CWE-268
AllowedPrivilege Chaining
Abstraction: Base · Status: Draft
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.
45 vulnerabilities reference this CWE, most recent first.
GHSA-MXR3-8WHJ-J74R
Vulnerability from github – Published: 2025-04-22 01:07 – Updated: 2025-04-22 01:07Summary
Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction.
For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version v2.12.0.
Impact
An attacker with the ability to run their malicious code on a runner configured with disable-sudo: true can escalate privileges to root using Docker, defeating the intended security control.
Affected Configuration
• Harden-Runner configurations that use disable-sudo: true on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.
• This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.
Mitigation / Fix
This vulnerability has been fixed in Harden-Runner version v2.12.0. Users should migrate to the stronger disable-sudo-and-containers policy. This setting:
• Disables sudo access,
• Removes access to dockerd and containerd sockets,
• Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.
Additional Improvements
• The disable-sudo option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own.
• Harden-Runner now includes detections to alert on attempts to evade the disable-sudo policy.
Credits
Reported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "step-security/harden-runner"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "2.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32955"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-268",
"CWE-272"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-22T01:07:03Z",
"nvd_published_at": "2025-04-21T21:15:20Z",
"severity": "MODERATE"
},
"details": "### Summary\nHarden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. \n\nFor an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`.\n\n### Impact\nAn attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control.\n\n### Affected Configuration\n\u2022\tHarden-Runner configurations that use `disable-sudo: true` on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.\n\u2022\tThis issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.\n\n### Mitigation / Fix\nThis vulnerability has been fixed in Harden-Runner version `v2.12.0`. Users should migrate to the stronger `disable-sudo-and-containers` policy. This setting:\n\u2022\tDisables sudo access,\n\u2022\tRemoves access to dockerd and containerd sockets,\n\u2022\tUninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.\n\n\n### Additional Improvements\n\u2022\tThe `disable-sudo` option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. \n\u2022\tHarden-Runner now includes detections to alert on attempts to evade the `disable-sudo` policy.\n\n\n### Credits\nReported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.",
"id": "GHSA-mxr3-8whj-j74r",
"modified": "2025-04-22T01:07:03Z",
"published": "2025-04-22T01:07:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32955"
},
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/step-security/harden-runner"
},
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/releases/tag/v2.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Harden-Runner allows evasion of \u0027disable-sudo\u0027 policy"
}
GHSA-R35R-4X8R-V472
Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-7973"
],
"database_specific": {
"cwe_ids": [
"CWE-268"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T14:15:35Z",
"severity": "HIGH"
},
"details": "A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.",
"id": "GHSA-r35r-4x8r-v472",
"modified": "2025-08-14T15:30:45Z",
"published": "2025-08-14T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7973"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1738.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WVF7-CF8R-8FW5
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-06-01 09:31Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.
{
"affected": [],
"aliases": [
"CVE-2026-32325"
],
"database_specific": {
"cwe_ids": [
"CWE-268"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T09:16:16Z",
"severity": "HIGH"
},
"details": "Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.",
"id": "GHSA-wvf7-cf8r-8fw5",
"modified": "2026-06-01T09:31:13Z",
"published": "2026-06-01T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32325"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN67883085"
},
{
"type": "WEB",
"url": "https://www.fsastech.com/ja-jp/resources/security/2026/0529.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XPFF-C35G-J3CR
Vulnerability from github – Published: 2024-05-27 22:28 – Updated: 2024-05-27 22:28A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.
CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.7-rc1"
},
{
"fixed": "3.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0-rc1"
},
{
"fixed": "3.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-rc1"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-rc1"
},
{
"fixed": "4.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-268"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-27T22:28:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A member with the permission `EDIT_PERMISSIONS` and access to the \"Security\" section is able to re-assign themselves (or another member) to `ADMIN` level.\n\nCMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.",
"id": "GHSA-xpff-c35g-j3cr",
"modified": "2024-05-27T22:28:13Z",
"published": "2024-05-27T22:28:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/577138882163e4b8782ea043487944d30d88e753"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/e409d6f673c49846086b23677aecdc3fde5fc4d5"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-001-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/ss-2018-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "silverstripe/framework Privilege Escalation Risk in Member Edit form"
}
GHSA-XQ83-M7PG-GG42
Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device.
This vulnerability is due to excessive permissions that have been assigned to system commands. An attacker could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of an affected device. To successfully exploit this vulnerability, an attacker would need administrative access to the ESXi hypervisor.
{
"affected": [],
"aliases": [
"CVE-2025-20112"
],
"database_specific": {
"cwe_ids": [
"CWE-268"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T17:15:55Z",
"severity": "MODERATE"
},
"details": "A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device.\n\nThis vulnerability is due to excessive permissions that have been assigned to system commands.\u0026nbsp;An attacker could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of an affected device. To successfully exploit this vulnerability, an attacker would need administrative access to the ESXi hypervisor.",
"id": "GHSA-xq83-m7pg-gg42",
"modified": "2025-05-21T18:33:30Z",
"published": "2025-05-21T18:33:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20112"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-kkhZbHR5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.