Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1220 — Vulnerability Class 68

68 vulnerabilities classified as CWE-1220. AI Chinese analysis included.

CWE-1220 represents a critical access control weakness where security policies are implemented with insufficient granularity, resulting in overly broad permissions that fail to restrict unauthorized access to sensitive assets. This vulnerability typically arises when developers apply coarse-grained controls, such as granting read or write access to entire directories or device groups rather than specific files or components. Attackers exploit this by leveraging legitimate but excessive privileges to access or modify security-sensitive data that should remain isolated. In integrated circuits, this might manifest as allowing a low-privilege processor core to access high-security memory regions intended for cryptographic keys. To mitigate this risk, developers must adopt the principle of least privilege, ensuring that access rights are assigned at the most specific level necessary for functionality. Rigorous code reviews and automated static analysis tools can help identify overly permissive configurations before deployment, thereby enforcing strict boundaries between trusted and untrusted agents within the system architecture.

MITRE CWE Description
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. Integrated circuits and hardware engines can expose accesses to assets (device configuration, keys, etc.) to trusted firmware or a software module (commonly set by BIOS/bootloader). This access is typically access-controlled. Upon a power reset, the hardware or system usually starts with default values in registers, and the trusted firmware (Boot firmware) configures the necessary access-control protection. A common weakness that can exist in such protection schemes is that access controls or policies are not granular enough. This condition allows agents beyond trusted agents to access assets and could lead to a loss of functionality or the ability to set up the device securely. This further results in security risks from leaked, sensitive, key material to modification of device configuration.
Common Consequences (1)
Confidentiality, Integrity, Availability, Access ControlModify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Other
Mitigations (1)
Architecture and Design, Implementation, TestingAccess-control-policy protections must be reviewed for design inconsistency and common weaknesses. Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
Effectiveness: High
Examples (2)
Consider a system with a register for storing AES key for encryption or decryption. The key is 128 bits, implemented as a set of four 32-bit registers. The key registers are assets and registers, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary access controls. The read-policy register defines which agents can read the AES-key registers, and write-policy register …
Register Field description AES_ENC_DEC_KEY_0 AES key [0:31] for encryption or decryption Default 0x00000000 AES_ENC_DEC_KEY_1 AES key [32:63] for encryption or decryption Default 0x00000000 AES_ENC_DEC_KEY_2 AES key [64:95] for encryption or decryption Default 0x00000000 AES_ENC_DEC_KEY_4 AES key [96:127] for encryption or decryption Default 0x00000000 AES_KEY_READ_WRITE_POLICY [31:0] Default 0x00000006 - meaning agent with identities "1" and "2" can both read from and write to key registers
Bad · Other
AES_KEY_READ_POLICY [31:0] Default 0x00000002 - meaning only Crypto engine with identity "1" can read registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 AES_KEY_WRITE_POLICY [31:0] Default 0x00000004 - meaning only trusted firmware with identity "2" can program registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3
Good · Other
Within the AXI node interface wrapper module in the RISC-V AXI module of the HACK@DAC'19 CVA6 SoC [REF-1346], an access control mechanism is employed to regulate the access of different privileged users to peripherals.
