CWE-272
AllowedLeast Privilege Violation
Abstraction: Base · Status: Incomplete
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
54 vulnerabilities reference this CWE, most recent first.
GHSA-H64C-RQQH-Q3FP
Vulnerability from github – Published: 2024-08-20 12:30 – Updated: 2024-12-03 18:31Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2024-28829"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-20T10:15:05Z",
"severity": "MODERATE"
},
"details": "Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges.",
"id": "GHSA-h64c-rqqh-q3fp",
"modified": "2024-12-03T18:31:02Z",
"published": "2024-08-20T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28829"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J8PH-9C6M-2F5W
Vulnerability from github – Published: 2026-02-03 06:31 – Updated: 2026-02-06 21:30A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to “root” using the export option of seccertmgmt and seccryptocfg commands.
{
"affected": [],
"aliases": [
"CVE-2025-9711"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T06:15:53Z",
"severity": "HIGH"
},
"details": "A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to \u201croot\u201d using the export option of seccertmgmt and seccryptocfg commands.",
"id": "GHSA-j8ph-9c6m-2f5w",
"modified": "2026-02-06T21:30:48Z",
"published": "2026-02-03T06:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9711"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36852"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MXR3-8WHJ-J74R
Vulnerability from github – Published: 2025-04-22 01:07 – Updated: 2025-04-22 01:07Summary
Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction.
For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version v2.12.0.
Impact
An attacker with the ability to run their malicious code on a runner configured with disable-sudo: true can escalate privileges to root using Docker, defeating the intended security control.
Affected Configuration
• Harden-Runner configurations that use disable-sudo: true on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.
• This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.
Mitigation / Fix
This vulnerability has been fixed in Harden-Runner version v2.12.0. Users should migrate to the stronger disable-sudo-and-containers policy. This setting:
• Disables sudo access,
• Removes access to dockerd and containerd sockets,
• Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.
Additional Improvements
• The disable-sudo option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own.
• Harden-Runner now includes detections to alert on attempts to evade the disable-sudo policy.
Credits
Reported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "step-security/harden-runner"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "2.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32955"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-268",
"CWE-272"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-22T01:07:03Z",
"nvd_published_at": "2025-04-21T21:15:20Z",
"severity": "MODERATE"
},
"details": "### Summary\nHarden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. \n\nFor an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`.\n\n### Impact\nAn attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control.\n\n### Affected Configuration\n\u2022\tHarden-Runner configurations that use `disable-sudo: true` on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.\n\u2022\tThis issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.\n\n### Mitigation / Fix\nThis vulnerability has been fixed in Harden-Runner version `v2.12.0`. Users should migrate to the stronger `disable-sudo-and-containers` policy. This setting:\n\u2022\tDisables sudo access,\n\u2022\tRemoves access to dockerd and containerd sockets,\n\u2022\tUninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.\n\n\n### Additional Improvements\n\u2022\tThe `disable-sudo` option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. \n\u2022\tHarden-Runner now includes detections to alert on attempts to evade the `disable-sudo` policy.\n\n\n### Credits\nReported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.",
"id": "GHSA-mxr3-8whj-j74r",
"modified": "2025-04-22T01:07:03Z",
"published": "2025-04-22T01:07:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32955"
},
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/step-security/harden-runner"
},
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/releases/tag/v2.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Harden-Runner allows evasion of \u0027disable-sudo\u0027 policy"
}
GHSA-PMPQ-66CP-597X
Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-27 21:31The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.
{
"affected": [],
"aliases": [
"CVE-2025-59106"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T10:16:08Z",
"severity": "HIGH"
},
"details": "The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.",
"id": "GHSA-pmpq-66cp-597x",
"modified": "2026-01-27T21:31:46Z",
"published": "2026-01-26T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59106"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dkaccess"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/dormakaba"
},
{
"type": "WEB",
"url": "https://www.dormakabagroup.com/en/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PVJH-6P44-VCV3
Vulnerability from github – Published: 2025-07-23 03:32 – Updated: 2025-07-23 03:32The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their user meta information in the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator.
