CWE-648
Incorrect Use of Privileged APIs
Description
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
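As an added illustration (not code from any product listed on this page, nor from MITRE), the hypothetical Python service below shows the shape of this weakness: a privileged internal API whose documented requirement is that the caller authorize the acting principal for the requested object before invoking it, a request handler that skips that step, the corrected handler, and a design that moves the check into the privileged layer so the requirement cannot be forgotten. All names (`PrivilegedStore`, `SafeStore`, `can_read`, the record ids) and the data are constructed for the example; the pattern generalises the object-id lookups without a caller-permission check that several of the mapped CVEs describe.

```python
"""Added illustration of CWE-648 (constructed example; not from any product).

A hypothetical service exposes a privileged internal API whose documented
requirement is that the caller has ALREADY authorized the acting principal
for the requested object. A handler that skips that step is the weakness;
the two handlers after it show the fix and a design that makes the misuse
impossible. All names and data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str
    body: str


# Constructed data store, keyed by an opaque identifier that clients submit.
RECORDS = {
    "66a1": Record("66a1", "alice", "alice's quarterly plan"),
    "66a2": Record("66a2", "bob", "bob's private draft"),
}
# Constructed sharing table: principals granted read access besides the owner.
SHARES = {"66a1": frozenset({"carol"})}


class Forbidden(Exception):
    """Raised when the acting principal has no right to the object."""


def can_read(principal: str, record_id: str) -> bool:
    """Object-level authorization. Unknown ids are treated as 'no access'
    so a caller cannot probe for existence."""
    rec = RECORDS.get(record_id)
    return rec is not None and (
        rec.owner == principal or principal in SHARES.get(record_id, frozenset())
    )


class PrivilegedStore:
    """Privileged API running as the service identity.

    REQUIREMENT (the 'API requirement' CWE-648 talks about): callers must
    evaluate can_read() for the acting principal and stop on False before
    calling read_as_system(). This layer performs no per-user check itself.
    """

    def read_as_system(self, record_id: str) -> Record:
        return RECORDS[record_id]


store = PrivilegedStore()


def handle_read_vulnerable(principal: str, record_id: str) -> str:
    """Incorrect use: the request-supplied id goes straight to the privileged
    API, so any authenticated principal can read any record."""
    return store.read_as_system(record_id).body


def handle_read_fixed(principal: str, record_id: str) -> str:
    """Correct use: establish the API's precondition first and fail closed.
    A missing id also yields Forbidden rather than KeyError, so the error
    path does not distinguish 'absent' from 'not yours'."""
    if not can_read(principal, record_id):
        raise Forbidden(f"{principal} may not read {record_id}")
    return store.read_as_system(record_id).body


class SafeStore:
    """Stronger design: the privileged layer takes the principal and enforces
    the requirement itself, so there is no usage rule left to forget."""

    def read_for(self, principal: str, record_id: str) -> Record:
        if not can_read(principal, record_id):
            raise Forbidden(f"{principal} may not read {record_id}")
        return RECORDS[record_id]


def cross_tenant_leak(handler) -> bool:
    """Regression check: can bob read alice's unshared record through
    `handler`? True means the handler carries the weakness."""
    try:
        handler("bob", "66a1")
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_leak(handle_read_vulnerable))
    print("fixed handler leaks:     ", cross_tenant_leak(handle_read_fixed))
    print("carol (shared) reads:    ", handle_read_fixed("carol", "66a1"))
```

The `cross_tenant_leak` check is the kind of test worth keeping in a suite: it exercises the privileged API through every public entry point with a principal who should be refused, which is how incorrect use of the API surfaces in practice.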
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-107 (Cross Site Tracing) · CAPEC-234 (Hijacking a privileged process)
CVEs mapped to this weakness (31)
page 2 of 2

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-1161 | — | High | 0.46 | 7.1 | 0.00 | — | Dec 10, 2025 | Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025. |
| CVE-2026-35625 | — | High | 0.44 | 7.8 | 0.00 | — | Apr 9, 2026 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering local… |
| CVE-2024-53007 | — | Medium | 0.42 | 6.4 | 0.00 | — | Jan 31, 2025 | Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call. |
| CVE-2025-63291 | — | Medium | 0.35 | 5.4 | 0.00 | — | Nov 14, 2025 | When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object… |
| CVE-2026-22922 | — | — | 0.00 | — | 0.00 | — | Feb 9, 2026 | Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later,… |
| CVE-2024-46978 | — | — | 0.00 | — | 0.01 | — | Sep 18, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user… |
| CVE-2023-29507 | — | — | 0.00 | — | 0.01 | — | Apr 16, 2023 | XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is… |
| CVE-2022-4796 | — | — | 0.00 | — | 0.01 | — | Dec 28, 2022 | Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4805 | — | — | 0.00 | — | 0.01 | — | Dec 28, 2022 | Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4687 | — | — | 0.00 | — | 0.01 | — | Dec 23, 2022 | Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0. |
| CVE-2022-24821 | — | — | 0.00 | — | 0.01 | — | Apr 8, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed… |

Empty Vendor / Product and KEV cells carry no value on this page; the Severity band follows the CVSS score where one is recorded.