CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-HQQV-9X3V-MP7W
Vulnerability from github – Published: 2021-03-18 19:27 – Updated: 2021-03-16 16:31The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0"
},
{
"fixed": "6.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7014"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-16T16:31:12Z",
"nvd_published_at": "2020-06-03T18:15:00Z",
"severity": "MODERATE"
},
"details": "The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.",
"id": "GHSA-hqqv-9x3v-mp7w",
"modified": "2021-03-16T16:31:12Z",
"published": "2021-03-18T19:27:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7014"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200619-0003"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Privilege Escalation Flaw in Elasticsearch"
}
GHSA-HR5R-CGX8-R3QW
Vulnerability from github – Published: 2026-06-21 09:30 – Updated: 2026-06-21 09:30A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to 9.76. Affected by this issue is some unknown functionality in the library bootpt64.sys of the component Kernel Driver. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-12786"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-21T09:16:25Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to 9.76. Affected by this issue is some unknown functionality in the library bootpt64.sys of the component Kernel Driver. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-hr5r-cgx8-r3qw",
"modified": "2026-06-21T09:30:51Z",
"published": "2026-06-21T09:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12786"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-12786"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/835614"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/372528"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/372528/cti"
},
{
"type": "WEB",
"url": "https://winslow1984.com/books/cve-collection/page/ultraiso-premium-976-kernel-driver-bootpt64sys-local-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HR68-HVGV-XXQF
Vulnerability from github – Published: 2024-12-20 03:30 – Updated: 2024-12-20 15:05Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-12678"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-20T15:05:17Z",
"nvd_published_at": "2024-12-20T02:15:05Z",
"severity": "MODERATE"
},
"details": "Nomad Community and Nomad Enterprise (\"Nomad\") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.",
"id": "GHSA-hr68-hvgv-xxqf",
"modified": "2024-12-20T15:05:17Z",
"published": "2024-12-20T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12678"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/nomad/commit/359a71861ef044cb5d749a36ff0e44b172c8f1a6"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-29-nomad-allocations-vulnerable-to-privilege-escalation-within-a-namespace-using-unredacted-workload-identity-token/72119"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/nomad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hashicorp Nomad Incorrect Privilege Assignment vulnerability"
}
GHSA-HRGC-CVJX-7MFP
Vulnerability from github – Published: 2025-07-10 00:31 – Updated: 2025-07-10 00:31An incorrect privilege assignment vulnerability in Palo Alto Networks Autonomous Digital Experience Manager allows a locally authenticated low privileged user on macOS endpoints to escalate their privileges to root.
{
"affected": [],
"aliases": [
"CVE-2025-0139"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-09T23:15:24Z",
"severity": "MODERATE"
},
"details": "An incorrect privilege assignment vulnerability in Palo Alto Networks Autonomous Digital Experience Manager allows a locally authenticated low privileged user on macOS endpoints to escalate their privileges to root.",
"id": "GHSA-hrgc-cvjx-7mfp",
"modified": "2025-07-10T00:31:55Z",
"published": "2025-07-10T00:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0139"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2025-0139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-HRH8-RVCH-7HH9
Vulnerability from github – Published: 2025-10-28 15:30 – Updated: 2026-04-23 18:31A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster.
TrustyAI is creating a role trustyai-service-operator-lmeval-user-role and a CRB trustyai-service-operator-default-lmeval-user-rolebinding which is being applied to system:authenticated making it so that every single user or service account can get a list of pods running in any namespace on the cluster
Additionally users can access all persistentvolumeclaims and lmevaljobs
{
"affected": [],
"aliases": [
"CVE-2025-12103"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T14:15:55Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster.\n\nTrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster \n\nAdditionally users can access all `persistentvolumeclaims` and `lmevaljobs`",
"id": "GHSA-hrh8-rvch-7hh9",
"modified": "2026-04-23T18:31:32Z",
"published": "2025-10-28T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12103"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21117"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10184"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-12103"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405966"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HW72-FMXV-278R
Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 15:30A improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to escalation of privilege via specific shell commands
{
"affected": [],
"aliases": [
"CVE-2024-33503"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T14:15:29Z",
"severity": "MODERATE"
},
"details": "A improper privilege management in Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to escalation of privilege via specific shell commands",
"id": "GHSA-hw72-fmxv-278r",
"modified": "2025-01-14T15:30:52Z",
"published": "2025-01-14T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33503"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWM7-RR3P-6982
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Editor Privilege Escalation in AI Engine <= 3.4.9 versions.
{
"affected": [],
"aliases": [
"CVE-2026-27407"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:16:41Z",
"severity": "HIGH"
},
"details": "Editor Privilege Escalation in AI Engine \u003c= 3.4.9 versions.",
"id": "GHSA-hwm7-rr3p-6982",
"modified": "2026-06-15T21:30:43Z",
"published": "2026-06-15T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27407"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-4-9-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWVM-HRP8-HMQ8
Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2026-04-01 18:31Improper Privilege Management vulnerability in Hamid Alinia – idehweb Login with phone number allows Privilege Escalation.This issue affects Login with phone number: from n/a through 1.7.16.
{
"affected": [],
"aliases": [
"CVE-2024-32507"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T09:15:36Z",
"severity": "HIGH"
},
"details": "Improper Privilege Management vulnerability in Hamid Alinia \u2013 idehweb Login with phone number allows Privilege Escalation.This issue affects Login with phone number: from n/a through 1.7.16.",
"id": "GHSA-hwvm-hrp8-hmq8",
"modified": "2026-04-01T18:31:47Z",
"published": "2024-05-17T09:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32507"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/login-with-phone-number/vulnerability/wordpress-login-with-phone-number-plugin-1-7-16-privilege-escalation-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/login-with-phone-number/wordpress-login-with-phone-number-plugin-1-7-16-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HX2Q-32G5-49FM
Vulnerability from github – Published: 2024-11-20 18:32 – Updated: 2024-11-20 18:32A vulnerability classified as critical was found in Code4Berry Decoration Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /decoration/admin/update_image.php of the component User Image Handler. The manipulation of the argument productimage1 leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-11484"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-20T16:15:19Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical was found in Code4Berry Decoration Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /decoration/admin/update_image.php of the component User Image Handler. The manipulation of the argument productimage1 leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-hx2q-32g5-49fm",
"modified": "2024-11-20T18:32:17Z",
"published": "2024-11-20T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11484"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.285499"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.285499"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.441913"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J363-JRWQ-XW9C
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
{
"affected": [],
"aliases": [
"CVE-2026-56247"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:29Z",
"severity": "HIGH"
},
"details": "Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.",
"id": "GHSA-j363-jrwq-xw9c",
"modified": "2026-07-01T00:34:12Z",
"published": "2026-07-01T00:34:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-55q2-p3m2-x66x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56247"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/capgo-privilege-escalation-via-cross-scope-rbac-role-assignment"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.