... for (i=0; i<NB_SUBORDINATE; i++) begin for (j=0; j<NB_MANAGER; j++) begin assign connectivity_map_o[i][j] = access_ctrl_i[i][j][priv_lvl_i] || ((j==6) && access_ctrl_i[i][7][priv_lvl_i]); end end ...
Bad · Verilog
... for (i=0; i<NB_SUBORDINATE; i++) begin for (j=0; j<NB_MANAGER; j++) begin assign connectivity_map_o[i][j] = access_ctrl_i[i][j][priv_lvl_i]; end end ...
Good · Verilog
CVE IDTitleCVSSSeverityPublished
CVE-2026-38743 Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities — Apache Airflow 4.3AIMediumAI2026-04-24
CVE-2026-40690 Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users — Apache Airflow 4.3AIMediumAI2026-04-24
CVE-2026-6388 Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation — Red Hat OpenShift GitOps 9.1 Critical2026-04-15
CVE-2026-33825 Microsoft Defender Elevation of Privilege Vulnerability — Microsoft Defender Antimalware Platform 7.8 High2026-04-14
CVE-2025-20628 Insufficient granularity of access control for Remote Connector Servers in client mode — PingIDM 5.9AIMediumAI2026-04-07
CVE-2026-20107 Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability — Cisco Application Policy Infrastructure Controller (APIC) 5.5 Medium2026-02-25
CVE-2025-48514 AMD Processors 安全漏洞 — AMD EPYC™ 9004 Series Processors 2.3AILowAI2026-02-10
CVE-2025-48517 AMD EPYC 9005 Series 安全漏洞 — AMD EPYC™ 9005 Series Processors 3.2AILowAI2026-02-10
CVE-2024-4147 Insufficient Access Control in lunary-ai/lunary — lunary-ai/lunary 4.3AIMediumAI2026-02-02
CVE-2025-11246 Insufficient Granularity of Access Control in GitLab — GitLab 5.4 Medium2026-01-09
CVE-2025-8306 Improper Access Control in Asseco Infomedica Plus — InfoMedica Plus 8.8 -2026-01-08
CVE-2025-20305 Cisco Identity Services Engine 安全漏洞 — Cisco Identity Services Engine Software 4.3 Medium2025-11-05
CVE-2025-8049 Insufficient Access Control vulnerability has been discovered in OpenText Flipper. — Flipper 7.8AIHighAI2025-10-20
CVE-2025-8053 Insufficient access control vulnerability has been discovered in Opentext Flipper. — Flipper 8.8AIHighAI2025-10-20
CVE-2025-54461 ChatLuck 安全漏洞 — ChatLuck 9.1AICriticalAI2025-10-16
CVE-2025-7493 Freeipa: idm: privilege escalation from host to domain admin in freeipa — Red Hat Enterprise Linux 10 9.1 Critical2025-09-30
CVE-2024-21947 AMD Embedded Processors和AMD Client Processor 安全漏洞 — AMD Ryzen™ Threadripper™ 3000 Processors 7.5 High2025-09-06
CVE-2025-31961 HCL Connections is vulnerable to broken access control — Connections 3.7 Low2025-08-15
CVE-2025-2498 Insufficient Granularity of Access Control in GitLab — GitLab 3.1 Low2025-08-13
CVE-2025-7001 Insufficient Granularity of Access Control in GitLab — GitLab 4.3 Medium2025-07-24
CVE-2025-3648 Data Inference in Now Platform via Conditional ACLs — Now Platform 5.3AIMediumAI2025-07-08
CVE-2025-27026 Improper Access Control Granularity impacting Infinera G42 — G42 4.9 Medium2025-07-02
CVE-2025-4404 Freeipa: idm: privilege escalation from host to domain admin in freeipa 9.1 Critical2025-06-17
CVE-2025-5982 Insufficient Granularity of Access Control in GitLab — GitLab 3.7 Low2025-06-12
CVE-2025-1110 Insufficient Granularity of Access Control in GitLab — GitLab 2.7 Low2025-05-22
CVE-2025-4979 Insufficient Granularity of Access Control in GitLab — GitLab 4.9 Medium2025-05-22
CVE-2025-32703 Visual Studio Information Disclosure Vulnerability — Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) 5.5 Medium2025-05-13
CVE-2025-1278 Insufficient Granularity of Access Control in GitLab — GitLab 5.3 Medium2025-05-09
CVE-2025-2408 Insufficient Granularity of Access Control in GitLab — GitLab 5.3 Medium2025-04-10
CVE-2024-33058 Insufficient Granularity of Access Control in Core — Snapdragon 7.5 High2025-04-07

Vulnerabilities classified as CWE-1220 represent 68 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.