CWE-1268
AllowedPolicy Privileges are not Assigned Consistently Between Control and Data Agents
Abstraction: Base · Status: Draft
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.
1 vulnerability references this CWE, most recent first.
GHSA-X56M-FJH7-273X
Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-14 15:30Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-5892"
],
"database_specific": {
"cwe_ids": [
"CWE-1268"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:29Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-x56m-fjh7-273x",
"modified": "2026-04-14T15:30:29Z",
"published": "2026-04-09T00:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5892"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/487568011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Access-control-policy definition and programming flow must be sufficiently tested in pre-silicon and post-silicon testing.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.