CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1919 vulnerabilities reference this CWE, most recent first.
GHSA-8383-GF95-58M6
Vulnerability from github – Published: 2025-05-23 06:30 – Updated: 2025-05-23 06:30An issue was discovered in CyberDAVA before 1.1.20. A privilege escalation vulnerability allows a low-privileged user to escalate their privilege by abusing the following API due to the lack of access control: /api/v2/users/user//role/ROLE/ (admin access can be achieved).
{
"affected": [],
"aliases": [
"CVE-2025-48695"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T05:15:25Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in CyberDAVA before 1.1.20. A privilege escalation vulnerability allows a low-privileged user to escalate their privilege by abusing the following API due to the lack of access control: /api/v2/users/user/\u003cuser id\u003e/role/ROLE/\u003cTarget role\u003e (admin access can be achieved).",
"id": "GHSA-8383-gf95-58m6",
"modified": "2025-05-23T06:30:31Z",
"published": "2025-05-23T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48695"
},
{
"type": "WEB",
"url": "https://github.com/michaelcheung-research/Vulnerability-Disclosure/blob/main/CVE-2025-CyberDava1/README.md?plain=1"
},
{
"type": "WEB",
"url": "https://www.cyberdava.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-83J8-7M3H-36P8
Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2024-09-17 15:31Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5.
{
"affected": [],
"aliases": [
"CVE-2024-21743"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T14:15:16Z",
"severity": "HIGH"
},
"details": "Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5.",
"id": "GHSA-83j8-7m3h-36p8",
"modified": "2024-09-17T15:31:23Z",
"published": "2024-09-17T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21743"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/houzez-login-register/wordpress-houzez-login-register-plugin-3-2-5-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-847C-3V8Q-4F53
Vulnerability from github – Published: 2025-03-23 03:30 – Updated: 2025-03-23 03:30A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-2639"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-23T03:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in JIZHICMS up to 1.7.0 and classified as problematic. This vulnerability affects unknown code of the file /user/release.html of the component Article Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-847c-3v8q-4f53",
"modified": "2025-03-23T03:30:34Z",
"published": "2025-03-23T03:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2639"
},
{
"type": "WEB",
"url": "https://github.com/H3rmesk1t/vulnerability-paper/blob/main/jizhiCMS-1.7.0-Incorrect%20Access%20Control3.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.300640"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.300640"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.519634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-847H-PFGV-F8C6
Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 00:31Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation.This issue affects xSmart: from n/a through <= 1.2.9.4.
{
"affected": [],
"aliases": [
"CVE-2025-50007"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T17:15:57Z",
"severity": "HIGH"
},
"details": "Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation.This issue affects xSmart: from n/a through \u003c= 1.2.9.4.",
"id": "GHSA-847h-pfgv-f8c6",
"modified": "2026-01-27T00:31:10Z",
"published": "2026-01-22T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50007"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84CC-V9FV-H9VV
Vulnerability from github – Published: 2025-12-08 03:31 – Updated: 2025-12-08 03:31A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
{
"affected": [],
"aliases": [
"CVE-2025-14206"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-08T01:16:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.",
"id": "GHSA-84cc-v9fv-h9vv",
"modified": "2025-12-08T03:31:00Z",
"published": "2025-12-08T03:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14206"
},
{
"type": "WEB",
"url": "https://github.com/rassec2/dbcve/issues/8"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.334649"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.334649"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.700465"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-857M-R47G-PCM9
Vulnerability from github – Published: 2025-09-26 03:31 – Updated: 2025-09-26 03:31A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10992"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T02:15:51Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-857m-r47g-pcm9",
"modified": "2025-09-26T03:31:07Z",
"published": "2025-09-26T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10992"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325919"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325919"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.653738"
},
{
"type": "WEB",
"url": "https://www.cnblogs.com/aibot/p/19063472"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-868V-2585-2WV2
Vulnerability from github – Published: 2026-07-12 12:31 – Updated: 2026-07-12 12:31A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload["note"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-15499"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-12T12:16:44Z",
"severity": "LOW"
},
"details": "A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload[\"note\"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-868v-2585-2wv2",
"modified": "2026-07-12T12:31:47Z",
"published": "2026-07-12T12:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15499"
},
{
"type": "WEB",
"url": "https://gist.github.com/YLChen-007/2bab96d5bedef784f90c97009fff8a19"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15499"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/844656"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377806"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377806/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-86C6-3G63-5W64
Vulnerability from github – Published: 2023-09-29 00:30 – Updated: 2023-09-29 20:38The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5077"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-29T20:38:23Z",
"nvd_published_at": "2023-09-29T00:15:12Z",
"severity": "HIGH"
},
"details": "The Vault and Vault Enterprise (\"Vault\") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.",
"id": "GHSA-86c6-3g63-5w64",
"modified": "2023-09-29T20:38:23Z",
"published": "2023-09-29T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5077"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/vault"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability"
}
GHSA-86PJ-HRWX-9VHG
Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:56In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21269"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T21:15:12Z",
"severity": "HIGH"
},
"details": "In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
"id": "GHSA-86pj-hrwx-9vhg",
"modified": "2024-04-04T06:56:08Z",
"published": "2023-08-14T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21269"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/70ec64dc5a2a816d6aa324190a726a85fd749b30"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-08-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86QM-25MG-CP7Q
Vulnerability from github – Published: 2026-02-20 21:31 – Updated: 2026-02-20 21:31A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-2852"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T19:23:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\bus\\controller\\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-86qm-25mg-cp7q",
"modified": "2026-02-20T21:31:23Z",
"published": "2026-02-20T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2852"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse/issues/63"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse/issues/63#issue-3846671301"
},
{
"type": "WEB",
"url": "https://github.com/yeqifu/warehouse"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.347088"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.347088"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.754431"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.