CWE-1220
AllowedInsufficient Granularity of Access Control
Abstraction: Base · Status: Incomplete
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
176 vulnerabilities reference this CWE, most recent first.
GHSA-F83P-PG86-P922
Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:41usememos/memos 0.9.0 and prior allows an attacker to archive any user's public or private post.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4801"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T19:57:52Z",
"nvd_published_at": "2022-12-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "usememos/memos 0.9.0 and prior allows an attacker to archive any user\u0027s public or private post.",
"id": "GHSA-f83p-pg86-p922",
"modified": "2023-01-10T15:41:37Z",
"published": "2022-12-28T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4801"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/b0795261-0f97-4f0b-be44-9dc079e01593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "usememos/memos has Insufficient Granularity of Access Control"
}
GHSA-FHCH-V2X2-XM9C
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 09:30ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.
{
"affected": [],
"aliases": [
"CVE-2025-54461"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T09:15:34Z",
"severity": "MODERATE"
},
"details": "ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.",
"id": "GHSA-fhch-v2x2-xm9c",
"modified": "2025-10-16T09:30:25Z",
"published": "2025-10-16T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54461"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN13030751"
},
{
"type": "WEB",
"url": "https://www.chatluck.com/support/package/mainte/pchatluck-%e8%a3%bd%e5%93%81%e3%81%ab%e3%81%8a%e3%81%91%e3%82%8b%e3%80%81%e8%a4%87%e6%95%b0%e3%81%ae%e3%82%bb%e3%82%ad%e3%83%a5%e3%83%aa%e3%83%86%e3%82%a3%e4%b8%8a%e3%81%ae%e5%95%8f%e9%a1%8c%e3%81%ab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FJCX-F2HR-QJJR
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
{
"affected": [],
"aliases": [
"CVE-2025-48514"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T20:16:45Z",
"severity": "MODERATE"
},
"details": "Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.",
"id": "GHSA-fjcx-f2hr-qjjr",
"modified": "2026-02-10T21:31:31Z",
"published": "2026-02-10T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48514"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3023.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FWHJ-J6CR-5QW4
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2025-11-04 21:31IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.
{
"affected": [],
"aliases": [
"CVE-2023-43040"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T13:46:23Z",
"severity": "MODERATE"
},
"details": "IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.",
"id": "GHSA-fwhj-j6cr-5qw4",
"modified": "2025-11-04T21:31:29Z",
"published": "2024-05-14T15:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43040"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/266807"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00025.html"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7151040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G7HC-WVJ4-V52X
Vulnerability from github – Published: 2025-11-05 17:48 – Updated: 2025-11-05 17:48A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device.
This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords that are normally not visible to read-only administrators.
{
"affected": [],
"aliases": [
"CVE-2025-20305"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-05T17:15:37Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device.\n\n This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords that are normally not visible to read-only administrators.",
"id": "GHSA-g7hc-wvj4-v52x",
"modified": "2025-11-05T17:48:28Z",
"published": "2025-11-05T17:48:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20305"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multiple-vulns-O9BESWJH"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G94W-VC32-H449
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-14 18:31Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.
{
"affected": [],
"aliases": [
"CVE-2024-13272"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:36Z",
"severity": "MODERATE"
},
"details": "Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.",
"id": "GHSA-g94w-vc32-h449",
"modified": "2025-01-14T18:31:55Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13272"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GGF6-638M-VQMG
Vulnerability from github – Published: 2022-09-15 03:34 – Updated: 2023-06-27 22:21Impact
Improper Authorization functions leads to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who whould not have admin privileges, they could use their auth token to run admin-level functions via the API.
In addition, differing response codes based on function calls allowed non-users to potentially brute force the determination of names of networks on the system.
Patches
This problem has been patched in v0.15.1. To apply:
- docker-compose down
- docker pull gravitl/netmaker:v0.15.1
- docker-compose up -d
For more information
If you have any questions or comments about this advisory:
Email us at info@netmaker.io This vulnerability was brought to our attention by @tweidinger
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36110"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:34:21Z",
"nvd_published_at": "2022-09-09T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nImproper Authorization functions leads to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who whould not have admin privileges, they could use their auth token to run admin-level functions via the API.\n\nIn addition, differing response codes based on function calls allowed non-users to potentially brute force the determination of names of networks on the system.\n\n### Patches\nThis problem has been patched in v0.15.1. To apply:\n\n1. docker-compose down\n2. docker pull gravitl/netmaker:v0.15.1\n3. docker-compose up -d\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nEmail us at [info@netmaker.io](mailto:info@netmaker.io)\nThis vulnerability was brought to our attention by @tweidinger",
"id": "GHSA-ggf6-638m-vqmg",
"modified": "2023-06-27T22:21:05Z",
"published": "2022-09-15T03:34:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36110"
},
{
"type": "PACKAGE",
"url": "https://github.com/gravitl/netmaker"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Netmaker vulnerable to Insufficient Granularity of Access Control"
}
GHSA-GV9W-2WPQ-7538
Vulnerability from github – Published: 2026-02-25 18:31 – Updated: 2026-02-25 18:31A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. To exploit this vulnerability, the attacker must have valid user credentials and any role that includes CLI access.
This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by issuing crafted commands at the CLI prompt. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2026-20107"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T17:25:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. To exploit this vulnerability, the attacker must have valid user credentials and any role that includes CLI access.\n\nThis vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by issuing crafted commands at the CLI prompt. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.",
"id": "GHSA-gv9w-2wpq-7538",
"modified": "2026-02-25T18:31:38Z",
"published": "2026-02-25T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20107"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-dos-rNus8EFw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GXH8-W3X9-26PQ
Vulnerability from github – Published: 2024-03-13 03:31 – Updated: 2024-03-13 03:31The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.
{
"affected": [],
"aliases": [
"CVE-2024-2412"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T03:15:06Z",
"severity": "MODERATE"
},
"details": "The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.",
"id": "GHSA-gxh8-w3x9-26pq",
"modified": "2024-03-13T03:31:06Z",
"published": "2024-03-13T03:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2412"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7696-0951f-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HGXW-5XV9-C3CC
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-40365"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:17:15Z",
"severity": "HIGH"
},
"details": "Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.",
"id": "GHSA-hgxw-5xv9-c3cc",
"modified": "2026-05-12T18:30:44Z",
"published": "2026-05-12T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40365"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
- Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.