CWE-1220
AllowedInsufficient Granularity of Access Control
Abstraction: Base · Status: Incomplete
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
176 vulnerabilities reference this CWE, most recent first.
GHSA-59XF-77X2-PV8F
Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-48581"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:16:50Z",
"severity": "HIGH"
},
"details": "Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-59xf-77x2-pv8f",
"modified": "2026-07-14T18:31:59Z",
"published": "2026-07-14T18:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48581"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48581"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GR5-VWJ6-RQ22
Vulnerability from github – Published: 2025-04-03 18:30 – Updated: 2025-04-03 18:30Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.
{
"affected": [],
"aliases": [
"CVE-2025-29987"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-03T16:15:36Z",
"severity": "HIGH"
},
"details": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.",
"id": "GHSA-5gr5-vwj6-rq22",
"modified": "2025-04-03T18:30:58Z",
"published": "2025-04-03T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29987"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000300899/dsa-2025-139-dell-technologies-powerprotect-data-domain-security-update-for-a-security-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5QQ8-H7QH-PHFJ
Vulnerability from github – Published: 2026-07-03 18:31 – Updated: 2026-07-03 18:31A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.
{
"affected": [],
"aliases": [
"CVE-2026-14615"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T16:16:55Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak\u0027s administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller\u0027s specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.",
"id": "GHSA-5qq8-h7qh-phfj",
"modified": "2026-07-03T18:31:06Z",
"published": "2026-07-03T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14615"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-14615"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496891"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5R39-9H33-Q5XR
Vulnerability from github – Published: 2025-02-20 00:32 – Updated: 2025-02-20 00:32The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.
{
"affected": [],
"aliases": [
"CVE-2024-6696"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T00:15:19Z",
"severity": "MODERATE"
},
"details": "The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220)\u00a0\n\n\n\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content\n\n\n\n\n\n\n\u00a0An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.",
"id": "GHSA-5r39-9h33-q5xr",
"modified": "2025-02-20T00:32:05Z",
"published": "2025-02-20T00:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6696"
},
{
"type": "WEB",
"url": "https://support.pentaho.com/hc/en-us/articles/34296877157517--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insufficient-Granularity-of-Access-Control-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6696"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-648G-6726-528F
Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-15 03:30Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2024-21962"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T03:16:20Z",
"severity": "HIGH"
},
"details": "Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.",
"id": "GHSA-648g-6726-528f",
"modified": "2026-05-15T03:30:36Z",
"published": "2026-05-15T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21962"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4016.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-69W4-P3C2-PWC7
Vulnerability from github – Published: 2024-05-16 21:31 – Updated: 2024-05-16 21:31Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-40070"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:15:53Z",
"severity": "HIGH"
},
"details": "Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-69w4-p3c2-pwc7",
"modified": "2024-05-16T21:31:59Z",
"published": "2024-05-16T21:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40070"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01037.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6G26-7CX5-MRRG
Vulnerability from github – Published: 2026-06-05 09:33 – Updated: 2026-06-26 09:30A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-9088"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T08:16:30Z",
"severity": "LOW"
},
"details": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
"id": "GHSA-6g26-7cx5-mrrg",
"modified": "2026-06-26T09:30:46Z",
"published": "2026-06-05T09:33:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6H98-C266-Q7CR
Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-09-24 00:30Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows® system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-21971"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T00:15:08Z",
"severity": "MODERATE"
},
"details": "Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows\u00ae system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.",
"id": "GHSA-6h98-c266-q7cr",
"modified": "2025-09-24T00:30:40Z",
"published": "2025-02-12T00:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21971"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JJP-3PP9-H253
Vulnerability from github – Published: 2024-03-19 18:31 – Updated: 2024-03-19 18:31Insufficient Granularity of Access Control vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.
{
"affected": [],
"aliases": [
"CVE-2023-32259"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-19T16:15:07Z",
"severity": "MODERATE"
},
"details": "Insufficient Granularity of Access Control vulnerability in OpenText\u2122 Service Management Automation X (SMAX), OpenText\u2122 Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.\n\n",
"id": "GHSA-6jjp-3pp9-h253",
"modified": "2024-03-19T18:31:59Z",
"published": "2024-03-19T18:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32259"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000018803?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7JM2-G593-4QRC
Vulnerability from github – Published: 2026-04-25 23:51 – Updated: 2026-04-25 23:51Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
The agent-facing gateway config.patch / config.apply guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.
This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.
Fix
OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.
Fix commit:
fe30b31a97a917ecc6e92f6c85378b6b20352422
Release
Fixed in OpenClaw 2026.4.20.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:51:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.\n\nThis is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.\n\n## Fix\n\nOpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.\n\nFix commit:\n\n- `fe30b31a97a917ecc6e92f6c85378b6b20352422`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
"id": "GHSA-7jm2-g593-4qrc",
"modified": "2026-04-25T23:51:11Z",
"published": "2026-04-25T23:51:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Agent gateway config mutations could change protected operator settings"
}
Mitigation
- Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
- Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.