Common Weakness Enumeration

CWE-1220

Allowed

Insufficient Granularity of Access Control

Abstraction: Base · Status: Incomplete

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

176 vulnerabilities reference this CWE, most recent first.

GHSA-F83P-PG86-P922

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:41
VLAI
Summary
usememos/memos has Insufficient Granularity of Access Control
Details

usememos/memos 0.9.0 and prior allows an attacker to archive any user's public or private post.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T19:57:52Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "usememos/memos 0.9.0 and prior allows an attacker to archive any user\u0027s public or private post.",
  "id": "GHSA-f83p-pg86-p922",
  "modified": "2023-01-10T15:41:37Z",
  "published": "2022-12-28T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b0795261-0f97-4f0b-be44-9dc079e01593"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos has Insufficient Granularity of Access Control"
}

GHSA-FHCH-V2X2-XM9C

Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-10-16 09:30
VLAI
Details

ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T09:15:34Z",
    "severity": "MODERATE"
  },
  "details": "ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.",
  "id": "GHSA-fhch-v2x2-xm9c",
  "modified": "2025-10-16T09:30:25Z",
  "published": "2025-10-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54461"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN13030751"
    },
    {
      "type": "WEB",
      "url": "https://www.chatluck.com/support/package/mainte/pchatluck-%e8%a3%bd%e5%93%81%e3%81%ab%e3%81%8a%e3%81%91%e3%82%8b%e3%80%81%e8%a4%87%e6%95%b0%e3%81%ae%e3%82%bb%e3%82%ad%e3%83%a5%e3%83%aa%e3%83%86%e3%82%a3%e4%b8%8a%e3%81%ae%e5%95%8f%e9%a1%8c%e3%81%ab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FJCX-F2HR-QJJR

Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31
VLAI
Details

Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T20:16:45Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.",
  "id": "GHSA-fjcx-f2hr-qjjr",
  "modified": "2026-02-10T21:31:31Z",
  "published": "2026-02-10T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48514"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FWHJ-J6CR-5QW4

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2025-11-04 21:31
VLAI
Details

IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T13:46:23Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access.  IBM X-Force ID:  266807.",
  "id": "GHSA-fwhj-j6cr-5qw4",
  "modified": "2025-11-04T21:31:29Z",
  "published": "2024-05-14T15:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43040"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/266807"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7151040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7HC-WVJ4-V52X

Vulnerability from github – Published: 2025-11-05 17:48 – Updated: 2025-11-05 17:48
VLAI
Details

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device.

This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords that are normally not visible to read-only administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-05T17:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device.\n\n This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords that are normally not visible to read-only administrators.",
  "id": "GHSA-g7hc-wvj4-v52x",
  "modified": "2025-11-05T17:48:28Z",
  "published": "2025-11-05T17:48:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20305"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multiple-vulns-O9BESWJH"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G94W-VC32-H449

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-14 18:31
VLAI
Details

Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:36Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Granularity of Access Control vulnerability in Drupal Paragraphs table allows Content Spoofing.This issue affects Paragraphs table: from 0.0.0 before 1.23.0, from 2.0.0 before 2.0.2.",
  "id": "GHSA-g94w-vc32-h449",
  "modified": "2025-01-14T18:31:55Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13272"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GGF6-638M-VQMG

Vulnerability from github – Published: 2022-09-15 03:34 – Updated: 2023-06-27 22:21
VLAI
Summary
Netmaker vulnerable to Insufficient Granularity of Access Control
Details

Impact

Improper Authorization functions leads to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who whould not have admin privileges, they could use their auth token to run admin-level functions via the API.

In addition, differing response codes based on function calls allowed non-users to potentially brute force the determination of names of networks on the system.

Patches

This problem has been patched in v0.15.1. To apply:

  1. docker-compose down
  2. docker pull gravitl/netmaker:v0.15.1
  3. docker-compose up -d

For more information

If you have any questions or comments about this advisory:

Email us at info@netmaker.io This vulnerability was brought to our attention by @tweidinger

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:34:21Z",
    "nvd_published_at": "2022-09-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nImproper Authorization functions leads to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who whould not have admin privileges, they could use their auth token to run admin-level functions via the API.\n\nIn addition, differing response codes based on function calls allowed non-users to potentially brute force the determination of names of networks on the system.\n\n### Patches\nThis problem has been patched in v0.15.1. To apply:\n\n1. docker-compose down\n2. docker pull gravitl/netmaker:v0.15.1\n3. docker-compose up -d\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nEmail us at [info@netmaker.io](mailto:info@netmaker.io)\nThis vulnerability was brought to our attention by @tweidinger",
  "id": "GHSA-ggf6-638m-vqmg",
  "modified": "2023-06-27T22:21:05Z",
  "published": "2022-09-15T03:34:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36110"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gravitl/netmaker"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netmaker vulnerable to Insufficient Granularity of Access Control"
}

GHSA-GV9W-2WPQ-7538

Vulnerability from github – Published: 2026-02-25 18:31 – Updated: 2026-02-25 18:31
VLAI
Details

A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. To exploit this vulnerability, the attacker must have valid user credentials and any role that includes CLI access.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by issuing crafted commands at the CLI prompt. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T17:25:27Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. To exploit this vulnerability, the attacker must have valid user credentials and any role that includes CLI access.\n\nThis vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by issuing crafted commands at the CLI prompt. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.",
  "id": "GHSA-gv9w-2wpq-7538",
  "modified": "2026-02-25T18:31:38Z",
  "published": "2026-02-25T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20107"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-dos-rNus8EFw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GXH8-W3X9-26PQ

Vulnerability from github – Published: 2024-03-13 03:31 – Updated: 2024-03-13 03:31
VLAI
Details

The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-13T03:15:06Z",
    "severity": "MODERATE"
  },
  "details": "The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled.",
  "id": "GHSA-gxh8-w3x9-26pq",
  "modified": "2024-03-13T03:31:06Z",
  "published": "2024-03-13T03:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2412"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7696-0951f-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HGXW-5XV9-C3CC

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30
VLAI
Details

Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T18:17:15Z",
    "severity": "HIGH"
  },
  "details": "Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.",
  "id": "GHSA-hgxw-5xv9-c3cc",
  "modified": "2026-05-12T18:30:44Z",
  "published": "2026-05-12T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40365"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation Testing
  • Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
  • Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.