{
"affected": [],
"aliases": [
"CVE-2025-7722"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-23T03:15:25Z",
"severity": "HIGH"
},
"details": "The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their user meta information in the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator.",
"id": "GHSA-pvjh-6p44-vcv3",
"modified": "2025-07-23T03:32:05Z",
"published": "2025-07-23T03:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7722"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/social-streams/trunk/src/php/JsonAPI.php#275"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3f01b88-6f93-4ee8-8d59-9165ebcd4dd1?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWJH-HFQC-XGC7
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-39459"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:41Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-pwjh-hfqc-xgc7",
"modified": "2026-05-13T18:30:55Z",
"published": "2026-05-13T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39459"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000160863"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QRJ2-26JQ-RQ86
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41Veritas System Recovery before 23.2_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.
{
"affected": [],
"aliases": [
"CVE-2024-35204"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:39:42Z",
"severity": "HIGH"
},
"details": "Veritas System Recovery before 23.2_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.",
"id": "GHSA-qrj2-26jq-rq86",
"modified": "2024-07-03T18:41:21Z",
"published": "2024-05-14T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35204"
},
{
"type": "WEB",
"url": "https://www.veritas.com/content/support/en_US/article.100065391"
},
{
"type": "WEB",
"url": "https://www.veritas.com/support/en_US/security/VTS24-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R427-J2H7-WV3M
Vulnerability from github – Published: 2026-06-18 13:04 – Updated: 2026-06-18 13:04Impact
When only the Topic or only the User operators are deployed as part of the Entity Operator in the Kafka custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That might allow the ServiceAccount to access KafkaUser custom resources and Secrets when the User operator is not deployed and access KafkaTopic custom resources when the Topic operator is not deployed.
Patches
The issue is fixed in Strimzi 1.0.1 and 1.1.0.
Workarounds
There is no workaround for this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.strimzi:strimzi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55226"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-272"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:04:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen only the Topic or only the User operators are deployed as part of the Entity Operator in the `Kafka` custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That might allow the ServiceAccount to access `KafkaUser` custom resources and Secrets when the User operator is not deployed and access `KafkaTopic` custom resources when the Topic operator is not deployed.\n\n### Patches\n\nThe issue is fixed in Strimzi 1.0.1 and 1.1.0.\n\n### Workarounds\n\nThere is no workaround for this issue.",
"id": "GHSA-r427-j2h7-wv3m",
"modified": "2026-06-18T13:04:49Z",
"published": "2026-06-18T13:04:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-r427-j2h7-wv3m"
},
{
"type": "PACKAGE",
"url": "https://github.com/strimzi/strimzi-kafka-operator"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator"
}
GHSA-RG89-92M2-5HJ6
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 18:30A user with a default role given to them by the admin can sent DELETE HTTP requests to remove-folder and remove-document to delete folders and source files from the instance even when their role should explicitly not allow this action on the system.
{
"affected": [],
"aliases": [
"CVE-2024-0798"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:51Z",
"severity": "HIGH"
},
"details": "A user with a `default` role given to them by the admin can sent `DELETE` HTTP requests to `remove-folder` and `remove-document` to delete folders and source files from the instance even when their role should explicitly not allow this action on the system.",
"id": "GHSA-rg89-92m2-5hj6",
"modified": "2024-02-26T18:30:29Z",
"published": "2024-02-26T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0798"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3GW-R3Q8-W5VR
Vulnerability from github – Published: 2026-04-27 21:31 – Updated: 2026-04-27 21:31Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
{
"affected": [],
"aliases": [
"CVE-2026-32655"
],
"database_specific": {
"cwe_ids": [
"CWE-272"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-27T19:16:47Z",
"severity": "MODERATE"
},
"details": "Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.",
"id": "GHSA-v3gw-r3q8-w5vr",
"modified": "2026-04-27T21:31:02Z",
"published": "2026-04-27T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32655"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.