Graphics RCE… | ||
| CVE-2026-50884 | Hig | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components. | ||
| CVE-2026-50564 | Cri | 0.57 | 9.9 | 0.00 | Jun 10, 2026 | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the… | ||
| CVE-2026-50563 | Cri | 0.57 | 9.9 | 0.00 | Jun 10, 2026 | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it… | ||
| CVE-2026-50545 | Cri | 0.57 | 9.9 | 0.00 | Jun 10, 2026 | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec… | ||
| CVE-2026-46614 | Cri | 0.57 | 9.8 | 0.00 | Jun 10, 2026 | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/ and… | ||
| CVE-2026-11179 | Hig | 0.57 | 8.8 | 0.00 | Jun 4, 2026 | Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-5228 | Hig | 0.57 | 8.8 | 0.00 | Jun 4, 2026 | Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026. | ||
| CVE-2026-42074 | Cri | 0.57 | 9.8 | 0.01 | Jun 2, 2026 | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own… | ||
| CVE-2026-9614 | Hig | 0.57 | 8.8 | 0.01 | Jun 1, 2026 | An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access. | ||
| CVE-2026-46827 | Hig | 0.57 | 8.8 | 0.00 | May 28, 2026 | Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle… | ||
| CVE-2026-44926 | Hig | 0.57 | 8.8 | 0.00 | May 20, 2026 | InfoScale CmdServer before 7.4.2 mishandles access control. | ||
| CVE-2026-44774 | Cri | 0.57 | 9.9 | 0.00 | May 15, 2026 | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The… | ||
| CVE-2024-36323 | — | Hig | 0.57 | — | 0.00 | May 15, 2026 | Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned a victim VM/process, potentially gaining arbitrary read/write access to the victim… | |
| CVE-2026-41086 | Hig | 0.57 | 8.8 | 0.00 | May 12, 2026 | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-40420 | Hig | 0.57 | 8.8 | 0.00 | May 12, 2026 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally. | ||
| CVE-2025-43524 | Hig | 0.57 | 8.8 | 0.00 | May 12, 2026 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox. | ||
| CVE-2026-20887 | Hig | 0.57 | — | 0.00 | May 12, 2026 | Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This… |
- risk 0.58cvss 8.8epss 0.04
The dbclient in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via a crafted (1) -m or (2) -c argument.
- risk 0.58cvss 8.8epss 0.06
Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185 on Windows and OS X and before 11.2.202.637 on Linux allows attackers to bypass intended access restrictions via unspecified vectors.
- risk 0.58cvss 8.8epss 0.16
The Windows font library in Microsoft Office 2010 SP2, Word 2010 SP2, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Microsoft Office Graphics RCE…
- risk 0.57cvss 8.8epss 0.00
Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.
- risk 0.57cvss 9.9epss 0.00
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the…
- risk 0.57cvss 9.9epss 0.00
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it…
- risk 0.57cvss 9.9epss 0.00
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec…
- risk 0.57cvss 9.8epss 0.00
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/ and…
- risk 0.57cvss 8.8epss 0.00
Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.57cvss 8.8epss 0.00
Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.
- risk 0.57cvss 9.8epss 0.01
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own…
- risk 0.57cvss 8.8epss 0.01
An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.
- risk 0.57cvss 8.8epss 0.00
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle…
- risk 0.57cvss 8.8epss 0.00
InfoScale CmdServer before 7.4.2 mishandles access control.
- risk 0.57cvss 9.9epss 0.00
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The…
- risk 0.57cvss —epss 0.00
Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned a victim VM/process, potentially gaining arbitrary read/write access to the victim…
- risk 0.57cvss 8.8epss 0.00
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
- risk 0.57cvss 8.8epss 0.00
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
- risk 0.57cvss 8.8epss 0.00
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox.
- risk 0.57cvss —epss 0.00
Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This…