Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5451 vulnerabilities reference this CWE, most recent first.

GHSA-WP38-8HXJ-7V28

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08
VLAI
Details

An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory, aka 'Windows Client License Service Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-11T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory, aka \u0027Windows Client License Service Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-wp38-8hxj-7v28",
  "modified": "2022-05-24T17:08:28Z",
  "published": "2022-05-24T17:08:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0701"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0701"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WP7F-392C-HJ4C

Vulnerability from github – Published: 2026-02-15 06:31 – Updated: 2026-02-15 06:31
VLAI
Details

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-15T04:15:54Z",
    "severity": "HIGH"
  },
  "details": "The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the \u0027save_custom_user_profile_fields\u0027 function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the \u0027ec_store_admin_access\u0027 parameter during a profile update and gain store manager access to the site.",
  "id": "GHSA-wp7f-392c-hj4c",
  "modified": "2026-02-15T06:31:35Z",
  "published": "2026-02-15T06:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1750"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/ecwid-shopping-cart/tags/7.0.7/includes/class-ec-store-admin-access.php#L28"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3460721/ecwid-shopping-cart#file2"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d29f77c-b86d-4058-b528-27631e8a1f2e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP84-35M6-8R5H

Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2024-09-11 21:30
VLAI
Details

A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-25T18:17:31Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the ClearPass OnGuard Linux agent could\u00a0allow malicious users on a Linux instance to elevate their\u00a0user privileges to those of a higher role. A successful\u00a0exploit allows malicious users to execute arbitrary code\u00a0with root level privileges on the Linux instance.",
  "id": "GHSA-wp84-35m6-8r5h",
  "modified": "2024-09-11T21:30:35Z",
  "published": "2023-10-25T18:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43506"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPC2-299V-98F6

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26
VLAI
Details

CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-14T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.",
  "id": "GHSA-wpc2-299v-98f6",
  "modified": "2024-04-04T02:26:17Z",
  "published": "2022-05-24T16:58:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KPN-CISO/CVE-2019-9745/blob/master/README.md"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudcti.nl/Site/Security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPG9-4G4V-F9RC

Vulnerability from github – Published: 2026-03-03 21:32 – Updated: 2026-04-24 20:58
VLAI
Summary
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
Details

Summary

In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.

This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.

Security model note

OpenClaw’s documented trust model is a personal assistant model (one trusted operator), not an adversarial multi-user boundary.

  • OpenClaw does not treat one shared gateway/chat surface as a hardened per-user auth boundary.
  • Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.

This report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.

Details

Relevant path: 1. Voice transcript run omitted senderIsOwner in Discord voice manager. 2. Missing senderIsOwner defaulted to true in agentCommand. 3. Owner-only tool policy is keyed on senderIsOwner. 4. gateway and cron are owner-only tools.

Impact

  • Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.
  • No gateway-auth boundary bypass was required.
  • Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).

Severity rationale

Downgraded from high to medium to align with OpenClaw’s trust model and deployment assumptions: - Requires participation in the same voice environment as the trusted operator workflow. - Requires Discord voice path conditions (joined voice channel + transcript flow). - Does not introduce a new cross-gateway or unauthenticated boundary bypass.

Remediation

  • Always pass explicit senderIsOwner from Discord voice transcript ingress.
  • Fail closed (false) when owner status is unknown for non-local/chat ingress paths.
  • Keep regression tests that verify owner/non-owner voice speaker handling.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.3.1
  • Patched versions: >= 2026.3.2 (released)
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:32:25Z",
    "nvd_published_at": "2026-03-19T22:16:39Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn `openclaw@2026.3.1`, the Discord voice transcript path called `agentCommand(...)` without `senderIsOwner`, and `agentCommand` defaults missing `senderIsOwner` to `true`.\n\nThis could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (`gateway`, `cron`) during voice transcript turns.\n\n### Security model note\nOpenClaw\u2019s documented trust model is a **personal assistant** model (one trusted operator), not an adversarial multi-user boundary.\n\n- OpenClaw does **not** treat one shared gateway/chat surface as a hardened per-user auth boundary.\n- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.\n\nThis report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.\n\n### Details\nRelevant path:\n1. Voice transcript run omitted `senderIsOwner` in Discord voice manager.\n2. Missing `senderIsOwner` defaulted to `true` in `agentCommand`.\n3. Owner-only tool policy is keyed on `senderIsOwner`.\n4. `gateway` and `cron` are owner-only tools.\n\n### Impact\n- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.\n- No gateway-auth boundary bypass was required.\n- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).\n\n### Severity rationale\nDowngraded from high to **medium** to align with OpenClaw\u2019s trust model and deployment assumptions:\n- Requires participation in the same voice environment as the trusted operator workflow.\n- Requires Discord voice path conditions (joined voice channel + transcript flow).\n- Does not introduce a new cross-gateway or unauthenticated boundary bypass.\n\n### Remediation\n- Always pass explicit `senderIsOwner` from Discord voice transcript ingress.\n- Fail closed (`false`) when owner status is unknown for non-local/chat ingress paths.\n- Keep regression tests that verify owner/non-owner voice speaker handling.\n\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.1`\n- Patched versions: `\u003e= 2026.3.2` (released)",
  "id": "GHSA-wpg9-4g4v-f9rc",
  "modified": "2026-04-24T20:58:59Z",
  "published": "2026-03-03T21:32:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32035"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels"
}

GHSA-WPGR-JVP4-G62H

Vulnerability from github – Published: 2024-08-12 21:31 – Updated: 2024-08-13 21:31
VLAI
Details

An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-12T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.",
  "id": "GHSA-wpgr-jvp4-g62h",
  "modified": "2024-08-13T21:31:55Z",
  "published": "2024-08-12T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48171"
    },
    {
      "type": "WEB",
      "url": "https://gccybermonks.com/posts/defectdojo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPJV-J566-PFWC

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2024-01-04 03:30
VLAI
Details

An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) components handle objects in memory, aka 'Microsoft Office Click-to-Run Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) components handle objects in memory, aka \u0027Microsoft Office Click-to-Run Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-wpjv-j566-pfwc",
  "modified": "2024-01-04T03:30:37Z",
  "published": "2022-05-24T17:26:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1581"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPM2-8QVV-W4Q9

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-11-16 19:00
VLAI
Details

Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-29T09:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.",
  "id": "GHSA-wpm2-8qvv-w4q9",
  "modified": "2022-11-16T19:00:31Z",
  "published": "2022-05-24T17:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27655"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_20_14"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1066"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPM6-95M5-FPXF

Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-11 15:30
VLAI
Details

A logic issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18, watchOS 11, tvOS 18, macOS Sequoia 15. A malicious app may be able to modify other apps without having App Management permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-10T19:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A logic issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18, watchOS 11, tvOS 18, macOS Sequoia 15. A malicious app may be able to modify other apps without having App Management permission.",
  "id": "GHSA-wpm6-95m5-fpxf",
  "modified": "2025-03-11T15:30:58Z",
  "published": "2025-03-10T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54560"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121240"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121248"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPRM-2272-VJQG

Vulnerability from github – Published: 2025-10-28 21:30 – Updated: 2025-11-07 15:31
VLAI
Details

Local Privilege Escalation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T19:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "Local Privilege Escalation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .",
  "id": "GHSA-wprm-2272-vjqg",
  "modified": "2025-11-07T15:31:26Z",
  "published": "2025-10-28T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12425"
    },
    {
      "type": "WEB",
      "url": "https://azure-access.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.