Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5445 vulnerabilities reference this CWE, most recent first.

GHSA-HW2X-9XXC-78JF

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01
VLAI
Details

Certain NETGEAR devices are affected by privilege escalation. This affects D8500 before 1.0.3.44, R6400v2 before 1.0.2.66, R6700 before 1.0.2.6, R6700v3 before 1.0.2.66, R6900 before 1.0.2.4, R6900P before 1.3.2.126, R7000 before 1.0.9.42, R7000P before 1.3.2.126, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7900 before 1.0.3.10, R8300 before 1.0.2.130, and R8500 before 1.0.2.130.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-11T00:17:00Z",
    "severity": "HIGH"
  },
  "details": "Certain NETGEAR devices are affected by privilege escalation. This affects D8500 before 1.0.3.44, R6400v2 before 1.0.2.66, R6700 before 1.0.2.6, R6700v3 before 1.0.2.66, R6900 before 1.0.2.4, R6900P before 1.3.2.126, R7000 before 1.0.9.42, R7000P before 1.3.2.126, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7900 before 1.0.3.10, R8300 before 1.0.2.130, and R8500 before 1.0.2.130.",
  "id": "GHSA-hw2x-9xxc-78jf",
  "modified": "2022-07-13T00:01:35Z",
  "published": "2022-05-24T19:10:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38539"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000063760/Security-Advisory-for-Vertical-Privilege-Escalation-on-Some-Routers-and-Gateways-PSV-2018-0385"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HW5C-F5H3-CR4P

Vulnerability from github – Published: 2024-06-17 21:31 – Updated: 2024-08-26 15:31
VLAI
Details

Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-17T21:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Insecure Permissions vulnerability in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to escalate privileges via a crafted command.",
  "id": "GHSA-hw5c-f5h3-cr4p",
  "modified": "2024-08-26T15:31:13Z",
  "published": "2024-06-17T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ri5c/Jlink-Router-RCE"
    },
    {
      "type": "WEB",
      "url": "http://jlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HW95-W73V-WF42

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

Accidental logging of system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain system root-level privileges

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-05T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Accidental logging of system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain system root-level privileges",
  "id": "GHSA-hw95-w73v-wf42",
  "modified": "2022-05-24T19:19:53Z",
  "published": "2022-05-24T19:19:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39913"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39913.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/28074"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWF9-PW8H-7MW6

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11
VLAI
Details

An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations.To exploit the vulnerability, an attacker would require unprivileged execution on the victim system, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0779, CVE-2020-0798, CVE-2020-0814, CVE-2020-0842.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-12T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists in Windows Installer because of the way Windows Installer handles certain filesystem operations.To exploit the vulnerability, an attacker would require unprivileged execution on the victim system, aka \u0027Windows Installer Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0779, CVE-2020-0798, CVE-2020-0814, CVE-2020-0842.",
  "id": "GHSA-hwf9-pw8h-7mw6",
  "modified": "2022-05-24T17:11:00Z",
  "published": "2022-05-24T17:11:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0843"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0843"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HWFW-3RF5-M49W

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2023-12-28 21:30
VLAI
Details

Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-15T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability",
  "id": "GHSA-hwfw-3rf5-m49w",
  "modified": "2023-12-28T21:30:30Z",
  "published": "2022-05-24T19:14:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36967"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWGJ-F8QR-8J83

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-05-26 21:31
VLAI
Details

Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T18:17:20Z",
    "severity": "MODERATE"
  },
  "details": "Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally.",
  "id": "GHSA-hwgj-f8qr-8j83",
  "modified": "2026-05-26T21:31:36Z",
  "published": "2026-04-14T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32181"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32181"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2026-32181-detection-script-dos-vulnerability-in-windows-connected-user-experiences-and-telemetry-service"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2026-32181-mitigation-script-dos-vulnerability-in-windows-connected-user-experiences-and-telemetry-service"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWJ5-GQWH-GH6C

Vulnerability from github – Published: 2025-09-25 15:30 – Updated: 2025-09-25 15:30
VLAI
Details

ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup.

This issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-25T14:15:46Z",
    "severity": "LOW"
  },
  "details": "ZohoCorp ManageEngine Endpoint Central was impacted by an improper privilege management issue in the agent setup.\n\nThis issue affects Endpoint Central: through 11.4.2500.25, through 11.4.2508.13.",
  "id": "GHSA-hwj5-gqwh-gh6c",
  "modified": "2025-09-25T15:30:24Z",
  "published": "2025-09-25T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5494"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/desktop-central/privilege-escalation-endpointcentral-agent.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWJJ-QJX2-4MRX

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11
VLAI
Details

An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations, aka 'Windows Work Folder Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-12T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists when the Windows Work Folder Service improperly handles file operations, aka \u0027Windows Work Folder Service Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0777, CVE-2020-0797, CVE-2020-0800, CVE-2020-0864, CVE-2020-0865, CVE-2020-0866.",
  "id": "GHSA-hwjj-qjx2-4mrx",
  "modified": "2022-05-24T17:11:04Z",
  "published": "2022-05-24T17:11:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0897"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0897"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HWRJ-QGQ6-7MH4

Vulnerability from github – Published: 2025-06-02 15:31 – Updated: 2025-06-02 15:31
VLAI
Details

The SolarWinds Dameware Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low privilege account to be susceptible to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-02T13:15:21Z",
    "severity": "HIGH"
  },
  "details": "The SolarWinds Dameware Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low privilege account to be susceptible to this vulnerability.",
  "id": "GHSA-hwrj-qgq6-7mh4",
  "modified": "2025-06-02T15:31:22Z",
  "published": "2025-06-02T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26396"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/dameware/content/release_notes/dameware_12-3-2_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26396"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWVM-HRP8-HMQ8

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2026-04-01 18:31
VLAI
Details

Improper Privilege Management vulnerability in Hamid Alinia – idehweb Login with phone number allows Privilege Escalation.This issue affects Login with phone number: from n/a through 1.7.16.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:36Z",
    "severity": "HIGH"
  },
  "details": "Improper Privilege Management vulnerability in Hamid Alinia \u2013 idehweb Login with phone number allows Privilege Escalation.This issue affects Login with phone number: from n/a through 1.7.16.",
  "id": "GHSA-hwvm-hrp8-hmq8",
  "modified": "2026-04-01T18:31:47Z",
  "published": "2024-05-17T09:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32507"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/login-with-phone-number/vulnerability/wordpress-login-with-phone-number-plugin-1-7-16-privilege-escalation-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/login-with-phone-number/wordpress-login-with-phone-number-plugin-1-7-16-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.