
CWE-269 (Improper Privilege Management) — Vulnerability Class 1019

1019 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
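The summary and the mitigations above describe enforcing least privilege at every checkpoint, but give no code. The following is an added example (not from MITRE or from this page) of two such checkpoints in Python: a profile-update handler that uses an allowlist of self-editable fields so privilege-bearing attributes cannot be mass-assigned, and a role-assignment handler with a role ceiling so an actor can never grant more than it holds. The Role lattice, the field names and the actor/target dicts are constructed for illustration.

```python
from enum import IntEnum


# Constructed example: a small role lattice. Higher value = more privilege.
class Role(IntEnum):
    VIEWER = 1
    EDITOR = 2
    USER_ADMIN = 3
    SUPERUSER = 4


class AuthorizationError(Exception):
    """Raised when an actor attempts an action outside its sphere of control."""


# Allowlist of fields a user may change on their own profile.
# 'role' and 'is_admin' are deliberately absent: privilege-bearing
# attributes must never be writable through a profile update.
SELF_EDITABLE_FIELDS = frozenset({"display_name", "email", "timezone"})


def update_profile(actor, target, changes):
    """Profile-update checkpoint.

    actor/target are constructed dicts: {"id": str, "role": Role, ...}.
    The check is an allowlist, so a privileged field added later is
    blocked by default instead of slipping through a denylist.
    """
    if actor["id"] != target["id"] and actor["role"] < Role.USER_ADMIN:
        raise AuthorizationError("may only edit own profile")
    disallowed = set(changes) - SELF_EDITABLE_FIELDS
    if disallowed:
        raise AuthorizationError(
            "not writable via profile update: " + ", ".join(sorted(disallowed)))
    target.update(changes)
    return target


def assign_role(actor, target, new_role):
    """Role-change checkpoint with a role ceiling.

    An actor may only grant roles up to its own, and may not touch an
    account that already outranks it. Without the ceiling a USER_ADMIN
    could promote any account, including itself, to SUPERUSER.
    """
    new_role = Role(new_role)
    if actor["role"] < Role.USER_ADMIN:
        raise AuthorizationError("insufficient privilege to change roles")
    if new_role > actor["role"]:
        raise AuthorizationError("cannot grant a role above your own")
    if target["role"] > actor["role"]:
        raise AuthorizationError("cannot modify an account that outranks you")
    target["role"] = new_role
    return target


def guarded(action, *args):
    """Run a checkpoint and report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", action(*args))
    except AuthorizationError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    alice = {"id": "alice", "role": Role.VIEWER}
    mallory_admin = {"id": "mallory", "role": Role.USER_ADMIN}
    print(guarded(update_profile, alice, alice, {"role": Role.SUPERUSER}))
    print(guarded(assign_role, mallory_admin, mallory_admin, Role.SUPERUSER))
    print(guarded(assign_role, mallory_admin, alice, Role.EDITOR))
```

Both checks are applied inside the handler rather than in the UI layer, so they hold for any caller that reaches the endpoint, and the comparison is always against the actor's own role, never against a client-supplied value.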
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are assumed to be
    # defined elsewhere, as in the MITRE example.
    def makeNewUserDir(username):
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()  # skipped when os.mkdir raises: the process stays privileged
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness.

    #include <unistd.h>

    seteuid(0);          /* raise the effective UID to root; return value not checked */
    /* do some stuff */  /* everything here runs with root privileges */
    seteuid(getuid());   /* lower only the effective UID; return value not checked, saved set-user-ID unchanged */

Bad · C
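The Python example above leaves the process privileged whenever os.mkdir raises, because lowerPrivileges() is only reached on the success path. The following added example (not part of the MITRE entry or of this page) places that flawed control flow beside a hardened form that confines the privileged window to a context manager whose finally clause lowers privileges on every exit. PrivilegeState is a constructed stand-in for raisePrivileges()/lowerPrivileges() that records state instead of calling os.seteuid(), so the behaviour can be checked without root; invalid_username(), failing_mkdir() and the helper names are likewise constructed.

```python
import os
import re
import tempfile
from contextlib import contextmanager

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def invalid_username(username):
    """Allowlist check standing in for the example's invalidUsername()."""
    return not isinstance(username, str) or USERNAME_RE.match(username) is None


class PrivilegeState:
    """Constructed stand-in for raisePrivileges()/lowerPrivileges().

    A real implementation would call os.seteuid(); here we only record
    whether the process is currently elevated so the control flow can be
    checked without root.
    """
    def __init__(self):
        self.elevated = False
        self.log = []

    def raise_privileges(self):
        self.elevated = True
        self.log.append("raise")

    def lower_privileges(self):
        self.elevated = False
        self.log.append("lower")


def make_new_user_dir_bad(username, priv, base, mkdir=os.mkdir):
    """Same control flow as the CWE-269 example: if mkdir raises OSError,
    lower_privileges() is skipped and the process stays elevated."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        mkdir(os.path.join(base, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True


@contextmanager
def elevated(priv):
    """Raise privileges for the body of the with-block and lower them on
    every exit path, including exceptions."""
    priv.raise_privileges()
    try:
        yield
    finally:
        priv.lower_privileges()


def make_new_user_dir_fixed(username, priv, base, mkdir=os.mkdir):
    """Hardened form: the privileged window covers only the mkdir call
    and is always closed by the context manager's finally clause."""
    if invalid_username(username):
        return False
    try:
        with elevated(priv):
            mkdir(os.path.join(base, username))
    except OSError:
        return False
    return True


def failing_mkdir(path):
    """Constructed failure, e.g. the directory already exists."""
    raise OSError(17, "File exists", path)


def compare_on_failure():
    """Returns (elevated_after_bad, elevated_after_fixed) when mkdir fails."""
    bad, fixed = PrivilegeState(), PrivilegeState()
    make_new_user_dir_bad("alice", bad, "/home", mkdir=failing_mkdir)
    make_new_user_dir_fixed("alice", fixed, "/home", mkdir=failing_mkdir)
    return bad.elevated, fixed.elevated


def create_in_tempdir(username):
    """Runs the fixed version twice against a real temporary directory so the
    second call hits a genuine OSError (EEXIST). Returns
    (created_first, created_again, privilege_log, directory_exists)."""
    with tempfile.TemporaryDirectory() as base:
        priv = PrivilegeState()
        first = make_new_user_dir_fixed(username, priv, base)
        again = make_new_user_dir_fixed(username, priv, base)
        exists = os.path.isdir(os.path.join(base, username))
    return first, again, priv.log, exists


if __name__ == "__main__":
    print("elevated after failure (bad, fixed):", compare_on_failure())
    print(create_in_tempdir("alice"))
```

The same reasoning applies to the C example: a seteuid(0) ... seteuid(getuid()) pair has no finally-equivalent, so any early return or error between the two calls leaves the process running as root, and an unchecked seteuid() return value hides a failed drop.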
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-7467 | Read More & Accordion <= 3.5.7 - Privilege Escalation via importData | Read More & Accordion | 8.8 | High | 2026-05-20
CVE-2026-7284 | Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register | Easy Elements for Elementor – Addons & Website Templates | 9.8 | Critical | 2026-05-20
CVE-2026-8719 | AI Engine 3.4.9 - Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token | AI Engine – The Chatbot, AI Framework & MCP for WordPress | 8.8 | High | 2026-05-17
CVE-2026-45395 | Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution | open-webui | 7.2 | High | 2026-05-15
CVE-2026-45675 | Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts | open-webui | 8.1 | High | 2026-05-15
CVE-2026-6228 | Frontend Admin by DynamiApps <= 3.28.36 - Unauthenticated Privilege Escalation via Edit User Form | Frontend Admin by DynamiApps | 8.8 | High | 2026-05-15
CVE-2025-62625 | AMD Processors Security Vulnerability | AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics | - | - | 2026-05-14
CVE-2026-5193 | Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation via register_user | Essential Addons for Elementor – Popular Elementor Templates & Widgets | 6.5 | Medium | 2026-05-14
CVE-2026-42289 | ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation | CRM | 8.8 | High | 2026-05-12
CVE-2026-44224 | Wiki.js: Privilege Escalation via Missing Group Validation in users.update | wiki | - | - | 2026-05-12
CVE-2026-44218 | ciguard: Container image runs as root (no USER directive) | ciguard | 3.0 | Low | 2026-05-12
CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | Dynamics 365 | 7.7 | High | 2026-05-12
CVE-2026-43886 | Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access | outline | 8.2 | High | 2026-05-11
CVE-2026-42609 | Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic | grav | 8.1 | High | 2026-05-11
CVE-2026-26946 | Dell ECS Security Vulnerability | ECS | 6.7 | Medium | 2026-05-11
CVE-2026-42562 | Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control) | plainpad | 8.3 | High | 2026-05-09
CVE-2026-41163 | bubblewrap vulnerable to privilege escalation in setuid mode via ptrace | bubblewrap | 8.4 | - | 2026-05-09
CVE-2026-44987 | SysReptor: Privilege Escalation from User Admin to Superuser | sysreptor | 3.8 | Low | 2026-05-08
CVE-2026-42185 | People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation | people | 5.5 | Medium | 2026-05-08
CVE-2026-40001 | Local privilege escalation vulnerability in ZTE PROCESS Guard service of the cloud computer client | ZTE PROCESS Guard service | 5.2 | Medium | 2026-05-06
CVE-2026-7778 | runZero Platform dashboard configuration exposure | Platform | 5.0 | Medium | 2026-05-05
CVE-2025-13618 | Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration | Mentoring | 9.8 | Critical | 2026-05-05
CVE-2026-24072 | Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr | Apache HTTP Server | 5.5 | - | 2026-05-04
CVE-2026-7641 | Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields | Import and export users and customers | 8.8 | High | 2026-05-02
CVE-2026-6389 | IBM Turbonomic Prometurbo agent used by IBM Turbonomic Application Resource Management is affected by a single vulnerability | Turbonomic prometurbo agent | 8.8 | High | 2026-04-30
CVE-2026-5141 | Improper Access Control in TUBITAK BILGEM's Pardus Software Center | Pardus Software Center | 8.8 | High | 2026-04-29
CVE-2026-6741 | LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability | LatePoint – Calendar Booking Plugin for Appointments and Events | 8.8 | High | 2026-04-27
CVE-2026-7106 | Highland Software Custom Role Manager <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation | Highland Software Custom Role Manager | 8.8 | High | 2026-04-27
CVE-2026-41359 | OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence | OpenClaw | 7.1 | High | 2026-04-23
CVE-2026-1726 | Multiple Vulnerabilities in IBM Guardium Key Lifecycle Manager | Guardium Key Lifecycle Manager | 4.3 (AI) | Medium (AI) | 2026-04-22

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1019 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.