CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5445 vulnerabilities reference this CWE, most recent first.
GHSA-WMQ9-769V-MQMC
Vulnerability from github – Published: 2024-05-07 21:31 – Updated: 2024-07-03 18:39In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-0024"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T21:15:08Z",
"severity": "HIGH"
},
"details": "In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-wmq9-769v-mqmc",
"modified": "2024-07-03T18:39:45Z",
"published": "2024-05-07T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0024"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/6a9250ec7fc9801a883cedd7860076f42fb518ac"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMW3-3FV3-H54W
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:10Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without requiring the current password and also resulting in registered users able to disable the per-user-IP-pinning in the session validator which is meant to detect hijacking.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8327"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T21:10:52Z",
"nvd_published_at": "2026-05-21T22:16:50Z",
"severity": "MODERATE"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.\u00a0The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without requiring the current password\u00a0 and also resulting in registered users able to disable the per-user-IP-pinning in the session validator which is meant to detect hijacking.",
"id": "GHSA-wmw3-3fv3-h54w",
"modified": "2026-06-24T21:10:52Z",
"published": "2026-05-22T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8327"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS has a session-hardening bypass and allows password change without reauthorization"
}
GHSA-WMWR-9CJ7-XRGF
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account.
{
"affected": [],
"aliases": [
"CVE-2020-12242"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-27T15:15:00Z",
"severity": "HIGH"
},
"details": "Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account.",
"id": "GHSA-wmwr-9cj7-xrgf",
"modified": "2024-04-04T02:50:20Z",
"published": "2022-05-24T17:16:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12242"
},
{
"type": "WEB",
"url": "https://0xem.ma/cve/2020/04/28/Source-hl2-relaunch-exec.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP2J-2549-FWHP
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
{
"affected": [],
"aliases": [
"CVE-2020-8223"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-05T14:15:00Z",
"severity": "MODERATE"
},
"details": "A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.",
"id": "GHSA-wp2j-2549-fwhp",
"modified": "2022-05-24T17:30:06Z",
"published": "2022-05-24T17:30:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8223"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/889243"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7FX3O6SJE2S52I2HAA4DSTUIISP5BNA"
},
{
"type": "WEB",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-029"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WP38-8HXJ-7V28
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory, aka 'Windows Client License Service Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-0701"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T22:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists in the way that the Windows Client License Service (ClipSVC) handles objects in memory, aka \u0027Windows Client License Service Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-wp38-8hxj-7v28",
"modified": "2022-05-24T17:08:28Z",
"published": "2022-05-24T17:08:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0701"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0701"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WP7F-392C-HJ4C
Vulnerability from github – Published: 2026-02-15 06:31 – Updated: 2026-02-15 06:31The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.
{
"affected": [],
"aliases": [
"CVE-2026-1750"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-15T04:15:54Z",
"severity": "HIGH"
},
"details": "The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the \u0027save_custom_user_profile_fields\u0027 function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the \u0027ec_store_admin_access\u0027 parameter during a profile update and gain store manager access to the site.",
"id": "GHSA-wp7f-392c-hj4c",
"modified": "2026-02-15T06:31:35Z",
"published": "2026-02-15T06:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1750"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/ecwid-shopping-cart/tags/7.0.7/includes/class-ec-store-admin-access.php#L28"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3460721/ecwid-shopping-cart#file2"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d29f77c-b86d-4058-b528-27631e8a1f2e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP84-35M6-8R5H
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2024-09-11 21:30A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.
{
"affected": [],
"aliases": [
"CVE-2023-43506"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-25T18:17:31Z",
"severity": "HIGH"
},
"details": "A vulnerability in the ClearPass OnGuard Linux agent could\u00a0allow malicious users on a Linux instance to elevate their\u00a0user privileges to those of a higher role. A successful\u00a0exploit allows malicious users to execute arbitrary code\u00a0with root level privileges on the Linux instance.",
"id": "GHSA-wp84-35m6-8r5h",
"modified": "2024-09-11T21:30:35Z",
"published": "2023-10-25T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43506"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPC2-299V-98F6
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.
