Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5443 vulnerabilities reference this CWE, most recent first.

GHSA-PQ9Q-4FCV-7RVJ

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-09-21 00:00
VLAI
Details

Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-16T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.",
  "id": "GHSA-pq9q-4fcv-7rvj",
  "modified": "2022-09-21T00:00:39Z",
  "published": "2022-05-24T19:05:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8300"
    },
    {
      "type": "WEB",
      "url": "https://support.citrix.com/article/CTX297155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQGG-8W8H-W2QQ

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.",
  "id": "GHSA-pqgg-8w8h-w2qq",
  "modified": "2022-05-24T19:20:59Z",
  "published": "2022-05-24T19:20:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0146"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211210-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQPM-XC7W-528J

Vulnerability from github – Published: 2024-01-31 18:31 – Updated: 2024-02-09 18:31
VLAI
Details

In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-31T16:15:45Z",
    "severity": "HIGH"
  },
  "details": "In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.\u00a0 In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.",
  "id": "GHSA-pqpm-xc7w-528j",
  "modified": "2024-02-09T18:31:06Z",
  "published": "2024-01-31T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0219"
    },
    {
      "type": "WEB",
      "url": "https://docs.telerik.com/devtools/justdecompile/knowledge-base/legacy-installer-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.telerik.com/products/decompiler.aspx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQQF-7HXM-RJ5R

Vulnerability from github – Published: 2026-02-11 14:23 – Updated: 2026-02-18 23:30
VLAI
Summary
Leaky JWTs in OpenMetadata exposing highly-privileged bot users
Details

Summary

Calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres)

Details

Any read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies).

PoC

I was able to extract the JWT used by the bot/agent populating sample_athena.default in the Collate Sandbox. To prove this out, I mutated the description to this UUID: fe2e4cc1-da72-4acf-8535-112a3cfa9c7e, which you can see @ https://sandbox.open-metadata.org/database/sample_athena.default.

Steps to Reproduce

  • Create a Collate Sandbox account; these are non-admin accounts by default with minimal permissions.
  • Open the Developer Console
  • Go to the Services Page. In this case, sample_athena, though other services
  • In the Network tab, introspect the request made to api/v1/services/ingestionPipelines, and find the jwtToken in the response: image

  • Use the JWT to issue (potentially destructive) API calls image

  • Resulting mutated description: image

Note that this is also the case for these services, among others: * acme_nexus_redshift * sample_postgres

Proposed Remediation

Redact jwtToken in API payload. Implement role-based filtering - Only return JWT tokens to users with explicit admin/service account permissions (for Admins) Rotate Ingestion Bot Tokens in affected environments

Impact

What kind of vulnerability is it? Who is impacted?

  • Vulnerability Type: Privilege Escalation
  • Risk: User impersonation, even for those with read-only access, can lead to destructive outcomes if malicious actors leverage the leaked JWT.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.open-metadata:openmetadata-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-11T14:23:02Z",
    "nvd_published_at": "2026-02-11T21:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nCalls issued by the UI against `/api/v1/ingestionPipelines` leak JWTs used by `ingestion-bot` for certain services (Glue / Redshift / Postgres)\n\n### Details\nAny read-only user can gain access to a highly privileged account, typically which has the Ingestion Bot Role. This enables destructive changes in OpenMetadata instances, and potential data leakage (e.g. sample data, or service metadata which would be unavailable per roles/policies). \n\n\n### PoC\nI was able to extract the JWT used by the bot/agent populating [sample_athena.default](https://sandbox.open-metadata.org/database/sample_athena.default) in the Collate Sandbox. To prove this out, I mutated the description to this UUID: `fe2e4cc1-da72-4acf-8535-112a3cfa9c7e,` which you can see  @ https://sandbox.open-metadata.org/database/sample_athena.default.\n\n#### Steps to Reproduce\n\n* Create a Collate Sandbox account; these are non-admin accounts by default with minimal permissions.\n* Open the Developer Console\n* Go to the Services Page. In this case, [sample_athena](https://sandbox.open-metadata.org/service/databaseServices/sample_athena?showDeletedTables=false\u0026currentPage=1), though other services \n* In the Network tab, introspect the request made to api/v1/services/ingestionPipelines, and find the jwtToken in the response:\n\u003cimg width=\"1329\" height=\"299\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0c405776-159e-4188-9591-ed8cc71bc596\" /\u003e\n\n* Use the JWT to issue (potentially destructive) API calls\n\u003cimg width=\"3024\" height=\"1798\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ab40b528-4d2b-404b-8f8a-482a1693e179\" /\u003e\n\n* Resulting mutated description:\n\u003cimg width=\"622\" height=\"399\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3fa630ff-93b5-4b7d-8e3c-220f8a84a23a\" /\u003e\n\nNote that this is also the case for these services, among others:\n* [acme_nexus_redshift](https://sandbox.open-metadata.org/service/databaseServices/acme_nexus_redshift) \n* [sample_postgres](https://sandbox.open-metadata.org/service/databaseServices/sample_postgres)\n\n### Proposed Remediation\nRedact jwtToken in API payload.\nImplement role-based filtering - Only return JWT tokens to users with explicit admin/service account permissions\n(for Admins) Rotate Ingestion Bot Tokens in affected environments\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n* Vulnerability Type: Privilege Escalation\n* Risk: User impersonation, even for those with read-only access, can lead to destructive outcomes if malicious actors leverage the leaked JWT.",
  "id": "GHSA-pqqf-7hxm-rj5r",
  "modified": "2026-02-18T23:30:21Z",
  "published": "2026-02-11T14:23:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-pqqf-7hxm-rj5r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26010"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-metadata/OpenMetadata"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-metadata/OpenMetadata/releases/tag/1.11.8-release"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Leaky JWTs in OpenMetadata exposing highly-privileged bot users"
}

