CWE-277
AllowedInsecure Inherited Permissions
Abstraction: Variant · Status: Draft
A product defines a set of insecure permissions that are inherited by objects that are created by the program.
116 vulnerabilities reference this CWE, most recent first.
GHSA-J83C-HH5W-39VJ
Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-21835"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:16:04Z",
"severity": "MODERATE"
},
"details": "Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-j83c-hh5w-39vj",
"modified": "2024-05-16T21:32:02Z",
"published": "2024-05-16T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21835"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01066.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHHR-8858-58W9
Vulnerability from github – Published: 2024-07-19 18:31 – Updated: 2024-08-01 15:32Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.
{
"affected": [],
"aliases": [
"CVE-2024-41601"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-378"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-19T17:15:03Z",
"severity": "HIGH"
},
"details": "Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.",
"id": "GHSA-jhhr-8858-58w9",
"modified": "2024-08-01T15:32:06Z",
"published": "2024-07-19T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41601"
},
{
"type": "WEB",
"url": "https://github.com/topsky979/Security-Collections/tree/main/CVE-2024-41601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQF7-WH3W-W6M5
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access
{
"affected": [],
"aliases": [
"CVE-2022-38103"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:13Z",
"severity": "HIGH"
},
"details": "Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access",
"id": "GHSA-jqf7-wh3w-w6m5",
"modified": "2024-04-04T03:59:28Z",
"published": "2023-05-10T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38103"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00854.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4JX-M5HG-QRXX
Vulnerability from github – Published: 2025-05-31 03:30 – Updated: 2025-06-04 01:30django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-helpdesk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25111"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-04T01:30:23Z",
"nvd_published_at": "2025-05-31T01:15:19Z",
"severity": "MODERATE"
},
"details": "django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.",
"id": "GHSA-m4jx-m5hg-qrxx",
"modified": "2025-06-04T01:30:24Z",
"published": "2025-05-31T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25111"
},
{
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/issues/591"
},
{
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/pull/1120"
},
{
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/commit/f872ec252769bee5a88b06d07d3634e580c67bcc"
},
{
"type": "PACKAGE",
"url": "https://github.com/django-helpdesk/django-helpdesk"
},
{
"type": "WEB",
"url": "https://github.com/django-helpdesk/django-helpdesk/releases/tag/v1.0.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2025-44.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "django-helpdesk Allows Sensitive Data Exposure"
}
GHSA-MF7C-35MQ-75PJ
Vulnerability from github – Published: 2022-05-14 03:24 – Updated: 2022-07-06 19:45In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-common"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-alpha"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-6811"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:45:49Z",
"nvd_published_at": "2017-04-11T14:59:00Z",
"severity": "HIGH"
},
"details": "In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.",
"id": "GHSA-mf7c-35mq-75pj",
"modified": "2022-07-06T19:45:49Z",
"published": "2022-05-14T03:24:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6811"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307@%3Cgeneral.hadoop.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insecure Inherited Permissions in Apache Hadoop"
}
GHSA-MX8P-8F7V-R77C
Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32Insecure inherited permissions in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-45736"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T21:15:58Z",
"severity": "MODERATE"
},
"details": "Insecure inherited permissions in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-mx8p-8f7v-r77c",
"modified": "2024-05-16T21:32:00Z",
"published": "2024-05-16T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45736"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01037.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P59G-QJMC-6RF4
Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2024-04-04 07:20Insecure Inherited Permissions vulnerability in Schweitzer Engineering Laboratories SEL-5033 AcSELerator RTAC Software on Windows allows Leveraging/Manipulating Configuration File Search Paths.
See Instruction Manual Appendix A [Cybersecurity] tag dated 20230522 for more details.
This issue affects SEL-5033 AcSELerator RTAC Software: before 1.35.151.21000.
{
"affected": [],
"aliases": [
"CVE-2023-34391"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T16:15:10Z",
"severity": "MODERATE"
},
"details": "Insecure Inherited Permissions vulnerability in Schweitzer Engineering Laboratories SEL-5033 AcSELerator RTAC Software on Windows allows Leveraging/Manipulating Configuration File Search Paths.\n\nSee Instruction Manual Appendix A [Cybersecurity] tag dated 20230522 for more details.\n \nThis issue affects SEL-5033 AcSELerator RTAC Software: before 1.35.151.21000.\n\n",
"id": "GHSA-p59g-qjmc-6rf4",
"modified": "2024-04-04T07:20:52Z",
"published": "2023-08-31T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34391"
},
{
"type": "WEB",
"url": "https://dragos.com"
},
{
"type": "WEB",
"url": "https://selinc.com/support/security-notifications/external-reports"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PR3W-9H6R-G7J3
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31Insecure inherited permissions in the installer for some Intel Server Configuration Utility software before version 16.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-34997"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T19:15:28Z",
"severity": "MODERATE"
},
"details": "Insecure inherited permissions in the installer for some Intel Server Configuration Utility software before version 16.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-pr3w-9h6r-g7j3",
"modified": "2023-11-14T21:31:02Z",
"published": "2023-11-14T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34997"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00925.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX98-39WC-6WWQ
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00Insecure inherited permissions for the Intel(R) NUC Pro Software Suite before version 2.0.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-46656"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:26Z",
"severity": "HIGH"
},
"details": "Insecure inherited permissions for the Intel(R) NUC Pro Software Suite before version 2.0.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-px98-39wc-6wwq",
"modified": "2024-04-04T04:00:17Z",
"published": "2023-05-10T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46656"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00834.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3JJ-46PQ-826R
Vulnerability from github – Published: 2026-05-04 20:21 – Updated: 2026-05-19 15:56Summary
ACP child sessions inherit subagent security envelope constraints.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22
Impact
A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions.
Fix
ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions.
Fix Commit(s)
- 31160dc069b7cc5d833b39c53736a41ad3befda2
Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.
OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.4.21"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44997"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T20:21:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nACP child sessions inherit subagent security envelope constraints.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: \u003c= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nA restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions.\n\n## Fix\nACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions.\n\n## Fix Commit(s)\n- 31160dc069b7cc5d833b39c53736a41ad3befda2\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.",
"id": "GHSA-q3jj-46pq-826r",
"modified": "2026-05-19T15:56:24Z",
"published": "2026-05-04T20:21:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44997"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s ACP child sessions inherit subagent security envelope constraints"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
No CAPEC attack patterns related to this CWE.