CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5433 vulnerabilities reference this CWE, most recent first.
GHSA-XW65-87W9-V79C
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-07-13 00:01There is a local privilege escalation vulnerability in some versions of ManageOne. A local authenticated attacker could perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege and compromise the service.
{
"affected": [],
"aliases": [
"CVE-2021-22314"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-22T20:15:00Z",
"severity": "HIGH"
},
"details": "There is a local privilege escalation vulnerability in some versions of ManageOne. A local authenticated attacker could perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher privilege and compromise the service.",
"id": "GHSA-xw65-87w9-v79c",
"modified": "2022-07-13T00:01:09Z",
"published": "2022-05-24T17:45:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22314"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210218-01-privilege-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XW77-45GV-P728
Vulnerability from github – Published: 2026-03-13 15:47 – Updated: 2026-04-06 22:49Summary
In affected versions of openclaw, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using auth: "plugin" could therefore trigger admin-only gateway actions without normal gateway authorization.
Impact
This is a critical authorization bypass. An external unauthenticated request to a plugin-owned route could reach privileged subagent runtime methods and perform admin-only gateway actions such as deleting sessions, reading session data, or triggering agent execution.
Affected Packages and Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.3.7, < 2026.3.11 - Fixed in:
2026.3.11
Technical Details
The new plugin subagent runtime preserved neither the original caller's auth context nor least-privilege scope. Instead, it executed gateway dispatches through a fabricated operator client with administrative scopes, which was reachable from plugin-owned routes that intentionally bypass normal gateway auth so plugins can perform their own webhook verification.
Fix
OpenClaw now preserves real authorization boundaries for plugin subagent calls instead of dispatching them through synthetic admin scopes. The fix shipped in openclaw@2026.3.11.
Workarounds
Upgrade to 2026.3.11 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2026.3.7"
},
{
"fixed": "2026.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32916"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T15:47:23Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\nIn affected versions of `openclaw`, the plugin subagent runtime dispatched gateway methods through a synthetic operator client that always carried broad administrative scopes. Plugin-owned HTTP routes using `auth: \"plugin\"` could therefore trigger admin-only gateway actions without normal gateway authorization.\n\n## Impact\nThis is a critical authorization bypass. An external unauthenticated request to a plugin-owned route could reach privileged subagent runtime methods and perform admin-only gateway actions such as deleting sessions, reading session data, or triggering agent execution.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003e= 2026.3.7, \u003c 2026.3.11`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe new plugin subagent runtime preserved neither the original caller\u0027s auth context nor least-privilege scope. Instead, it executed gateway dispatches through a fabricated operator client with administrative scopes, which was reachable from plugin-owned routes that intentionally bypass normal gateway auth so plugins can perform their own webhook verification.\n\n## Fix\nOpenClaw now preserves real authorization boundaries for plugin subagent calls instead of dispatching them through synthetic admin scopes. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.",
"id": "GHSA-xw77-45gv-p728",
"modified": "2026-04-06T22:49:26Z",
"published": "2026-03-13T15:47:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xw77-45gv-p728"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32916"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-plugin-subagent-routes-via-synthetic-admin-scopes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes"
}
GHSA-XW9R-PWV2-2PXF
Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-22 00:00Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core Only) AJAX actions
{
"affected": [],
"aliases": [
"CVE-2022-1654"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-13T14:15:00Z",
"severity": "HIGH"
},
"details": "Jupiter Theme \u003c= 6.10.1 and JupiterX Core Plugin \u003c= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the \"abb_uninstall_template\" (both) and \"jupiterx_core_cp_uninstall_template\" (JupiterX Core Only) AJAX actions",
"id": "GHSA-xw9r-pwv2-2pxf",
"modified": "2022-06-22T00:00:48Z",
"published": "2022-06-14T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1654"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWGG-M7FX-83WX
Vulnerability from github – Published: 2025-05-19 19:12 – Updated: 2025-05-19 19:12A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed.
Am I Vulnerable?
This CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.
Affected Components
gardener/external-dns-management
Affected Versions
- < 0.23.6
Fixed Versions
- >= 0.23.6
Important
The external-dns-management component may also be deployed on the seeds by the https://github.com/gardener/gardener-extension-shoot-dns-service extension when the extension is enabled. In this case, all versions of the shoot-dns-service extension <= v1.60.0 are affected by this vulnerability.
How do I mitigate this vulnerability?
