CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-285
- CWE-286
- CWE-287
- CWE-282
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 45 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-36036 | Hig | 0.47 | 7.2 | 0.02 | Sep 6, 2023 | Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker… | ||
| CVE-2022-43759 | Hig | 0.47 | 7.2 | 0.01 | Feb 7, 2023 | A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to… | ||
| CVE-2016-5714 | Hig | 0.47 | 7.2 | 0.02 | Oct 18, 2017 | Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol… | ||
| CVE-2015-4649 | Hig | 0.47 | 7.2 | 0.02 | Aug 29, 2017 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-3654. | ||
| CVE-2015-3657 | Hig | 0.47 | 7.2 | 0.01 | Aug 29, 2017 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain "Super Admin" privileges via unspecified vectors. | ||
| CVE-2015-3654 | Hig | 0.47 | 7.2 | 0.02 | Aug 29, 2017 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-4649. | ||
| CVE-2015-3653 | Hig | 0.47 | 7.2 | 0.02 | Aug 29, 2017 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to write to arbitrary files within the underlying operating system and consequently cause a denial of service or gain privileges by leveraging incorrect… | ||
| CVE-2017-6016 | Hig | 0.47 | 7.3 | 0.00 | May 19, 2017 | An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA. The following versions are affected: Versions 4.1 and prior versions released before January 20, 2017. An Improper Access Control vulnerability has been… | ||
| CVE-2016-8032 | Hig | 0.47 | 7.3 | 0.00 | Mar 31, 2017 | Software Integrity Attacks vulnerability in Intel Security Anti-Virus Engine (AVE) 5200 through 5800 allows local attackers to bypass local security protection via a crafted input file. | ||
| CVE-2016-9111 | Med | 0.47 | 6.8 | 0.02 | Nov 7, 2016 | Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue,… | ||
| CVE-2016-3319 | Hig | 0.47 | 7.0 | 0.19 | Aug 9, 2016 | The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gold and 1511, and Microsoft Edge allows remote attackers to execute arbitrary code via a crafted PDF file, aka "Microsoft PDF Remote Code Execution Vulnerability." | ||
| CVE-2026-53855 | Hig | 0.46 | 8.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell… | ||
| CVE-2026-5230 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. | ||
| CVE-2026-45649 | Hig | 0.46 | 7.1 | 0.00 | Jun 9, 2026 | Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally. | ||
| CVE-2026-42863 | — | Hig | 0.46 | 8.1 | 0.00 | Jun 8, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as… | |
| CVE-2026-45707 | Hig | 0.46 | 8.1 | 0.00 | May 29, 2026 | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key… | ||
| CVE-2026-45301 | Hig | 0.46 | 8.1 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the… | ||
| CVE-2026-33377 | Hig | 0.46 | 7.1 | 0.00 | May 13, 2026 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege. | ||
| CVE-2026-41102 | Hig | 0.46 | 7.1 | 0.00 | May 12, 2026 | Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally. | ||
| CVE-2026-41101 | Hig | 0.46 | 7.1 | 0.00 | May 12, 2026 | Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally. |
- risk 0.47cvss 7.2epss 0.02
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker…
- risk 0.47cvss 7.2epss 0.01
A Improper Privilege Management vulnerability in SUSE Rancher, allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to…
- risk 0.47cvss 7.2epss 0.02
Puppet Enterprise 2015.3.3 and 2016.x before 2016.4.0, and Puppet Agent 1.3.6 through 1.7.0 allow remote attackers to bypass a host whitelist protection mechanism and execute arbitrary code on Puppet nodes via vectors related to command validation, aka "Puppet Execution Protocol…
- risk 0.47cvss 7.2epss 0.02
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-3654.
- risk 0.47cvss 7.2epss 0.01
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain "Super Admin" privileges via unspecified vectors.
- risk 0.47cvss 7.2epss 0.02
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-4649.
- risk 0.47cvss 7.2epss 0.02
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to write to arbitrary files within the underlying operating system and consequently cause a denial of service or gain privileges by leveraging incorrect…
- risk 0.47cvss 7.3epss 0.00
An Improper Access Control issue was discovered in LCDS - Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA. The following versions are affected: Versions 4.1 and prior versions released before January 20, 2017. An Improper Access Control vulnerability has been…
- risk 0.47cvss 7.3epss 0.00
Software Integrity Attacks vulnerability in Intel Security Anti-Virus Engine (AVE) 5200 through 5800 allows local attackers to bypass local security protection via a crafted input file.
- risk 0.47cvss 6.8epss 0.02
Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue,…
- risk 0.47cvss 7.0epss 0.19
The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gold and 1511, and Microsoft Edge allows remote attackers to execute arbitrary code via a crafted PDF file, aka "Microsoft PDF Remote Code Execution Vulnerability."
- risk 0.46cvss 8.1epss 0.00
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell…
- risk 0.46cvss 7.1epss 0.00
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
- risk 0.46cvss 7.1epss 0.00
Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.
- risk 0.46cvss 8.1epss 0.00
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as…
- risk 0.46cvss 8.1epss 0.00
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key…
- risk 0.46cvss 8.1epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the…
- risk 0.46cvss 7.1epss 0.00
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
- risk 0.46cvss 7.1epss 0.00
Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.
- risk 0.46cvss 7.1epss 0.00
Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.