CWE-280
AllowedImproper Handling of Insufficient Permissions or Privileges
Abstraction: Base · Status: Draft
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
256 vulnerabilities reference this CWE, most recent first.
GHSA-P5GM-92H4-6PV6
Vulnerability from github – Published: 2026-05-08 20:21 – Updated: 2026-06-08 19:55Impact
The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
Site owners using Wagtail's API can avoid the vulnerability by adding authentication to the Documents and Images APIs.
Acknowledgements
Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to security@wagtail.org (view the security policy for more information).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "7.1"
},
{
"fixed": "7.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44201"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T20:21:38Z",
"nvd_published_at": "2026-05-11T16:17:35Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe Documents and Images [API](https://docs.wagtail.org/en/stable/advanced_topics/api/index.html) incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.\n\n### Patches\n\nPatched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.\n\n### Workarounds\n\nSite owners using Wagtail\u0027s API can avoid the vulnerability by adding [authentication](https://docs.wagtail.org/en/stable/advanced_topics/api/v2/configuration.html#authentication) to the Documents and Images APIs.\n\n\n### Acknowledgements\n\nWagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.\n\n### For more information\nIf there are any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.org/en/stable/support.html)\n* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
"id": "GHSA-p5gm-92h4-6pv6",
"modified": "2026-06-08T19:55:51Z",
"published": "2026-05-08T20:21:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/wagtail/wagtail"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Wagtail has improper restriction handling on Documents and Images API"
}
GHSA-PC2J-FVGW-H6VH
Vulnerability from github – Published: 2025-05-13 00:31 – Updated: 2025-11-03 21:33The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.4, macOS Ventura 13.7.6, macOS Sonoma 14.7.6. A malicious app may be able to gain root privileges.
{
"affected": [],
"aliases": [
"CVE-2025-30453"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-12T22:15:21Z",
"severity": "HIGH"
},
"details": "The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.4, macOS Ventura 13.7.6, macOS Sonoma 14.7.6. A malicious app may be able to gain root privileges.",
"id": "GHSA-pc2j-fvgw-h6vh",
"modified": "2025-11-03T21:33:48Z",
"published": "2025-05-13T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30453"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122717"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122718"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFF8-M8JX-77FJ
Vulnerability from github – Published: 2025-03-24 12:30 – Updated: 2025-03-24 15:30Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages.
Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform, altering their behaviour.
{
"affected": [],
"aliases": [
"CVE-2025-0478"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-24T12:15:13Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages.\n\nUnder certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform, altering their behaviour.",
"id": "GHSA-pff8-m8jx-77fj",
"modified": "2025-03-24T15:30:45Z",
"published": "2025-03-24T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0478"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJ78-8H7F-MG7F
Vulnerability from github – Published: 2024-07-17 09:30 – Updated: 2026-04-08 18:33The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
{
"affected": [],
"aliases": [
"CVE-2024-6660"
],
"database_specific": {
"cwe_ids": [
"CWE-280",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-17T07:15:03Z",
"severity": "HIGH"
},
"details": "The BookingPress \u2013 Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.",
"id": "GHSA-pj78-8h7f-mg7f",
"modified": "2026-04-08T18:33:33Z",
"published": "2024-07-17T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6660"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_import_export.php#L1491"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_import_export.php#L410"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_import_export.php#L476"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3116857/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_import_export.php?contextall=1"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/851ff861-474e-4063-88ff-d8d35b10e9a0?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQ39-F58P-6F4P
Vulnerability from github – Published: 2024-04-08 09:31 – Updated: 2024-08-01 15:31Vulnerability of package name verification being bypassed in the HwIms module. Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2023-52537"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T09:15:08Z",
"severity": "HIGH"
},
"details": "Vulnerability of package name verification being bypassed in the HwIms module.\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-pq39-f58p-6f4p",
"modified": "2024-08-01T15:31:37Z",
"published": "2024-04-08T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52537"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/3"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202403-0000001667644725"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWM3-7FV4-G6XX
Vulnerability from github – Published: 2026-05-08 20:20 – Updated: 2026-06-08 19:55Impact
A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
No workaround is available.
Acknowledgements
Wagtail thanks Vishal Shukla @shukla304 for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to security@wagtail.org (view the security policy for more information).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "7.1"
},
{
"fixed": "7.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44199"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T20:20:12Z",
"nvd_published_at": "2026-05-11T16:17:35Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA CMS user with limited access to form pages could delete submissions to form pages they don\u0027t have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don\u0027t. \n\nThe vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.\n\n### Patches\n\nPatched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.\n\n### Workarounds\n\nNo workaround is available.\n\n\n### Acknowledgements\n\nWagtail thanks Vishal Shukla @shukla304 for reporting this issue.\n\n### For more information\nIf there are any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.org/en/stable/support.html)\n* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
"id": "GHSA-pwm3-7fv4-g6xx",
"modified": "2026-06-08T19:55:40Z",
"published": "2026-05-08T20:20:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44199"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/wagtail/wagtail"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Wagtail has improper permission handling when deleting form submissions"
}
GHSA-PWPC-5PP8-7QW9
Vulnerability from github – Published: 2026-02-24 15:30 – Updated: 2026-02-27 21:31RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.
{
"affected": [],
"aliases": [
"CVE-2026-1772"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T14:16:22Z",
"severity": "MODERATE"
},
"details": "RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.",
"id": "GHSA-pwpc-5pp8-7qw9",
"modified": "2026-02-27T21:31:19Z",
"published": "2026-02-24T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1772"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000237\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PWQ2-C6F6-F36F
Vulnerability from github – Published: 2024-02-20 09:30 – Updated: 2024-02-20 09:30In OPPO Usercenter Credit SDK, there's a possible escalation of privilege due to loose permission check, This could lead to application internal information leak w/o user interaction.
{
"affected": [],
"aliases": [
"CVE-2024-1608"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T09:15:08Z",
"severity": "CRITICAL"
},
"details": "In OPPO Usercenter Credit SDK, there\u0027s a possible escalation of privilege due to loose permission check, This could lead to application internal information leak w/o user interaction.",
"id": "GHSA-pwq2-c6f6-f36f",
"modified": "2024-02-20T09:30:32Z",
"published": "2024-02-20T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1608"
},
{
"type": "WEB",
"url": "https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1759867611954552832"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2HW-C235-RP9R
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. A local attacker may gain access to Keychain items.
{
"affected": [],
"aliases": [
"CVE-2024-27837"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:13:07Z",
"severity": "HIGH"
},
"details": "A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. A local attacker may gain access to Keychain items.",
"id": "GHSA-q2hw-c235-rp9r",
"modified": "2026-04-02T21:31:41Z",
"published": "2024-05-14T15:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27837"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120903"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214106"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q35R-VVHV-VX5H
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-04-02 15:31A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-server-spi-private"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-model-jpa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-3190"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:46:10Z",
"nvd_published_at": "2026-03-26T19:17:06Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure.",
"id": "GHSA-q35r-vvhv-vx5h",
"modified": "2026-04-02T15:31:37Z",
"published": "2026-03-26T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3190"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/46723"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/f1baf25cbb1551202570f954102eb2d270ab0694"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-3190"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442572"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure"
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.
No CAPEC attack patterns related to this CWE.