CWE-280
AllowedImproper Handling of Insufficient Permissions or Privileges
Abstraction: Base · Status: Draft
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
256 vulnerabilities reference this CWE, most recent first.
GHSA-3XC3-G6FP-66XR
Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-09-30 09:30Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service.
{
"affected": [],
"aliases": [
"CVE-2024-8451"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T07:15:04Z",
"severity": "HIGH"
},
"details": "Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service.",
"id": "GHSA-3xc3-g6fp-66xr",
"modified": "2024-09-30T09:30:46Z",
"published": "2024-09-30T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8451"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8052-ac0ea-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8051-5048e-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3XM4-5347-4Q37
Vulnerability from github – Published: 2025-03-03 03:31 – Updated: 2025-03-04 18:33In Bluetooth Stack SW, there is a possible information disclosure due to a missing permission check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00396437; Issue ID: MSV-2184.
{
"affected": [],
"aliases": [
"CVE-2025-20649"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T03:15:09Z",
"severity": "MODERATE"
},
"details": "In Bluetooth Stack SW, there is a possible information disclosure due to a missing permission check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00396437; Issue ID: MSV-2184.",
"id": "GHSA-3xm4-5347-4q37",
"modified": "2025-03-04T18:33:28Z",
"published": "2025-03-03T03:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20649"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/March-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-435F-W5X3-Q9JC
Vulnerability from github – Published: 2025-04-07 06:30 – Updated: 2025-04-07 06:30Memory write permission bypass vulnerability in the kernel futex module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
{
"affected": [],
"aliases": [
"CVE-2025-31173"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T04:15:21Z",
"severity": "HIGH"
},
"details": "Memory write permission bypass vulnerability in the kernel futex module\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
"id": "GHSA-435f-w5x3-q9jc",
"modified": "2025-04-07T06:30:28Z",
"published": "2025-04-07T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31173"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CJW-FJ8X-XJ3R
Vulnerability from github – Published: 2024-07-10 09:30 – Updated: 2024-07-11 15:30Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by an unauthorized user. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted.
{
"affected": [],
"aliases": [
"CVE-2024-36451"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T07:15:03Z",
"severity": "HIGH"
},
"details": "Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by an unauthorized user. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted.",
"id": "GHSA-4cjw-fj8x-xj3r",
"modified": "2024-07-11T15:30:46Z",
"published": "2024-07-10T09:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36451"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN81442045"
},
{
"type": "WEB",
"url": "https://webmin.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FWV-VP29-WX8M
Vulnerability from github – Published: 2026-04-01 12:31 – Updated: 2026-04-07 21:32Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information
{
"affected": [],
"aliases": [
"CVE-2026-24096"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T11:15:58Z",
"severity": "MODERATE"
},
"details": "Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information",
"id": "GHSA-4fwv-vp29-wx8m",
"modified": "2026-04-07T21:32:35Z",
"published": "2026-04-01T12:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24096"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/18989"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4H67-FM2H-4QRP
Vulnerability from github – Published: 2026-04-17 18:31 – Updated: 2026-04-17 18:31Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files.
This is caused by improper handling of GPU memory reservation protections.
{
"affected": [],
"aliases": [
"CVE-2026-21733"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-17T17:16:35Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files.\n\nThis is caused by improper handling of GPU memory reservation protections.",
"id": "GHSA-4h67-fm2h-4qrp",
"modified": "2026-04-17T18:31:52Z",
"published": "2026-04-17T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21733"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4QRG-GPHX-M2CH
Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-24 15:30Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information
{
"affected": [],
"aliases": [
"CVE-2025-58121"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T16:15:44Z",
"severity": "MODERATE"
},
"details": "Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information",
"id": "GHSA-4qrg-gphx-m2ch",
"modified": "2025-11-24T15:30:27Z",
"published": "2025-11-18T18:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58121"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/18983"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4X26-G7HR-M7G8
Vulnerability from github – Published: 2023-11-02 12:30 – Updated: 2023-11-02 12:30Dell PowerScale OneFS 8.2.x, 9.0.0.x-9.5.0.x contains an improper handling of insufficient permissions. A low privileged remote attacker could potentially exploit this vulnerability to cause information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-43087"
],
"database_specific": {
"cwe_ids": [
"CWE-280",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-02T11:15:14Z",
"severity": "MODERATE"
},
"details": "\nDell PowerScale OneFS 8.2.x, 9.0.0.x-9.5.0.x contains an improper handling of insufficient permissions. A low privileged remote attacker could potentially exploit this vulnerability to cause information disclosure.\n\n",
"id": "GHSA-4x26-g7hr-m7g8",
"modified": "2023-11-02T12:30:16Z",
"published": "2023-11-02T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43087"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000218934/powerscale-onefs-security-updates-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X3H-P6XH-H5X5
Vulnerability from github – Published: 2026-06-02 12:31 – Updated: 2026-06-02 12:31LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database.
{
"affected": [],
"aliases": [
"CVE-2026-10549"
],
"database_specific": {
"cwe_ids": [
"CWE-280"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T10:16:20Z",
"severity": "MODERATE"
},
"details": "LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database.",
"id": "GHSA-4x3h-p6xh-h5x5",
"modified": "2026-06-02T12:31:25Z",
"published": "2026-06-02T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10549"
},
{
"type": "WEB",
"url": "https://ydb.tech/docs/ru/security-changelog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-54R5-WR8X-X5V3
Vulnerability from github – Published: 2022-12-20 00:30 – Updated: 2024-10-07 21:00Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-j94p-hv25-rm5g. This link is maintained to preserve external references.
Original Description
Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A malicious user may be able to find and subscribe to private APIs they do not have permission for, thus accessing API Management-protected resources they should not be allowed to access. The root cause of the issue is the Apiman project's accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.3.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.apiman:apiman-manager-api-rest-impl"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.7"
},
{
"fixed": "3.0.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-280"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-20T17:37:18Z",
"nvd_published_at": "2022-12-20T00:15:00Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-j94p-hv25-rm5g. This link is maintained to preserve external references.\n\n## Original Description\nApiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A malicious user may be able to find and subscribe to private APIs they do not have permission for, thus accessing API Management-protected resources they should not be allowed to access. The root cause of the issue is the Apiman project\u0027s accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.",
"id": "GHSA-54r5-wr8x-x5v3",
"modified": "2024-10-07T21:00:34Z",
"published": "2022-12-20T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47551"
},
{
"type": "WEB",
"url": "https://github.com/apiman/apiman/discussions/2409"
},
{
"type": "WEB",
"url": "https://www.apiman.io/blog/permissions-bypass-disclosure"
},
{
"type": "PACKAGE",
"url": "https://www.github.com/apiman/apiman"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Apiman has insufficient checks for read permissions",
"withdrawn": "2024-10-07T21:00:34Z"
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.
No CAPEC attack patterns related to this CWE.