CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5443 vulnerabilities reference this CWE, most recent first.
GHSA-PQ9Q-4FCV-7RVJ
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-09-21 00:00Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.
{
"affected": [],
"aliases": [
"CVE-2020-8300"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-16T14:15:00Z",
"severity": "MODERATE"
},
"details": "Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.",
"id": "GHSA-pq9q-4fcv-7rvj",
"modified": "2022-09-21T00:00:39Z",
"published": "2022-05-24T19:05:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8300"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX297155"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PQGG-8W8H-W2QQ
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
{
"affected": [],
"aliases": [
"CVE-2021-0146"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "MODERATE"
},
"details": "Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.",
"id": "GHSA-pqgg-8w8h-w2qq",
"modified": "2022-05-24T19:20:59Z",
"published": "2022-05-24T19:20:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0146"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211210-0006"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQPM-XC7W-528J
Vulnerability from github – Published: 2024-01-31 18:31 – Updated: 2024-02-09 18:31In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component. In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2024-0219"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-31T16:15:45Z",
"severity": "HIGH"
},
"details": "In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.\u00a0 In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.",
"id": "GHSA-pqpm-xc7w-528j",
"modified": "2024-02-09T18:31:06Z",
"published": "2024-01-31T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0219"
},
{
"type": "WEB",
"url": "https://docs.telerik.com/devtools/justdecompile/knowledge-base/legacy-installer-vulnerability"
},
{
"type": "WEB",
"url": "https://www.telerik.com/products/decompiler.aspx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQQF-7HXM-RJ5R
Vulnerability from github – Published: 2026-02-11 14:23 – Updated: 2026-02-18 23:30Summary
Calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres)
Details
Any read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies).
PoC
I was able to extract the JWT used by the bot/agent populating sample_athena.default in the Collate Sandbox. To prove this out, I mutated the description to this UUID: fe2e4cc1-da72-4acf-8535-112a3cfa9c7e, which you can see @ https://sandbox.open-metadata.org/database/sample_athena.default.
Steps to Reproduce
- Create a Collate Sandbox account; these are non-admin accounts by default with minimal permissions.
- Open the Developer Console
- Go to the Services Page. In this case, sample_athena, though other services
-
In the Network tab, introspect the request made to api/v1/services/ingestionPipelines, and find the jwtToken in the response:
-
Use the JWT to issue (potentially destructive) API calls
-
Resulting mutated description:
Note that this is also the case for these services, among others: * acme_nexus_redshift * sample_postgres
Proposed Remediation
Redact jwtToken in API payload. Implement role-based filtering - Only return JWT tokens to users with explicit admin/service account permissions (for Admins) Rotate Ingestion Bot Tokens in affected environments
Impact
What kind of vulnerability is it? Who is impacted?
- Vulnerability Type: Privilege Escalation
- Risk: User impersonation, even for those with read-only access, can lead to destructive outcomes if malicious actors leverage the leaked JWT.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.open-metadata:openmetadata-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26010"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-11T14:23:02Z",
"nvd_published_at": "2026-02-11T21:16:21Z",
"severity": "HIGH"
},
"details": "### Summary\nCalls issued by the UI against `/api/v1/ingestionPipelines` leak JWTs used by `ingestion-bot` for certain services (Glue / Redshift / Postgres)\n\n### Details\nAny read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). \n\n\n### PoC\nI was able to extract the JWT used by the bot/agent populating [sample_athena.default](https://sandbox.open-metadata.org/database/sample_athena.default) in the Collate Sandbox. To prove this out, I mutated the description to this UUID: `fe2e4cc1-da72-4acf-8535-112a3cfa9c7e,` which you can see @ https://sandbox.open-metadata.org/database/sample_athena.default.\n\n#### Steps to Reproduce\n\n* Create a Collate Sandbox account; these are non-admin accounts by default with minimal permissions.