CWE-276
AllowedIncorrect Default Permissions
Abstraction: Base · Status: Draft
During installation, installed file permissions are set to allow anyone to modify those files.
2034 vulnerabilities reference this CWE, most recent first.
GHSA-VPQ4-PWC4-5J28
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.
{
"affected": [],
"aliases": [
"CVE-2023-21433"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.",
"id": "GHSA-vpq4-pwc4-5j28",
"modified": "2023-02-17T18:30:25Z",
"published": "2023-02-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21433"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQFF-54HC-2XCH
Vulnerability from github – Published: 2025-03-26 21:31 – Updated: 2025-03-27 15:31HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-25535"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-26T19:15:27Z",
"severity": "CRITICAL"
},
"details": "HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.",
"id": "GHSA-vqff-54hc-2xch",
"modified": "2025-03-27T15:31:04Z",
"published": "2025-03-26T21:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25535"
},
{
"type": "WEB",
"url": "https://github.com/simalamuel/Research/tree/main/CVE-2025-25535"
},
{
"type": "WEB",
"url": "https://www.besafebrasil.com.br/script-case-cve-2025-xx-xxxx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR2H-FPFM-62G7
Vulnerability from github – Published: 2025-11-12 15:31 – Updated: 2025-11-12 15:31CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.
{
"affected": [],
"aliases": [
"CVE-2025-11567"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T14:15:46Z",
"severity": "HIGH"
},
"details": "CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.",
"id": "GHSA-vr2h-fpfm-62g7",
"modified": "2025-11-12T15:31:29Z",
"published": "2025-11-12T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11567"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-315-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VR3V-24M7-V284
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-10-15 12:01Insufficient policy enforcement in Omnibox in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted URI.
{
"affected": [],
"aliases": [
"CVE-2020-6497"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T23:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in Omnibox in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted URI.",
"id": "GHSA-vr3v-24m7-v284",
"modified": "2022-10-15T12:01:00Z",
"published": "2022-05-24T17:19:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6497"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1069246"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR7J-G7JV-H5MP
Vulnerability from github – Published: 2026-03-16 20:41 – Updated: 2026-04-06 22:46openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.15 - First fixed version:
2026.2.17 - Current latest npm release checked during verification:
2026.3.13(not affected)
Impact
Session transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.
Fix
New transcript files are now created with 0o600 permissions. Existing transcript permission drift is also remediated by the security audit fix flow.
Verified in code:
src/config/sessions/transcript.ts:82writes new transcript files withmode: 0o600src/config/sessions/sessions.test.ts:303includes regression coverage asserting0o600
Fix Commit(s)
095d522099653367e1b76fa5bb09d4ddf7c8a57c
Release Note
This fix first shipped in 2026.2.17 and is present in the current npm release 2026.3.13.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.15"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33572"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T20:41:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`openclaw` created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (`npm`)\n- Affected versions: `\u003c= 2026.2.15`\n- First fixed version: `2026.2.17`\n- Current latest npm release checked during verification: `2026.3.13` (not affected)\n\n## Impact\n\nSession transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.\n\n## Fix\n\nNew transcript files are now created with `0o600` permissions. Existing transcript permission drift is also remediated by the security audit fix flow.\n\nVerified in code:\n\n- `src/config/sessions/transcript.ts:82` writes new transcript files with `mode: 0o600`\n- `src/config/sessions/sessions.test.ts:303` includes regression coverage asserting `0o600`\n\n## Fix Commit(s)\n\n- `095d522099653367e1b76fa5bb09d4ddf7c8a57c`\n\n## Release Note\n\nThis fix first shipped in `2026.2.17` and is present in the current npm release `2026.3.13`.",
"id": "GHSA-vr7j-g7jv-h5mp",
"modified": "2026-04-06T22:46:26Z",
"published": "2026-03-16T20:41:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33572"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw session transcript files were created without forced user-only permissions"
}
GHSA-VRH9-R774-89RH
Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-29 21:32PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.
{
"affected": [],
"aliases": [
"CVE-2026-57919"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T20:17:40Z",
"severity": "HIGH"
},
"details": "PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\\\.\\pipe\\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.",
"id": "GHSA-vrh9-r774-89rh",
"modified": "2026-06-29T21:32:15Z",
"published": "2026-06-29T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57919"
},
{
"type": "WEB",
"url": "https://docs.matrix42.com/en_US/1041748_vulnerability-list/cve-2026-57919-privilege-escalation-in-empirum-personal-backup"
},
{
"type": "WEB",
"url": "https://matrix42.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VRHH-9QJG-RJ58
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-05-13 00:00ismsEx service is a vendor service in unisoc equipment?ismsEx service is an extension of sms system service?but it does not check the permissions of the caller?resulting in permission leaks?Third-party apps can use this service to arbitrarily modify and set system properties?Product: AndroidVersions: Android SoCAndroid ID: A-207479207
{
"affected": [],
"aliases": [
"CVE-2021-39658"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-11T18:15:00Z",
"severity": "CRITICAL"
},
"details": "ismsEx service is a vendor service in unisoc equipment?ismsEx service is an extension of sms system service?but it does not check the permissions of the caller?resulting in permission leaks?Third-party apps can use this service to arbitrarily modify and set system properties?Product: AndroidVersions: Android SoCAndroid ID: A-207479207",
"id": "GHSA-vrhh-9qjg-rj58",
"modified": "2022-05-13T00:00:18Z",
"published": "2022-02-12T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39658"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-02-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VV23-8MW3-7R7R
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-20 21:30A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code execution. HP is releasing firmware updates to mitigate the potential vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-37018"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "HIGH"
},
"details": "A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code execution. HP is releasing firmware updates to mitigate the potential vulnerability.",
"id": "GHSA-vv23-8mw3-7r7r",
"modified": "2022-12-20T21:30:20Z",
"published": "2022-12-12T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37018"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_7191946-7191970-16/hpsbhf03820"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VV4G-G38C-RQ3Q
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Incorrect default permissions in the Intel(R) RealSense(TM) D400 Series Dynamic Calibration Tool before version 2.11, may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12306"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect default permissions in the Intel(R) RealSense(TM) D400 Series Dynamic Calibration Tool before version 2.11, may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-vv4g-g38c-rq3q",
"modified": "2022-05-24T17:33:32Z",
"published": "2022-05-24T17:33:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12306"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00408"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VV65-FJFJ-4736
Vulnerability from github – Published: 2023-11-27 12:30 – Updated: 2025-02-13 19:25Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.
This issue affects Apache Superset: before 2.1.2.
Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read permission from the mentioned resources.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42501"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-28T20:53:25Z",
"nvd_published_at": "2023-11-27T11:15:07Z",
"severity": "MODERATE"
},
"details": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.",
"id": "GHSA-vv65-fjfj-4736",
"modified": "2025-02-13T19:25:33Z",
"published": "2023-11-27T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42501"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/superset"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Superset has Incorrect Default Permissions"
}
Mitigation MIT-1
The architecture needs to access and modification attributes for files to only those users who actually require those actions.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.