CWE-1220
AllowedInsufficient Granularity of Access Control
Abstraction: Base · Status: Incomplete
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
176 vulnerabilities reference this CWE, most recent first.
GHSA-QHXP-2823-2PW9
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Insufficient granularity of access control in Windows Event Logging Service allows an authorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-50502"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:57Z",
"severity": "HIGH"
},
"details": "Insufficient granularity of access control in Windows Event Logging Service allows an authorized attacker to execute code over a network.",
"id": "GHSA-qhxp-2823-2pw9",
"modified": "2026-07-14T18:32:28Z",
"published": "2026-07-14T18:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50502"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50502"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QR8X-CPGM-547R
Vulnerability from github – Published: 2023-12-14 18:30 – Updated: 2023-12-14 18:30Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.
{
"affected": [],
"aliases": [
"CVE-2023-44285"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T16:15:47Z",
"severity": "HIGH"
},
"details": "\nDell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.\n\n",
"id": "GHSA-qr8x-cpgm-547r",
"modified": "2023-12-14T18:30:20Z",
"published": "2023-12-14T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44285"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRJQ-78WX-3J3X
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-35436"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:17:13Z",
"severity": "HIGH"
},
"details": "Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-qrjq-78wx-3j3x",
"modified": "2026-05-12T18:30:44Z",
"published": "2026-05-12T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35436"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35436"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R5J4-W8VQ-J3CP
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Insufficient granularity of access control in Windows Filtering Platform (WFP) allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50405"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:43Z",
"severity": "HIGH"
},
"details": "Insufficient granularity of access control in Windows Filtering Platform (WFP) allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-r5j4-w8vq-j3cp",
"modified": "2026-07-14T18:32:21Z",
"published": "2026-07-14T18:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50405"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RPPQ-5VQ8-CRRP
Vulnerability from github – Published: 2025-01-24 03:30 – Updated: 2025-02-05 21:32An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint.
{
"affected": [],
"aliases": [
"CVE-2024-11931"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-24T03:15:06Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.6.4, from 17.7 prior to 17.7.3, and from 17.8 prior to 17.8.1. Under certain conditions, it may have been possible for users with developer role to exfiltrate protected CI variables via CI lint.",
"id": "GHSA-rppq-5vq8-crrp",
"modified": "2025-02-05T21:32:34Z",
"published": "2025-01-24T03:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11931"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released/https://about.gitlab.com/releases/2025/01/22/patch-release-gitlab-17-8-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/480901"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VC7J-99JW-JRQM
Vulnerability from github – Published: 2024-07-02 21:20 – Updated: 2024-07-05 17:54aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "aimeos/ai-admin-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "2022.04.1"
},
{
"fixed": "2022.10.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "aimeos/ai-admin-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "2023.04.1"
},
{
"fixed": "2023.10.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "aimeos/ai-admin-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "2024.04.1"
},
{
"fixed": "2024.04.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39323"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-02T21:20:33Z",
"nvd_published_at": "2024-07-02T16:15:04Z",
"severity": "HIGH"
},
"details": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.\n\n",
"id": "GHSA-vc7j-99jw-jrqm",
"modified": "2024-07-05T17:54:36Z",
"published": "2024-07-02T21:20:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aimeos/ai-admin-graphql/security/advisories/GHSA-vc7j-99jw-jrqm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39323"
},
{
"type": "WEB",
"url": "https://github.com/aimeos/ai-admin-graphql/commit/2d89d98cdcad880a9244b50736b08c1a171379ca"
},
{
"type": "WEB",
"url": "https://github.com/aimeos/ai-admin-graphql/commit/54d6b7cf4530cb3b95f52775c24056c48e6d26e9"
},
{
"type": "WEB",
"url": "https://github.com/aimeos/ai-admin-graphql/commit/787028de0a3ecbf3e9f63ab1454eac99ce7693a9"
},
{
"type": "PACKAGE",
"url": "https://github.com/aimeos/ai-admin-graphql"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account"
}
GHSA-VCVR-9MWV-W2G3
Vulnerability from github – Published: 2025-08-13 18:31 – Updated: 2025-08-13 18:31An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.
{
"affected": [],
"aliases": [
"CVE-2025-2498"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T18:15:30Z",
"severity": "LOW"
},
"details": "An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.",
"id": "GHSA-vcvr-9mwv-w2g3",
"modified": "2025-08-13T18:31:25Z",
"published": "2025-08-13T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2498"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3037722"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/525515"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VFH3-25RF-469V
Vulnerability from github – Published: 2025-04-07 12:33 – Updated: 2025-04-07 12:33Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP.
{
"affected": [],
"aliases": [
"CVE-2024-33058"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T11:15:47Z",
"severity": "HIGH"
},
"details": "Memory corruption while assigning memory from the source DDR memory(HLOS) to ADSP.",
"id": "GHSA-vfh3-25rf-469v",
"modified": "2025-04-07T12:33:17Z",
"published": "2025-04-07T12:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33058"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM59-52F9-R52R
Vulnerability from github – Published: 2025-09-30 15:30 – Updated: 2025-11-05 00:31A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
{
"affected": [],
"aliases": [
"CVE-2025-7493"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T15:15:58Z",
"severity": "CRITICAL"
},
"details": "A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator\u0027s name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.",
"id": "GHSA-vm59-52f9-r52r",
"modified": "2025-11-05T00:31:29Z",
"published": "2025-09-30T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7493"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17084"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17129"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17645"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17646"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17647"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17648"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17649"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-7493"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389448"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/30/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2J6-R4XJ-RJCJ
Vulnerability from github – Published: 2026-01-09 12:32 – Updated: 2026-01-09 12:32GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
{
"affected": [],
"aliases": [
"CVE-2025-11246"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-09T10:15:44Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.",
"id": "GHSA-w2j6-r4xj-rjcj",
"modified": "2026-01-09T12:32:23Z",
"published": "2026-01-09T12:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11246"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3292475"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/573728"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
- Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
- Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.