\n* Open the Developer Console\n* Go to the Services Page. In this case, [sample_athena](https://sandbox.open-metadata.org/service/databaseServices/sample_athena?showDeletedTables=false\u0026currentPage=1), though other services \n* In the Network tab, introspect the request made to api/v1/services/ingestionPipelines, and find the jwtToken in the response:\n\u003cimg width=\"1329\" height=\"299\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0c405776-159e-4188-9591-ed8cc71bc596\" /\u003e\n\n* Use the JWT to issue (potentially destructive) API calls\n\u003cimg width=\"3024\" height=\"1798\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ab40b528-4d2b-404b-8f8a-482a1693e179\" /\u003e\n\n* Resulting mutated description:\n\u003cimg width=\"622\" height=\"399\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3fa630ff-93b5-4b7d-8e3c-220f8a84a23a\" /\u003e\n\nNote that this is also the case for these services, among others:\n* [acme_nexus_redshift](https://sandbox.open-metadata.org/service/databaseServices/acme_nexus_redshift) \n* [sample_postgres](https://sandbox.open-metadata.org/service/databaseServices/sample_postgres)\n\n### Proposed Remediation\nRedact jwtToken in API payload.\nImplement role-based filtering - Only return JWT tokens to users with explicit admin/service account permissions\n(for Admins) Rotate Ingestion Bot Tokens in affected environments\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n* Vulnerability Type: Privilege Escalation\n* Risk: User impersonation, even for those with read-only access, can lead to destructive outcomes if malicious actors leverage the leaked JWT.",
"id": "GHSA-pqqf-7hxm-rj5r",
"modified": "2026-02-18T23:30:21Z",
"published": "2026-02-11T14:23:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26010"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-metadata/OpenMetadata"
},
{
"type": "WEB",
"url": "https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Leaky JWTs in OpenMetadata exposing highly-privileged bot users"
}
GHSA-PQR6-X3HM-VW74
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2024-01-01 00:30An elevation of privilege vulnerability exists in the way that the Wininit.dll handles objects in memory, aka 'WinINet API Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1012"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T17:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists in the way that the Wininit.dll handles objects in memory, aka \u0027WinINet API Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-pqr6-x3hm-vw74",
"modified": "2024-01-01T00:30:40Z",
"published": "2022-05-24T17:27:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1012"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQR7-FJ5C-47J9
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731.
{
"affected": [],
"aliases": [
"CVE-2020-0691"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T22:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731.",
"id": "GHSA-pqr7-fj5c-47j9",
"modified": "2022-05-24T17:08:27Z",
"published": "2022-05-24T17:08:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0691"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0691"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PQWR-PHVV-V49F
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:29In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}. This action is restricted by the user interface but can be performed through direct API calls.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7039"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T17:29:56Z",
"nvd_published_at": "2025-03-20T10:15:35Z",
"severity": "HIGH"
},
"details": "In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.",
"id": "GHSA-pqwr-phvv-v49f",
"modified": "2025-03-21T17:29:56Z",
"published": "2025-03-20T12:32:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7039"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/27fc8a5a-546e-4cf2-8edb-df42e36518fc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI Allows Admin Deletion via API Endpoint"
}
GHSA-PR55-M2R8-WVG6
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1054.
{
"affected": [],
"aliases": [
"CVE-2020-1143"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-21T23:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1054.",
"id": "GHSA-pr55-m2r8-wvg6",
"modified": "2022-05-24T17:18:31Z",
"published": "2022-05-24T17:18:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1143"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1143"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PR6P-6X97-5C59
Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-05-27 00:31This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.
{
"affected": [],
"aliases": [
"CVE-2025-46310"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T23:16:03Z",
"severity": "MODERATE"
},
"details": "This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.",
"id": "GHSA-pr6p-6x97-5c59",
"modified": "2026-05-27T00:31:26Z",
"published": "2026-02-12T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46310"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126349"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126350"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PR6W-W2R2-GM2G
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2019-11154"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-14T17:15:00Z",
"severity": "LOW"
},
"details": "Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.",
"id": "GHSA-pr6w-w2r2-gm2g",
"modified": "2022-05-24T17:00:57Z",
"published": "2022-05-24T17:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11154"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00288.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.