Common Weakness Enumeration

CWE-276

Allowed

Incorrect Default Permissions

Abstraction: Base · Status: Draft

During installation, installed file permissions are set to allow anyone to modify those files.

2034 vulnerabilities reference this CWE, most recent first.

GHSA-VPQ4-PWC4-5J28

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30
VLAI
Details

Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.",
  "id": "GHSA-vpq4-pwc4-5j28",
  "modified": "2023-02-17T18:30:25Z",
  "published": "2023-02-09T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21433"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQFF-54HC-2XCH

Vulnerability from github – Published: 2025-03-26 21:31 – Updated: 2025-03-27 15:31
VLAI
Details

HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-26T19:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.",
  "id": "GHSA-vqff-54hc-2xch",
  "modified": "2025-03-27T15:31:04Z",
  "published": "2025-03-26T21:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simalamuel/Research/tree/main/CVE-2025-25535"
    },
    {
      "type": "WEB",
      "url": "https://www.besafebrasil.com.br/script-case-cve-2025-xx-xxxx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR2H-FPFM-62G7

Vulnerability from github – Published: 2025-11-12 15:31 – Updated: 2025-11-12 15:31
VLAI
Details

CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T14:15:46Z",
    "severity": "HIGH"
  },
  "details": "CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.",
  "id": "GHSA-vr2h-fpfm-62g7",
  "modified": "2025-11-12T15:31:29Z",
  "published": "2025-11-12T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11567"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-315-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VR3V-24M7-V284

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-10-15 12:01
VLAI
Details

Insufficient policy enforcement in Omnibox in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient policy enforcement in Omnibox in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted URI.",
  "id": "GHSA-vr3v-24m7-v284",
  "modified": "2022-10-15T12:01:00Z",
  "published": "2022-05-24T17:19:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6497"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1069246"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4714"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR7J-G7JV-H5MP

Vulnerability from github – Published: 2026-03-16 20:41 – Updated: 2026-04-06 22:46
VLAI
Summary
OpenClaw session transcript files were created without forced user-only permissions
Details

openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.15
  • First fixed version: 2026.2.17
  • Current latest npm release checked during verification: 2026.3.13 (not affected)

Impact

Session transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.

Fix

New transcript files are now created with 0o600 permissions. Existing transcript permission drift is also remediated by the security audit fix flow.

Verified in code:

  • src/config/sessions/transcript.ts:82 writes new transcript files with mode: 0o600
  • src/config/sessions/sessions.test.ts:303 includes regression coverage asserting 0o600

Fix Commit(s)

  • 095d522099653367e1b76fa5bb09d4ddf7c8a57c

Release Note

This fix first shipped in 2026.2.17 and is present in the current npm release 2026.3.13.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.15"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T20:41:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "`openclaw` created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (`npm`)\n- Affected versions: `\u003c= 2026.2.15`\n- First fixed version: `2026.2.17`\n- Current latest npm release checked during verification: `2026.3.13` (not affected)\n\n## Impact\n\nSession transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.\n\n## Fix\n\nNew transcript files are now created with `0o600` permissions. Existing transcript permission drift is also remediated by the security audit fix flow.\n\nVerified in code:\n\n- `src/config/sessions/transcript.ts:82` writes new transcript files with `mode: 0o600`\n- `src/config/sessions/sessions.test.ts:303` includes regression coverage asserting `0o600`\n\n## Fix Commit(s)\n\n- `095d522099653367e1b76fa5bb09d4ddf7c8a57c`\n\n## Release Note\n\nThis fix first shipped in `2026.2.17` and is present in the current npm release `2026.3.13`.",
  "id": "GHSA-vr7j-g7jv-h5mp",
  "modified": "2026-04-06T22:46:26Z",
  "published": "2026-03-16T20:41:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw session transcript files were created without forced user-only permissions"
}

GHSA-VRH9-R774-89RH

Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-29 21:32
VLAI
Details

PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T20:17:40Z",
    "severity": "HIGH"
  },
  "details": "PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\\\.\\pipe\\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows privilege escalation by placing a malicious shadow.exe in a controlled working directory.",
  "id": "GHSA-vrh9-r774-89rh",
  "modified": "2026-06-29T21:32:15Z",
  "published": "2026-06-29T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57919"
    },
    {
      "type": "WEB",
      "url": "https://docs.matrix42.com/en_US/1041748_vulnerability-list/cve-2026-57919-privilege-escalation-in-empirum-personal-backup"
    },
    {
      "type": "WEB",
      "url": "https://matrix42.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VRHH-9QJG-RJ58

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-05-13 00:00
VLAI
Details

ismsEx service is a vendor service in unisoc equipment?ismsEx service is an extension of sms system service?but it does not check the permissions of the caller?resulting in permission leaks?Third-party apps can use this service to arbitrarily modify and set system properties?Product: AndroidVersions: Android SoCAndroid ID: A-207479207

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-11T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "ismsEx service is a vendor service in unisoc equipment?ismsEx service is an extension of sms system service?but it does not check the permissions of the caller?resulting in permission leaks?Third-party apps can use this service to arbitrarily modify and set system properties?Product: AndroidVersions: Android SoCAndroid ID: A-207479207",
  "id": "GHSA-vrhh-9qjg-rj58",
  "modified": "2022-05-13T00:00:18Z",
  "published": "2022-02-12T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39658"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-02-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VV23-8MW3-7R7R

Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-20 21:30
VLAI
Details

A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code execution. HP is releasing firmware updates to mitigate the potential vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A potential vulnerability has been identified in the system BIOS for certain HP PC products which may allow escalation of privileges and code execution. HP is releasing firmware updates to mitigate the potential vulnerability.",
  "id": "GHSA-vv23-8mw3-7r7r",
  "modified": "2022-12-20T21:30:20Z",
  "published": "2022-12-12T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37018"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_7191946-7191970-16/hpsbhf03820"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VV4G-G38C-RQ3Q

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

Incorrect default permissions in the Intel(R) RealSense(TM) D400 Series Dynamic Calibration Tool before version 2.11, may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-12T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect default permissions in the Intel(R) RealSense(TM) D400 Series Dynamic Calibration Tool before version 2.11, may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-vv4g-g38c-rq3q",
  "modified": "2022-05-24T17:33:32Z",
  "published": "2022-05-24T17:33:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12306"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VV65-FJFJ-4736

Vulnerability from github – Published: 2023-11-27 12:30 – Updated: 2025-02-13 19:25
VLAI
Summary
Apache Superset has Incorrect Default Permissions
Details

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read permission from the mentioned resources.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T20:53:25Z",
    "nvd_published_at": "2023-11-27T11:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.",
  "id": "GHSA-vv65-fjfj-4736",
  "modified": "2025-02-13T19:25:33Z",
  "published": "2023-11-27T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42501"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/superset"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/11/27/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Superset has Incorrect Default Permissions"
}

Mitigation MIT-1
Architecture and Design Operation

The architecture needs to access and modification attributes for files to only those users who actually require those actions.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.