CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1917 vulnerabilities reference this CWE, most recent first.
GHSA-J55V-W58W-8MXC
Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally be authorized to perform. Version of Command Centre affected: 9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.
{
"affected": [],
"aliases": [
"CVE-2026-26053"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T05:16:50Z",
"severity": "MODERATE"
},
"details": "An\u00a0Incorrect Privilege Assignment (CWE-266)\u00a0vulnerability in\u00a0the Command Centre Server\u00a0allows an\u00a0authenticated operator with limited privileges\u00a0to perform some operations that they would not normally be authorized to perform.\u00a0Version of Command Centre affected:\u00a09.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.",
"id": "GHSA-j55v-w58w-8mxc",
"modified": "2026-07-07T06:31:24Z",
"published": "2026-07-07T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26053"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-26053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J57C-VPQ3-6X56
Vulnerability from github – Published: 2024-12-18 21:30 – Updated: 2026-04-01 18:32Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.9.
{
"affected": [],
"aliases": [
"CVE-2024-54383"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T19:15:11Z",
"severity": "CRITICAL"
},
"details": "Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.9.",
"id": "GHSA-j57c-vpq3-6x56",
"modified": "2026-04-01T18:32:52Z",
"published": "2024-12-18T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54383"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/woocommerce-pdf-vouchers/vulnerability/wordpress-woocommerce-pdf-vouchers-plugin-4-9-9-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J584-J2VJ-3F93
Vulnerability from github – Published: 2024-06-20 16:19 – Updated: 2025-02-05 21:20Impact
When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.
To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}.
As an admin, go to the user profile and click the "Disable this account" button.
Then, reload the page. If the logs show attacker - Hello from Groovy! then the instance is vulnerable.
Patches
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Workarounds
We're not aware of any workaround except upgrading.
References
- https://jira.xwiki.org/browse/XWIKI-21611
- https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 13.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "13.4.7"
},
{
"fixed": "14.10.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "13.10.3"
},
{
"fixed": "14.10.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.10.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-rc-1"
},
{
"fixed": "16.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37899"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-20T16:19:14Z",
"nvd_published_at": "2024-06-20T23:15:52Z",
"severity": "CRITICAL"
},
"details": "### Impact\nWhen an admin disables a user account, the user\u0027s profile is executed with the admin\u0027s rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.\n\nTo reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger(\"attacker\").error(\"Hello from Groovy!\"){{/groovy}}`.\nAs an admin, go to the user profile and click the \"Disable this account\" button.\nThen, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable.\n\n### Patches\nThis has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.\n\n### Workarounds\nWe\u0027re not aware of any workaround except upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21611\n* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "GHSA-j584-j2vj-3f93",
"modified": "2025-02-05T21:20:52Z",
"published": "2024-06-20T16:19:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37899"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/046c36519a2df392c922c16d0d38472b98c414d0"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/233b08b26580df4b7a595882dac65ed4e4a2419c"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/2b55c29562ccd20f8f0f85075f0c95b4ee9cd9be"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/f8409419c5d0ddefe1bee55e73629a54275fa735"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21611"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform allows remote code execution from user account"
}
GHSA-J5M3-H4XF-6RR9
Vulnerability from github – Published: 2025-09-05 15:31 – Updated: 2026-04-01 18:36Incorrect Privilege Assignment vulnerability in John Luetke Media Author allows Privilege Escalation. This issue affects Media Author: from n/a through 1.0.4.
{
"affected": [],
"aliases": [
"CVE-2025-58841"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T14:15:57Z",
"severity": "MODERATE"
},
"details": "Incorrect Privilege Assignment vulnerability in John Luetke Media Author allows Privilege Escalation. This issue affects Media Author: from n/a through 1.0.4.",
"id": "GHSA-j5m3-h4xf-6rr9",
"modified": "2026-04-01T18:36:05Z",
"published": "2025-09-05T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58841"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/media-author/vulnerability/wordpress-media-author-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J646-J4CF-JJ5H
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-01 18:35Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.
{
"affected": [],
"aliases": [
"CVE-2025-39489"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T13:15:30Z",
"severity": "CRITICAL"
},
"details": "Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation. This issue affects CouponXL: from n/a through 4.5.0.",
"id": "GHSA-j646-j4cf-jj5h",
"modified": "2026-04-01T18:35:14Z",
"published": "2025-05-23T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39489"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/couponxl/vulnerability/wordpress-couponxl-4-5-0-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J6M2-HPV6-29C4
Vulnerability from github – Published: 2026-06-01 06:30 – Updated: 2026-06-01 06:30A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug.
{
"affected": [],
"aliases": [
"CVE-2026-10218"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T04:16:20Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug.",
"id": "GHSA-j6m2-hpv6-29c4",
"modified": "2026-06-01T06:30:25Z",
"published": "2026-06-01T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10218"
},
{
"type": "WEB",
"url": "https://github.com/nextlevelbuilder/goclaw/issues/1120"
},
{
"type": "WEB",
"url": "https://github.com/nextlevelbuilder/goclaw"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-10218"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/821938"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367497"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367497/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J6Q4-MVCW-HPGM
Vulnerability from github – Published: 2026-01-19 09:30 – Updated: 2026-02-23 09:31A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.
{
"affected": [],
"aliases": [
"CVE-2026-1141"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-19T07:16:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.",
"id": "GHSA-j6q4-mvcw-hpgm",
"modified": "2026-02-23T09:31:21Z",
"published": "2026-01-19T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1141"
},
{
"type": "WEB",
"url": "https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul"
},
{
"type": "WEB",
"url": "https://phpgurukul.com"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.341733"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.341733"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.735483"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.736668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J79V-M8QF-H9JX
Vulnerability from github – Published: 2025-09-26 00:31 – Updated: 2025-09-26 00:31A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10979"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T23:15:48Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in JeecgBoot up to 3.8.2. The impacted element is an unknown function of the file /sys/role/exportXls. This manipulation causes improper authorization. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-j79v-m8qf-h9jx",
"modified": "2025-09-26T00:31:19Z",
"published": "2025-09-26T00:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10979"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325850"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325850"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.653337"
},
{
"type": "WEB",
"url": "https://www.cnblogs.com/aibot/p/19063353"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J7J8-2M3C-HF7J
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 21:31Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4.
{
"affected": [],
"aliases": [
"CVE-2026-32520"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:17:04Z",
"severity": "CRITICAL"
},
"details": "Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through \u003c= 1.0.4.",
"id": "GHSA-j7j8-2m3c-hf7j",
"modified": "2026-03-26T21:31:25Z",
"published": "2026-03-25T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32520"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/rewardswp/vulnerability/wordpress-rewardswp-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J824-HJ46-XVFV
Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-05 18:31A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-11336"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T16:16:41Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-j824-hj46-xvfv",
"modified": "2026-06-05T18:31:39Z",
"published": "2026-06-05T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11336"
},
{
"type": "WEB",
"url": "https://github.com/tittuvarghese/CollegeManagementSystem/issues/5"
},
{
"type": "WEB",
"url": "https://github.com/tittuvarghese/CollegeManagementSystem"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-11336"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/832582"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/368874"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/368874/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.