CWE-284 (Improper Access Control) — Vulnerability Class, 2062 CVEs

2062 vulnerabilities classified as CWE-284 (Improper Access Control). AI-generated Chinese analysis included.

CWE-284 covers the case where software fails to restrict access to a resource, or restricts it incorrectly, so that an actor can read data or invoke functions they were never meant to reach. The flaw usually comes from a missing or incomplete authentication or authorization check: an endpoint that trusts a client-supplied identifier, a permission that is checked on the listing page but not on the action it links to, or a session or token whose scope is never re-validated. Attackers reach such resources through direct URL or parameter manipulation (insecure direct object references), token forgery, or privilege escalation, and the outcome ranges from disclosure of other users' data to unauthorized modification or full service compromise. The mitigation is to enforce access control server-side at every layer: verify identity, apply the principle of least privilege, and check the caller's permission against the specific resource on every request before granting access, defaulting to deny.

MITRE CWE Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Access control involves the use of several protection mechanisms such as:
- Authentication (proving the identity of an actor)
- Authorization (ensuring that a given actor can access a resource), and
- Accountability (tracking of activities that were performed)

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:
- Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
- Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.

Common Consequences (1)

Scope: Other. Impact: Varies by Context.

Mitigations (2)

Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Examples (2)

This code temporarily raises the program's privileges to allow creation of a new user folder.

    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # defined elsewhere in the MITRE example; they are not shown on this page.
    def makeNewUserDir(username):
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # If os.mkdir() raises OSError, this line is never reached and the
            # process stays elevated after the function returns.
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
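The flaw in the example above is an enforcement failure: a failing os.mkdir() raises before lowerPrivileges() runs, so the caller continues with elevated privileges. The following is an added example, not MITRE's code and not from the page, showing the same function beside a version that drops privileges in a finally block. The raise/lower helpers are not defined on the page, so they are modelled here as a counter (an assumption made for this example) that makes the leaked elevation observable, and a temporary directory stands in for /home.

```python
import os
import tempfile


class PrivilegeState:
    """Constructed stand-in for raisePrivileges()/lowerPrivileges(): a counter
    that lets the caller observe whether the process is still elevated."""

    def __init__(self):
        self.elevated = 0

    def raise_privileges(self):
        self.elevated += 1

    def lower_privileges(self):
        if self.elevated <= 0:
            raise RuntimeError("lower_privileges() without a matching raise")
        self.elevated -= 1


# Substrings rejected in a username (path traversal and shell metacharacters);
# an assumed policy standing in for the page's invalidUsername() helper.
FORBIDDEN = ("/", "\\", "..", ";", "|", "&", "$", "`", "\n", "\0")


def invalid_username(username):
    # The CWE-22 / CWE-78 guard from the original example.
    return not username or username == "." or any(s in username for s in FORBIDDEN)


def make_new_user_dir_bad(state, home_root, username):
    # Mirrors the page's example: a failing os.mkdir raises OSError before
    # lower_privileges() runs, so the caller continues with elevated privileges.
    if invalid_username(username):
        return False
    try:
        state.raise_privileges()
        os.mkdir(os.path.join(home_root, username))
        state.lower_privileges()
    except OSError:
        return False
    return True


def make_new_user_dir_fixed(state, home_root, username):
    # Hardened: the drop sits in a finally block, so every exit path, including
    # the OSError one, leaves the process unprivileged.
    if invalid_username(username):
        return False
    state.raise_privileges()
    try:
        os.mkdir(os.path.join(home_root, username))
    except OSError:
        return False
    finally:
        state.lower_privileges()
    return True


def demo():
    """Create the same directory twice so the second mkdir fails with FileExistsError."""
    out = {}
    with tempfile.TemporaryDirectory() as home:
        bad = PrivilegeState()
        out["bad_first"] = make_new_user_dir_bad(bad, home, "alice")
        out["bad_second"] = make_new_user_dir_bad(bad, home, "alice")
        out["bad_elevated_after_failure"] = bad.elevated

        good = PrivilegeState()
        out["fixed_first"] = make_new_user_dir_fixed(good, home, "bob")
        out["fixed_second"] = make_new_user_dir_fixed(good, home, "bob")
        out["fixed_elevated_after_failure"] = good.elevated
    return out


if __name__ == "__main__":
    print(demo())
```

After the second call the bad variant reports elevated == 1, the fixed variant 0. In a real setuid or capability-dropping program the same pattern applies: do the drop in finally (or equivalent cleanup) and verify the drop succeeded, since a failed seteuid() is itself a silent privilege leak.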
This function runs an arbitrary SQL query on a given database, returning the result of the query.

    <?php
    function runEmployeeQuery($dbName, $name){
        mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName);
        //Use a prepared statement to avoid CWE-89
        $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
        $preparedStatement->execute(array(':name' => $name));
        // Nothing checks whether the requesting user may read this record (CWE-284)
        return $preparedStatement->fetchAll();
    }
    /.../
    $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']);

Bad · PHP
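The PHP example above is safe against injection but returns whatever employee record the client names, which is the enforcement failure described in the MITRE text and the shape of most IDOR entries in the list below. The following is an added example, not part of the page, MITRE's code, or any project listed here, written in Python with an in-memory sqlite3 table of constructed rows. It places the vulnerable query beside two hardened forms: an object-level check on every fetched row, and a query scoped to the caller so unauthorized rows are never fetched. The Principal type, the owner_id column and the "hr" role are assumptions for this example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. The role model is an assumption for this example."""
    user_id: int
    roles: frozenset


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the record."""


def build_db():
    # Constructed sample data; owner_id is the user a row belongs to.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, owner_id INTEGER, salary INTEGER)"
    )
    db.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [(1, "alice", 1, 90000), (2, "bob", 2, 85000), (3, "carol", 3, 120000)],
    )
    return db


SELECT = "SELECT id, name, owner_id, salary FROM employees WHERE name = ?"


def run_employee_query_bad(db, name):
    # Same shape as the page's runEmployeeQuery: parameterized, so no CWE-89,
    # but nothing asks whether the caller may see the row it returns (CWE-284).
    return db.execute(SELECT, (name,)).fetchall()


def can_read_employee(principal, row):
    # Deny by default: only the row's owner or an HR role may read it.
    _id, _name, owner_id, _salary = row
    return principal.user_id == owner_id or "hr" in principal.roles


def run_employee_query_checked(db, principal, name):
    # Enforcement after fetch: every returned row passes an object-level check,
    # not just the endpoint as a whole.
    rows = db.execute(SELECT, (name,)).fetchall()
    for row in rows:
        if not can_read_employee(principal, row):
            raise Forbidden(f"user {principal.user_id} may not read employee {row[0]}")
    return rows


def run_employee_query_scoped(db, principal, name):
    # Enforcement in the query: rows the caller may not see are never fetched,
    # so a denied lookup is indistinguishable from a missing record.
    if "hr" in principal.roles:
        return db.execute(SELECT, (name,)).fetchall()
    return db.execute(SELECT + " AND owner_id = ?", (name, principal.user_id)).fetchall()


def demo():
    db = build_db()
    bob = Principal(user_id=2, roles=frozenset())
    hr = Principal(user_id=9, roles=frozenset({"hr"}))
    out = {"bad_rows": len(run_employee_query_bad(db, "alice"))}
    try:
        run_employee_query_checked(db, bob, "alice")
        out["checked_bob_alice"] = "allowed"
    except Forbidden:
        out["checked_bob_alice"] = "forbidden"
    out["checked_hr_alice"] = len(run_employee_query_checked(db, hr, "alice"))
    out["scoped_bob_alice"] = len(run_employee_query_scoped(db, bob, "alice"))
    out["scoped_bob_bob"] = run_employee_query_scoped(db, bob, "bob")[0][3]
    return out


if __name__ == "__main__":
    print(demo())
```

The two hardened forms differ in what a denied caller learns: the checked version returns a 403-style error, which confirms the record exists, while the scoped version returns nothing, which is the safer default when resource identifiers are guessable. Either way the decision is made against the specific row and the authenticated principal, never against a client-supplied identifier alone.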
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-67645 | OpenEMR Vulnerable to Broken Access Control in Profile Edit Endpoint | openemr | 8.8 | High | 2026-01-27
CVE-2026-24740 | Dozzle Agent Label-Based Access Control Bypass Allows Unauthorized Container Shell Access | dozzle | 8.1 (AI) | High (AI) | 2026-01-27
CVE-2026-1411 | Beetel 777VR1 UART access control | 777VR1 | 6.1 | Medium | 2026-01-26
CVE-2026-24420 | phpMyFAQ: Attachment download allowed without dlattachment right (broken access control) | phpMyFAQ | 6.5 | Medium | 2026-01-24
CVE-2026-24304 | Azure Resource Manager Elevation of Privilege Vulnerability | Azure Resource Manager | 9.9 | Critical | 2026-01-23
CVE-2026-24306 | Azure Front Door Elevation of Privilege Vulnerability | Azure Front Door | 9.8 | Critical | 2026-01-22
CVE-2026-20912 | Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure | Gitea Open Source Git Server | 7.5 (AI) | High (AI) | 2026-01-22
CVE-2026-20897 | Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR) | Gitea Open Source Git Server | 6.5 (AI) | Medium (AI) | 2026-01-22
CVE-2026-20904 | Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes | Gitea Open Source Git Server | 4.3 (AI) | Medium (AI) | 2026-01-22
CVE-2026-20888 | Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass) | Gitea Open Source Git Server | 4.3 (AI) | Medium (AI) | 2026-01-22
CVE-2026-20883 | Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure | Gitea Open Source Git Server | 5.3 (AI) | Medium (AI) | 2026-01-22
CVE-2026-20750 | Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR) | Gitea Open Source Git Server | 6.5 (AI) | Medium (AI) | 2026-01-22
CVE-2026-20736 | Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check | Gitea Open Source Git Server | 6.5 (AI) | Medium (AI) | 2026-01-22
CVE-2026-0798 | Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation | Gitea Open Source Git Server | 3.5 (AI) | Low (AI) | 2026-01-22
CVE-2026-24039 | Horilla's Improper Access Control Allows Employees to Auto-Approve Documents | horilla | 4.3 | Medium | 2026-01-22
CVE-2026-24036 | Horilla Exposes Unpublished Job Disclosures through Unauthenticated API | horilla | 5.3 | Medium | 2026-01-22
CVE-2026-24055 | Langfuse Slack OAuth Installation Endpoint Lacks Authentication, Enabling Arbitrary Project Linking | langfuse | 6.5 (AI) | Medium (AI) | 2026-01-22
CVE-2026-24035 | Horilla has Improper Access Control Issue that Allows Unauthorized Document Upload on Behalf of Another Employee | horilla | 4.3 | Medium | 2026-01-22
CVE-2025-14083 | Keycloak-server: keycloak: improper access control in admin rest api leads to information disclosure | Red Hat build of Keycloak 26.4 | 2.7 | Low | 2026-01-21
CVE-2025-14977 | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | 8.1 | High | 2026-01-20
CVE-2026-23522 | Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion | lobe-chat | 3.7 | Low | 2026-01-19
CVE-2026-23496 | Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization | pimcore | 5.4 | Medium | 2026-01-15
CVE-2026-23494 | Pimcore is Missing Function Level Authorization on "Static Routes" Listing | pimcore | 4.3 | Medium | 2026-01-15
CVE-2026-23495 | Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing | pimcore | 4.3 | Medium | 2026-01-15
CVE-2025-64516 | GLPI incorrectly authorizes access to documents | glpi | 7.5 | High | 2026-01-15
CVE-2025-61973 | Epic Games Store Security Vulnerability | Epic Games Store | 8.8 | High | 2026-01-15
CVE-2026-22909 | SICK TDC-X401GL Security Vulnerability | TDC-X401GL | 7.5 | High | 2026-01-15
CVE-2026-21889 | Weblate leaks information via screenshots | weblate | 5.3 (AI) | Medium (AI) | 2026-01-14
CVE-2025-14338 | Polkit authentication disabled by default in inputplumber | inputplumber | 8.1 (AI) | High (AI) | 2026-01-14
CVE-2026-20949 | Microsoft Excel Security Feature Bypass Vulnerability | Microsoft 365 Apps for Enterprise | 7.8 | High | 2026-01-13

Scores and severities marked (AI) are estimated by the site rather than taken from the published CVSS vector.

Vulnerabilities classified as CWE-284 (Improper Access Control) represent 2062 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.