
CWE-267 (Privilege Defined With Unsafe Actions) — Vulnerability Class 42

42 vulnerabilities classified as CWE-267 (Privilege Defined With Unsafe Actions). AI Chinese analysis included.

CWE-267 represents a design flaw where a defined privilege, role, or capability inherently permits unsafe actions that were not originally intended by the system architects. This weakness arises when the scope of a permission is overly broad or poorly defined, allowing authorized entities to execute operations that compromise security or integrity. Attackers typically exploit this by leveraging legitimate credentials to perform unauthorized activities, such as accessing sensitive data or modifying system configurations, because the privilege itself grants excessive capabilities. Developers can mitigate this risk by adhering to the principle of least privilege, ensuring that each role is granted only the minimum permissions necessary for its specific function. Rigorous threat modeling and regular code reviews help identify and restrict unintended action paths within privilege definitions, thereby preventing abuse even when assigned to correct entities.

MITRE CWE Description
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.
Mitigations (2)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design, Operation: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Examples (1)
This code intends to allow only Administrators to print debug information about a system.
    public enum Roles { ADMIN, USER, GUEST }

    public void printDebugInfo(User requestingUser) {
        if (isAuthenticated(requestingUser)) {
            switch (requestingUser.role) {
                case GUEST:
                    System.out.println("You are not authorized to perform this command");
                    break;
                default:
                    // every role other than GUEST, USER included, reaches this branch
                    System.out.println(currentDebugState());
                    break;
            }
        } else {
            System.out.println("You must be logged in to perform this command");
        }
    }
Bad · Java
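The flaw in the MITRE example is that the switch names the role to refuse (GUEST) and lets every other role, USER included, fall into the default branch. The following is an added example, not MITRE's code and not from any project listed on this page: it places that deny-on-GUEST logic beside an explicit allowlist so both checks can be evaluated for every role in the enum. The User record, the authenticated flag and the DEBUG_INFO_ROLES set are constructed for the example.

```java
import java.util.EnumSet;
import java.util.Set;

// Added example (not the page's or MITRE's code). Compares the deny-list check from
// the CWE-267 example with an allowlist version of the same authorization decision.
public class DebugInfoAccess {
    public enum Roles { ADMIN, USER, GUEST }

    // Minimal user record; the authentication state is a plain field here so the
    // example runs without a session layer (constructed for this example).
    public static final class User {
        public final Roles role;
        public final boolean authenticated;
        public User(Roles role, boolean authenticated) {
            this.role = role;
            this.authenticated = authenticated;
        }
    }

    // Mirrors the flawed logic: only GUEST is refused, so USER is granted an
    // action that was meant for ADMIN alone.
    public static boolean denyListAllows(User u) {
        if (!u.authenticated) return false;
        switch (u.role) {
            case GUEST:
                return false;
            default:
                return true;   // ADMIN and USER both land here
        }
    }

    // Hardened form: the roles permitted to print debug state are named explicitly.
    // Any other role, including ones added to the enum later, is denied by default.
    private static final Set<Roles> DEBUG_INFO_ROLES = EnumSet.of(Roles.ADMIN);

    public static boolean allowListAllows(User u) {
        return u.authenticated && DEBUG_INFO_ROLES.contains(u.role);
    }

    public static void main(String[] args) {
        // Evaluate both checks for every role, authenticated and not.
        for (Roles r : Roles.values()) {
            for (boolean auth : new boolean[] { true, false }) {
                User u = new User(r, auth);
                System.out.printf("%-5s authenticated=%-5b deny-list=%-5b allow-list=%b%n",
                        r, auth, denyListAllows(u), allowListAllows(u));
            }
        }
    }
}
```

Running the class prints one line per role and authentication state; the only row where the two checks disagree is the authenticated USER, which the deny-list version admits and the allowlist version refuses. The allowlist also stays correct if a new role is added to the enum, because nothing is granted until it is added to DEBUG_INFO_ROLES, which is the least-privilege default the Mitigations section above calls for.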
CVE ID · Title · Product · CVSS · Severity · Published
CVE-2026-27314 · Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass · Apache Cassandra · 8.8 (AI) · High (AI) · 2026-04-07
CVE-2026-2460 · Hitachi Energy Relion REB500 Security Vulnerability · Relion REB500 · 7.3 · - · 2026-02-24
CVE-2026-2459 · Hitachi Energy Relion REB500 Security Vulnerability · Relion REB500 · 7.1 · - · 2026-02-24
CVE-2025-14349 · Business Logic Error in Universal Software's FlexCity/Kiosk · FlexCity/Kiosk · 8.8 · High · 2026-02-13
CVE-2026-0945 · Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002 · Role Delegation · 8.8 (AI) · High (AI) · 2026-02-04
CVE-2025-13979 · Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117 · Mini site · 5.4 (AI) · Medium (AI) · 2026-01-28
CVE-2026-23526 · CVAT vulnerable to privilege escalation of users with staff status · cvat · 6.5 (AI) · Medium (AI) · 2026-01-21
CVE-2025-53900 · Kiteworks MFT has a Privilege Defined With Unsafe Actions · security-advisories · 6.5 · Medium · 2025-11-29
CVE-2025-41244 · VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) · VCF operations · 7.8 · High · 2025-09-29
CVE-2025-7691 · Privilege Defined With Unsafe Actions in GitLab · GitLab · 6.5 · Medium · 2025-09-26
CVE-2025-26467 · Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only) · Apache Cassandra · 8.8 · - · 2025-08-25
CVE-2025-47811 · Wing FTP Server Security Vulnerability · Wing FTP Server · 4.1 · Medium · 2025-07-10
CVE-2025-7030 · Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 · Two-factor Authentication (TFA) · 8.1 (AI) · High (AI) · 2025-07-08
CVE-2025-23015 · Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions · Apache Cassandra · 8.8 · - · 2025-02-04
CVE-2024-7571 · Ivanti Secure Access Client Security Vulnerability · Secure Access Client · 7.8 · High · 2024-11-12
CVE-2024-8539 · Ivanti Secure Access Client Security Vulnerability · Secure Access Client · 7.1 · High · 2024-11-12
CVE-2024-47906 · Ivanti Connect Secure Security Vulnerability · Connect Secure · 7.8 · High · 2024-11-12
CVE-2024-8631 · Privilege Defined With Unsafe Actions in GitLab · GitLab · 5.5 · Medium · 2024-09-12
CVE-2024-20411 · Cisco NX-OS Bash Arbitrary Code Execution Vulnerability · Cisco NX-OS Software · 6.7 · Medium · 2024-08-28
CVE-2024-42365 · Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan · asterisk · 7.4 · High · 2024-08-08
CVE-2024-39866 · Siemens SINEMA Remote Connect Security Vulnerability · SINEMA Remote Connect Server · 8.8 · High · 2024-07-09
CVE-2023-28049 · Dell Command | Monitor Security Vulnerability · Dell Command Monitor (DCM) · 4.7 · Medium · 2024-02-06
CVE-2023-41966 · Sielco Radio Link and Analog FM Transmitters Privilege Defined With Unsafe Actions · Analog FM transmitter · 6.5 · Medium · 2023-10-26
CVE-2023-43746 · BIG-IP Appliance mode external monitor vulnerability · BIG-IP · 8.7 · High · 2023-10-10
CVE-2023-44218 · SonicWALL NetExtender Security Vulnerability · NetExtender · 8.8 · High · 2023-10-03
CVE-2023-32457 · Dell PowerScale OneFS Security Vulnerability · PowerScale OneFS · 7.5 · High · 2023-08-29
CVE-2023-22647 · Rancher Labs Rancher Security Vulnerability · Rancher · 9.9 · Critical · 2023-06-01
CVE-2023-2983 · Privilege Defined With Unsafe Actions in pimcore/pimcore · pimcore/pimcore · 8.8 · - · 2023-05-30
CVE-2021-44547 · Odoo Security Vulnerability · Odoo Community · 7.2 · - · 2023-04-25
CVE-2021-23186 · Odoo Security Vulnerability · Odoo Community · 6.5 · - · 2023-04-25

Scores and severities marked (AI) carried the listing's AI tag; "-" means no severity was given.

Vulnerabilities classified as CWE-267 (Privilege Defined With Unsafe Actions) represent 42 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.