{
"affected": [],
"aliases": [
"CVE-2019-9745"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-14T15:15:00Z",
"severity": "HIGH"
},
"details": "CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.",
"id": "GHSA-wpc2-299v-98f6",
"modified": "2024-04-04T02:26:17Z",
"published": "2022-05-24T16:58:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9745"
},
{
"type": "WEB",
"url": "https://github.com/KPN-CISO/CVE-2019-9745/blob/master/README.md"
},
{
"type": "WEB",
"url": "https://www.cloudcti.nl/Site/Security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPG9-4G4V-F9RC
Vulnerability from github – Published: 2026-03-03 21:32 – Updated: 2026-04-24 20:58Summary
In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.
This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.
Security model note
OpenClaw’s documented trust model is a personal assistant model (one trusted operator), not an adversarial multi-user boundary.
- OpenClaw does not treat one shared gateway/chat surface as a hardened per-user auth boundary.
- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.
This report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.
Details
Relevant path:
1. Voice transcript run omitted senderIsOwner in Discord voice manager.
2. Missing senderIsOwner defaulted to true in agentCommand.
3. Owner-only tool policy is keyed on senderIsOwner.
4. gateway and cron are owner-only tools.
Impact
- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.
- No gateway-auth boundary bypass was required.
- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).
Severity rationale
Downgraded from high to medium to align with OpenClaw’s trust model and deployment assumptions: - Requires participation in the same voice environment as the trusted operator workflow. - Requires Discord voice path conditions (joined voice channel + transcript flow). - Does not introduce a new cross-gateway or unauthenticated boundary bypass.
Remediation
- Always pass explicit
senderIsOwnerfrom Discord voice transcript ingress. - Fail closed (
false) when owner status is unknown for non-local/chat ingress paths. - Keep regression tests that verify owner/non-owner voice speaker handling.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.1 - Patched versions:
>= 2026.3.2(released)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32035"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:32:25Z",
"nvd_published_at": "2026-03-19T22:16:39Z",
"severity": "MODERATE"
},
"details": "### Summary\nIn `openclaw@2026.3.1`, the Discord voice transcript path called `agentCommand(...)` without `senderIsOwner`, and `agentCommand` defaults missing `senderIsOwner` to `true`.\n\nThis could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (`gateway`, `cron`) during voice transcript turns.\n\n### Security model note\nOpenClaw\u2019s documented trust model is a **personal assistant** model (one trusted operator), not an adversarial multi-user boundary.\n\n- OpenClaw does **not** treat one shared gateway/chat surface as a hardened per-user auth boundary.\n- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.\n\nThis report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.\n\n### Details\nRelevant path:\n1. Voice transcript run omitted `senderIsOwner` in Discord voice manager.\n2. Missing `senderIsOwner` defaulted to `true` in `agentCommand`.\n3. Owner-only tool policy is keyed on `senderIsOwner`.\n4. `gateway` and `cron` are owner-only tools.\n\n### Impact\n- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.\n- No gateway-auth boundary bypass was required.\n- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).\n\n### Severity rationale\nDowngraded from high to **medium** to align with OpenClaw\u2019s trust model and deployment assumptions:\n- Requires participation in the same voice environment as the trusted operator workflow.\n- Requires Discord voice path conditions (joined voice channel + transcript flow).\n- Does not introduce a new cross-gateway or unauthenticated boundary bypass.\n\n### Remediation\n- Always pass explicit `senderIsOwner` from Discord voice transcript ingress.\n- Fail closed (`false`) when owner status is unknown for non-local/chat ingress paths.\n- Keep regression tests that verify owner/non-owner voice speaker handling.\n\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.1`\n- Patched versions: `\u003e= 2026.3.2` (released)",
"id": "GHSA-wpg9-4g4v-f9rc",
"modified": "2026-04-24T20:58:59Z",
"published": "2026-03-03T21:32:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32035"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels"
}
GHSA-WPGR-JVP4-G62H
Vulnerability from github – Published: 2024-08-12 21:31 – Updated: 2024-08-13 21:31An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.
{
"affected": [],
"aliases": [
"CVE-2023-48171"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T20:15:08Z",
"severity": "HIGH"
},
"details": "An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.",
"id": "GHSA-wpgr-jvp4-g62h",
"modified": "2024-08-13T21:31:55Z",
"published": "2024-08-12T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48171"
},
{
"type": "WEB",
"url": "https://gccybermonks.com/posts/defectdojo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.