VYPR

CWE-648

Incorrect Use of Privileged APIs

BaseIncompleteLikelihood: Low

Description

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-107 · CAPEC-234

CVEs mapped to this weakness (31)

page 1 of 2
  • CVE-2023-4972CriSep 14, 2023
    risk 0.64cvss 9.8epss 0.01

    Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users. This issue affects Digital Yepas: before 1.0.1.

  • CVE-2026-41225CriMay 13, 2026
    risk 0.59cvss 9.1epss 0.00

    A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not…

  • CVE-2025-2311CriMar 20, 2025
    risk 0.59cvss 9.0epss 0.00

    Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information…

  • CVE-2024-37018CriMay 31, 2024
    risk 0.59cvss 9.1epss 0.00

    The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets.

  • CVE-2026-41329CriApr 21, 2026
    risk 0.57cvss 9.9epss 0.00

    OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve…

  • CVE-2025-5997HigJul 28, 2025
    risk 0.57cvss 8.8epss 0.00

    Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse. This issue affects PhishPro: before 7.5.4.2.

  • CVE-2025-7344HigJul 21, 2025
    risk 0.57cvss 8.8epss 0.01

    The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API.

  • CVE-2022-26323HigApr 17, 2025
    risk 0.57cvss epss 0.00

    Incorrect Use of Privileged APIs vulnerability in OpenText™ Operations Bridge Manager, OpenText™ Operations Bridge Suite (Containerized), OpenText™ UCMDB ( Classic and Containerized) allows Privilege Escalation.  The vulnerability could allow authenticated attackers to…

  • CVE-2026-41386CriApr 28, 2026
    risk 0.52cvss 9.1epss 0.00

    OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and…

  • CVE-2026-9560HigMay 26, 2026
    risk 0.51cvss 7.8epss 0.01

    Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel

  • CVE-2024-32008HigNov 11, 2025
    risk 0.51cvss 7.8epss 0.00

    A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to an exposed debug interface on the localhost. This allows any local user to gain code execution as…

  • CVE-2026-35669HigApr 10, 2026
    risk 0.50cvss 8.8epss 0.00

    OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated…

  • CVE-2026-35663HigApr 10, 2026
    risk 0.50cvss 8.8epss 0.00

    OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.

  • CVE-2026-35639HigApr 9, 2026
    risk 0.50cvss 8.8epss 0.00

    OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient…

  • CVE-2023-4993HigFeb 15, 2024
    risk 0.49cvss 7.5epss 0.00

    Incorrect Use of Privileged APIs vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by Users. This issue affects SoliPay Mobile App: before 5.0.8.

  • CVE-2023-6151HigNov 28, 2023
    risk 0.49cvss 7.5epss 0.01

    Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105.

  • CVE-2023-6150HigNov 28, 2023
    risk 0.49cvss 7.5epss 0.01

    Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105.

  • CVE-2026-20122MedKEVFeb 25, 2026
    risk 0.47cvss 5.4epss 0.07

    A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected…

  • CVE-2023-6522HigApr 5, 2024
    risk 0.47cvss 7.2epss 0.00

    Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3914.

  • CVE-2026-35645HigApr 9, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to…