CWE-280
AllowedImproper Handling of Insufficient Permissions or Privileges
Abstraction: Base · Status: Draft
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
256 vulnerabilities reference this CWE, most recent first.
GHSA-JHJM-5XJG-MPQP
Vulnerability from github – Published: 2023-03-21 21:30 – Updated: 2025-02-26 22:17Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.xuxueli:xxl-job"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"last_affected": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27087"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-21T22:41:55Z",
"nvd_published_at": "2023-03-21T19:15:00Z",
"severity": "HIGH"
},
"details": "Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter.",
"id": "GHSA-jhjm-5xjg-mpqp",
"modified": "2025-02-26T22:17:31Z",
"published": "2023-03-21T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27087"
},
{
"type": "WEB",
"url": "https://github.com/xuxueli/xxl-job/issues/3096"
},
{
"type": "PACKAGE",
"url": "https://github.com/xuxueli/xxl-job"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Xuxueli xxl-job allows attacker to obtain sensitive information via the pageList parameter"
}
GHSA-JPGH-F7HM-PWMF
Vulnerability from github – Published: 2024-03-26 15:30 – Updated: 2024-03-26 15:30In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later.
{
"affected": [],
"aliases": [
"CVE-2023-41972"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-26T15:15:48Z",
"severity": "HIGH"
},
"details": "In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later.",
"id": "GHSA-jpgh-f7hm-pwmf",
"modified": "2024-03-26T15:30:50Z",
"published": "2024-03-26T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41972"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Windows\u0026applicable_version=4.3.0.121\u0026deployment_date=2023-09-01\u0026id=1463196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JVRP-C78H-QQVJ
Vulnerability from github – Published: 2025-06-27 18:30 – Updated: 2025-07-01 18:30Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU.
{
"affected": [],
"aliases": [
"CVE-2025-46708"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T17:15:33Z",
"severity": "MODERATE"
},
"details": "Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU.",
"id": "GHSA-jvrp-c78h-qqvj",
"modified": "2025-07-01T18:30:35Z",
"published": "2025-06-27T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46708"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M6F8-HJRV-MW5F
Vulnerability from github – Published: 2023-03-27 22:17 – Updated: 2023-03-27 22:17Impact
Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource, and each of these can have arbitrary values.
While not trivial to exploit, it could be achieved by brute-forcing or guessing common names.
Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security).
Patches
Apiman 3.1.0.Final and later resolves this issue.
Workarounds
Only provide Apiman Manager accounts to known users, do not allow anonymous/unknown users to create an Apiman Manager account.
Note that this does not affect the Apiman Gateway.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.0.0.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.apiman:apiman-manager-api-rest-impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28640"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-280",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-27T22:17:57Z",
"nvd_published_at": "2023-03-27T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nDue to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource, and each of these can have arbitrary values.\n\nWhile not trivial to exploit, it could be achieved by brute-forcing or guessing common names.\n\nAccess to the non-permitted API Keys could allow use of other users\u0027 resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security).\n\n### Patches\n\nApiman 3.1.0.Final and later resolves this issue. \n\n### Workarounds\n\nOnly provide Apiman Manager accounts to known users, do not allow anonymous/unknown users to create an Apiman Manager account.\n\nNote that this does **not** affect the Apiman Gateway.\n\n### References\n\n* [Blog post disclosing issue](https://www.apiman.io/blog/potential-permissions-bypass-disclosure/)\n",
"id": "GHSA-m6f8-hjrv-mw5f",
"modified": "2023-03-27T22:17:57Z",
"published": "2023-03-27T22:17:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apiman/apiman/security/advisories/GHSA-m6f8-hjrv-mw5f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28640"
},
{
"type": "PACKAGE",
"url": "https://github.com/apiman/apiman"
},
{
"type": "WEB",
"url": "https://www.apiman.io/blog/potential-permissions-bypass-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apiman vulnerable to permissions bypass due to missing check on API key URL"
}
GHSA-M6HC-99RM-C9WC
Vulnerability from github – Published: 2026-06-09 15:32 – Updated: 2026-06-09 15:32When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
{
"affected": [],
"aliases": [
"CVE-2026-11764"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T13:16:35Z",
"severity": "LOW"
},
"details": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.",
"id": "GHSA-m6hc-99rm-c9wc",
"modified": "2026-06-09T15:32:17Z",
"published": "2026-06-09T15:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11764"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M6W2-P258-GXQP
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-02 21:32A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.
{
"affected": [],
"aliases": [
"CVE-2026-2340"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:16:44Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Samba\u2019s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.",
"id": "GHSA-m6w2-p258-gxqp",
"modified": "2026-07-02T21:32:03Z",
"published": "2026-05-27T15:33:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2340"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22644"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22963"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25979"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28053"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28054"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28055"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28056"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28057"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29863"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-2340"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447318"
},
{
"type": "WEB",
"url": "https://bugzilla.samba.org/show_bug.cgi?id=15997"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8CJ-M32X-WPWV
Vulnerability from github – Published: 2022-02-08 00:00 – Updated: 2022-05-10 00:00NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-21814"
],
"database_specific": {
"cwe_ids": [
"CWE-280",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-07T20:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.",
"id": "GHSA-m8cj-m32x-wpwv",
"modified": "2022-05-10T00:00:49Z",
"published": "2022-02-08T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21814"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5312"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5321"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXG4-3MFG-79GM
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-01-13 06:30An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.
{
"affected": [],
"aliases": [
"CVE-2020-8219"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-30T13:15:00Z",
"severity": "MODERATE"
},
"details": "An insufficient permission check vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to change the password of a full administrator.",
"id": "GHSA-mxg4-3mfg-79gm",
"modified": "2024-01-13T06:30:22Z",
"published": "2022-05-24T17:24:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8219"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3PH-4R57-HH5X
Vulnerability from github – Published: 2026-05-07 12:31 – Updated: 2026-05-11 18:31Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.
{
"affected": [],
"aliases": [
"CVE-2026-6805"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T10:16:06Z",
"severity": "MODERATE"
},
"details": "Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.",
"id": "GHSA-p3ph-4r57-hh5x",
"modified": "2026-05-11T18:31:36Z",
"published": "2026-05-07T12:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6805"
},
{
"type": "WEB",
"url": "https://info.cryptobox.com/doc/v4.40/4.40.en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P4QH-CJ7J-R785
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-05-26 21:31Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-20817"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:08Z",
"severity": "HIGH"
},
"details": "Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-p4qh-cj7j-r785",
"modified": "2026-05-26T21:31:35Z",
"published": "2026-01-13T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20817"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20817"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-20817-detection-script-eop-vulnerabilit-in-windows-error-reporting"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-20817-mitigation-script-eop-vulnerability-in-windows-error-reporting"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.
No CAPEC attack patterns related to this CWE.