CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-GQMW-JRGV-446Q
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-06-11 15:30Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025
{
"affected": [],
"aliases": [
"CVE-2025-43698"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T12:15:24Z",
"severity": "CRITICAL"
},
"details": "Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. \nThis impacts OmniStudio: before Spring 2025",
"id": "GHSA-gqmw-jrgv-446q",
"modified": "2025-06-11T15:30:26Z",
"published": "2025-06-10T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43698"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/s/articleView?id=004980323\u0026type=1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GRJV-GJGR-66G2
Vulnerability from github – Published: 2024-06-20 16:24 – Updated: 2024-11-18 16:26Background
Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected.
For example, given this schema:
definition user {}
definition folder {
relation member: user
relation banned: user
permission view = member - banned
}
definition resource {
relation folder: folder
permission view = folder->view
}
If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that all the folders in which the user is a member be returned
Impact
Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.
Workarounds
None
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authzed/spicedb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38361"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-20T16:24:01Z",
"nvd_published_at": "2024-06-20T23:15:52Z",
"severity": "MODERATE"
},
"details": "### Background\n\nUse of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected.\n\nFor example, given this schema:\n\n```zed\ndefinition user {}\n\ndefinition folder {\n relation member: user\n relation banned: user\n permission view = member - banned\n}\n\ndefinition resource {\n relation folder: folder\n permission view = folder-\u003eview\n}\n```\n\nIf the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned\n\n### Impact\n\nPermission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API.\n\n### Workarounds\n\nNone\n",
"id": "GHSA-grjv-gjgr-66g2",
"modified": "2024-11-18T16:26:46Z",
"published": "2024-06-20T16:24:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38361"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb"
},
{
"type": "PACKAGE",
"url": "https://github.com/authzed/spicedb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SpiceDB exclusions can result in no permission returned when permission expected"
}
GHSA-GVJ8-4CJ4-H776
Vulnerability from github – Published: 2022-04-29 15:40 – Updated: 2022-04-29 15:40Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ibexa/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "ibexa/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-29T15:40:48Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.",
"id": "GHSA-gvj8-4cj4-h776",
"modified": "2022-04-29T15:40:48Z",
"published": "2022-04-29T15:40:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ibexa/core/security/advisories/GHSA-gvj8-4cj4-h776"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge"
},
{
"type": "PACKAGE",
"url": "https://github.com/ibexa/core"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Object state limitation has no effect"
}
GHSA-GW2V-WGMH-28V4
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues.
{
"affected": [],
"aliases": [
"CVE-2019-6995"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues.",
"id": "GHSA-gw2v-wgmh-28v4",
"modified": "2024-04-04T01:54:45Z",
"published": "2022-05-24T16:55:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6995"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/55537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GXJ5-6FW2-663J
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2021-12-10 00:01There is a Improper Preservation of Permissions vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to attackers which can isolate and read synchronization files of other applications across the UID sandbox.
{
"affected": [],
"aliases": [
"CVE-2021-37086"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T17:15:00Z",
"severity": "HIGH"
},
"details": "There is a Improper Preservation of Permissions vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to attackers which can isolate and read synchronization files of other applications across the UID sandbox.",
"id": "GHSA-gxj5-6fw2-663j",
"modified": "2021-12-10T00:01:23Z",
"published": "2021-12-08T00:01:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37086"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H574-6646-VFXX
Vulnerability from github – Published: 2024-03-14 09:31 – Updated: 2024-05-02 19:01Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.
Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.3rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28746"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-15T14:19:23Z",
"nvd_published_at": "2024-03-14T09:15:47Z",
"severity": "MODERATE"
},
"details": "Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.\u00a0\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability\n",
"id": "GHSA-h574-6646-vfxx",
"modified": "2024-05-02T19:01:54Z",
"published": "2024-03-14T09:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28746"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/37881"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/13/5"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Apache Airflow: Ignored Airflow Permission"
}
GHSA-H735-Q6RM-HJCJ
Vulnerability from github – Published: 2025-01-03 18:30 – Updated: 2025-01-03 21:30An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.
{
"affected": [],
"aliases": [
"CVE-2024-55507"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-03T16:15:26Z",
"severity": "CRITICAL"
},
"details": "An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.",
"id": "GHSA-h735-q6rm-hjcj",
"modified": "2025-01-03T21:30:40Z",
"published": "2025-01-03T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55507"
},
{
"type": "WEB",
"url": "https://github.com/CV1523/CVEs/blob/main/CVE-2024-55507.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H74R-XH5R-H54X
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In Telephony, there are possible leaks of sensitive data due to missing permission checks. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150155839
{
"affected": [],
"aliases": [
"CVE-2020-0265"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-18T16:15:00Z",
"severity": "MODERATE"
},
"details": "In Telephony, there are possible leaks of sensitive data due to missing permission checks. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150155839",
"id": "GHSA-h74r-xh5r-h54x",
"modified": "2022-05-24T17:28:32Z",
"published": "2022-05-24T17:28:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0265"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H74V-56JH-P3H3
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Microsoft Graphics Component Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8574 and CVE-2017-8556.
{
"affected": [],
"aliases": [
"CVE-2017-8573"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Microsoft Graphics Component Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8574 and CVE-2017-8556.",
"id": "GHSA-h74v-56jh-p3h3",
"modified": "2022-05-13T01:47:36Z",
"published": "2022-05-13T01:47:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8573"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8573"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99431"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H836-VCX3-FF7V
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-04 21:31In multiple functions of GrantPermissionsActivity.java , there is a possible way to trick the user into granting the incorrect permission due to permission overload. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-26420"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T18:15:39Z",
"severity": "MODERATE"
},
"details": "In multiple functions of GrantPermissionsActivity.java , there is a possible way to trick the user into granting the incorrect permission due to permission overload. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-h836-vcx3-ff7v",
"modified": "2025-09-04T21:31:37Z",
"published": "2025-09-04T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26420"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/modules/Permission/+/6bed47f63ec0600b3c57388449db37405c68dc58"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.