GHSA-PQR6-X3HM-VW74

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2024-01-01 00:30
VLAI
Details

An elevation of privilege vulnerability exists in the way that the Wininit.dll handles objects in memory, aka 'WinINet API Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-11T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in the way that the Wininit.dll handles objects in memory, aka \u0027WinINet API Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-pqr6-x3hm-vw74",
  "modified": "2024-01-01T00:30:40Z",
  "published": "2022-05-24T17:27:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1012"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQR7-FJ5C-47J9

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08
VLAI
Details

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-11T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0719, CVE-2020-0720, CVE-2020-0721, CVE-2020-0722, CVE-2020-0723, CVE-2020-0724, CVE-2020-0725, CVE-2020-0726, CVE-2020-0731.",
  "id": "GHSA-pqr7-fj5c-47j9",
  "modified": "2022-05-24T17:08:27Z",
  "published": "2022-05-24T17:08:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0691"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PQWR-PHVV-V49F

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:29
VLAI
Summary
Open WebUI Allows Admin Deletion via API Endpoint
Details

In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint http://0.0.0.0:8080/api/v1/users/{uuid_administrator}. This action is restricted by the user interface but can be performed through direct API calls.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-7039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:29:56Z",
    "nvd_published_at": "2025-03-20T10:15:35Z",
    "severity": "HIGH"
  },
  "details": "In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls.",
  "id": "GHSA-pqwr-phvv-v49f",
  "modified": "2025-03-21T17:29:56Z",
  "published": "2025-03-20T12:32:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7039"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/27fc8a5a-546e-4cf2-8edb-df42e36518fc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI Allows Admin Deletion via API Endpoint"
}

GHSA-PR55-M2R8-WVG6

Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18
VLAI
Details

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1054.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-21T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1054.",
  "id": "GHSA-pr55-m2r8-wvg6",
  "modified": "2022-05-24T17:18:31Z",
  "published": "2022-05-24T17:18:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1143"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1143"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PR6P-6X97-5C59

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-05-27 00:31
VLAI
Details

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:03Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An attacker with root privileges may be able to delete protected system files.",
  "id": "GHSA-pr6p-6x97-5c59",
  "modified": "2026-05-27T00:31:26Z",
  "published": "2026-02-12T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46310"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125110"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126349"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR6W-W2R2-GM2G

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00
VLAI
Details

Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-14T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper directory permissions in Intel(R) PROSet/Wireless WiFi Software before version 21.40 may allow an authenticated user to potentially enable denial of service and information disclosure via local access.",
  "id": "GHSA-pr6w-w2r2-gm2g",
  "modified": "2022-05-24T17:00:57Z",
  "published": "2022-05-24T17:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11154"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00288.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.