Update to a fixed version.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gardener/external-dns-management"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.23.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/gardener/gardener-extension-shoot-dns-service"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47282"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T19:12:48Z",
"nvd_published_at": "2025-05-19T18:15:30Z",
"severity": "CRITICAL"
},
"details": "A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed.\n\n### Am I Vulnerable?\n\nThis CVE affects all Gardener installations no matter of the public cloud provider(s) used for the seed clusters/shoot clusters.\n\n### Affected Components\n\n- `gardener/external-dns-management`\n\n### Affected Versions\n\n- \u003c 0.23.6\n\n### Fixed Versions\n\n- \u0026gt;= 0.23.6\n\n### Important\n\nThe `external-dns-management` component may also be deployed on the seeds by the https://github.com/gardener/gardener-extension-shoot-dns-service extension when the extension is enabled. In this case, all versions of the `shoot-dns-service` extension `\u003c= v1.60.0` are affected by this vulnerability.\n\n### How do I mitigate this vulnerability?\n\nUpdate to a fixed version.",
"id": "GHSA-xwgg-m7fx-83wx",
"modified": "2025-05-19T19:12:48Z",
"published": "2025-05-19T19:12:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gardener/external-dns-management/security/advisories/GHSA-xwgg-m7fx-83wx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47282"
},
{
"type": "PACKAGE",
"url": "https://github.com/gardener/external-dns-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Gardener External DNS Management allows malicious google credential in DNS secret to lead to privilege escalation"
}
GHSA-XWJC-4JXH-J5P8
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:32Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693.
{
"affected": [],
"aliases": [
"CVE-2021-1652"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688, CVE-2021-1693.",
"id": "GHSA-xwjc-4jxh-j5p8",
"modified": "2024-10-08T18:32:56Z",
"published": "2022-05-24T17:38:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1652"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1652"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1652"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWRR-GVQM-J58V
Vulnerability from github – Published: 2024-04-05 21:32 – Updated: 2025-02-27 21:31In pblS2mpuResume of s2mpu.c, there is a possible mitigation bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-29741"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-05T20:15:08Z",
"severity": "HIGH"
},
"details": "In pblS2mpuResume of s2mpu.c, there is a possible mitigation bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-xwrr-gvqm-j58v",
"modified": "2025-02-27T21:31:56Z",
"published": "2024-04-05T21:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29741"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2024-04-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWVV-WRQP-XGJ5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Protection mechanism failure in Intel(R) Ethernet 700 Series Controllers before version 7.3 may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2020-8690"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Protection mechanism failure in Intel(R) Ethernet 700 Series Controllers before version 7.3 may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.",
"id": "GHSA-xwvv-wrqp-xgj5",
"modified": "2022-05-24T17:34:10Z",
"published": "2022-05-24T17:34:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8690"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00380"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XWW4-W6FF-5Q3G
Vulnerability from github – Published: 2023-03-31 03:30 – Updated: 2023-04-07 15:15thorsten/phpmyfaq prior to 3.1.12 is vulnerable to privilege escalation from improper privilege management. Any user with the ability to add a new user can create a user with super admin rights. This has been fixed in 3.1.12.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1762"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-07T15:15:02Z",
"nvd_published_at": "2023-03-31T02:15:00Z",
"severity": "HIGH"
},
"details": "thorsten/phpmyfaq prior to 3.1.12 is vulnerable to privilege escalation from improper privilege management. Any user with the ability to add a new user can create a user with super admin rights. This has been fixed in 3.1.12.\n\n",
"id": "GHSA-xww4-w6ff-5q3g",
"modified": "2023-04-07T15:15:02Z",
"published": "2023-03-31T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1762"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpmyfaq/commit/ae6c1d8c3eab05d6e2227c7a9998707f4f891514"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpmyfaq"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3c2374cc-7082-44b7-a6a6-ccff7a650a3a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "thorsten/phpmyfaq vulnerable privilege escalation from improper privilege management "
}
GHSA-XWWF-377R-5Q8M
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44Windows App-V Overlay Filter Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-26860"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Windows App-V Overlay Filter Elevation of Privilege Vulnerability",
"id": "GHSA-xwwf-377r-5q8m",
"modified": "2022-05-24T17:44:18Z",
"published": "2022-05-24T17:44:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26860"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWX4-2R3M-GWVQ
Vulnerability from github – Published: 2022-06-22 00:01 – Updated: 2022-06-29 00:00A vulnerability was found in Hindu Matrimonial Script. It has been declared as critical. This vulnerability affects unknown code of the file /admin/searchview.php. The manipulation leads to improper privilege management. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2017-20076"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-21T06:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Hindu Matrimonial Script. It has been declared as critical. This vulnerability affects unknown code of the file /admin/searchview.php. The manipulation leads to improper privilege management. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-xwx4-2r3m-gwvq",
"modified": "2022-06-29T00:00:26Z",
"published": "2022-06-22T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20076"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.95416"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/41044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.