CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-285
- CWE-286
- CWE-287
- CWE-282
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 50 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-9692 | Med | 0.45 | — | 0.00 | Oct 24, 2024 | VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations. | ||
| CVE-2024-21644 | Hig | 0.45 | 7.5 | 0.42 | Jan 8, 2024 | pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77. | ||
| CVE-2020-5244 | Hig | 0.45 | 8.0 | 0.02 | Feb 24, 2020 | In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2. | ||
| CVE-2019-3895 | Hig | 0.45 | 8.0 | 0.01 | Jun 3, 2019 | An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image… | ||
| CVE-2016-2167 | Med | 0.45 | 6.8 | 0.07 | May 5, 2016 | The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of… | ||
| CVE-2026-36933 | Med | 0.44 | 6.8 | 0.00 | Jun 15, 2026 | An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature. | ||
| CVE-2026-36738 | Med | 0.44 | 6.8 | 0.00 | May 13, 2026 | U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Incorrect Access Control. The device exposes a UART interface that lacks authentication, authorization, or access control mechanisms. An attacker with physical access to the UART pins can connect to the… | ||
| CVE-2026-1749 | Med | 0.44 | 6.8 | 0.00 | May 9, 2026 | There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission. | ||
| CVE-2026-44118 | Hig | 0.44 | 7.8 | 0.00 | May 6, 2026 | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. | ||
| CVE-2026-34325 | Med | 0.44 | 6.8 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows… | ||
| CVE-2026-34314 | Med | 0.44 | 6.8 | 0.00 | Apr 21, 2026 | Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low… | ||
| CVE-2026-4105 | Med | 0.44 | 6.7 | 0.00 | Mar 13, 2026 | A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to… | ||
| CVE-2025-14095 | — | Med | 0.44 | 6.8 | 0.00 | Dec 17, 2025 | A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer, the possibility to gain unauthorized access to functionalities outside the restricted… | |
| CVE-2025-22391 | Med | 0.44 | 6.7 | 0.00 | Nov 11, 2025 | Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result… | ||
| CVE-2025-8762 | Med | 0.44 | 6.8 | 0.00 | Aug 13, 2025 | A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has… | ||
| CVE-2025-20099 | Med | 0.44 | 6.7 | 0.00 | Aug 12, 2025 | Improper access control for some Intel(R) Rapid Storage Technology installation software may allow an authenticated user to potentially enable escalation of privilege via local access. | ||
| CVE-2023-28907 | Med | 0.44 | 6.7 | 0.00 | Jun 28, 2025 | There is no memory isolation between CPU cores of the MIB3 infotainment. This fact allows an attacker with access to the main operating system to compromise the CPU core responsible for CAN message processing. The vulnerability was originally discovered in Skoda Superb III car… | ||
| CVE-2024-45371 | Med | 0.44 | 6.7 | 0.00 | May 13, 2025 | Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6077 may allow an authenticated user to potentially enable denial of service via local access. | ||
| CVE-2025-24272 | Med | 0.44 | 6.8 | 0.01 | Mar 31, 2025 | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to modify protected parts of the file system. | ||
| CVE-2024-34022 | Med | 0.44 | 6.7 | 0.00 | Nov 13, 2024 | Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access. |
- risk 0.45cvss —epss 0.00
VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.
- risk 0.45cvss 7.5epss 0.42
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
- risk 0.45cvss 8.0epss 0.02
In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2.
- risk 0.45cvss 8.0epss 0.01
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image…
- risk 0.45cvss 6.8epss 0.07
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of…
- risk 0.44cvss 6.8epss 0.00
An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.
- risk 0.44cvss 6.8epss 0.00
U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Incorrect Access Control. The device exposes a UART interface that lacks authentication, authorization, or access control mechanisms. An attacker with physical access to the UART pins can connect to the…
- risk 0.44cvss 6.8epss 0.00
There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission.
- risk 0.44cvss 7.8epss 0.00
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.
- risk 0.44cvss 6.8epss 0.00
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows…
- risk 0.44cvss 6.8epss 0.00
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low…
- risk 0.44cvss 6.7epss 0.00
A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to…
- risk 0.44cvss 6.8epss 0.00
A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer, the possibility to gain unauthorized access to functionalities outside the restricted…
- risk 0.44cvss 6.7epss 0.00
Improper access control for some SigTest before version 6.1.10 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result…
- risk 0.44cvss 6.8epss 0.00
A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has…
- risk 0.44cvss 6.7epss 0.00
Improper access control for some Intel(R) Rapid Storage Technology installation software may allow an authenticated user to potentially enable escalation of privilege via local access.
- risk 0.44cvss 6.7epss 0.00
There is no memory isolation between CPU cores of the MIB3 infotainment. This fact allows an attacker with access to the main operating system to compromise the CPU core responsible for CAN message processing. The vulnerability was originally discovered in Skoda Superb III car…
- risk 0.44cvss 6.7epss 0.00
Improper access control for some Intel(R) Arc™ & Iris(R) Xe graphics software before version 32.0.101.6077 may allow an authenticated user to potentially enable denial of service via local access.
- risk 0.44cvss 6.8epss 0.01
The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to modify protected parts of the file system.
- risk 0.44cvss 6.7epss 0.00
Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access.