Common Weakness Enumeration

CWE-648

Allowed

Incorrect Use of Privileged APIs

Abstraction: Base · Status: Incomplete

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

113 vulnerabilities reference this CWE, most recent first.

GHSA-H4JX-HJR3-FHGC

Vulnerability from github – Published: 2026-03-29 15:49 – Updated: 2026-04-18 00:44
VLAI
Summary
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Details

Summary

Gateway Plugin Subagent Fallback deleteSession Uses Synthetic operator.admin

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Gateway plugin subagent fallback deleteSession previously dispatched sessions.delete with a synthetic operator.admin runtime scope when no request-scoped client existed. Commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7 binds deletion to the caller scope instead of minting admin scope.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7.

Fix Commit(s)

  • b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-648",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:49:34Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nGateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `\u003c= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGateway plugin subagent fallback `deleteSession` previously dispatched `sessions.delete` with a synthetic `operator.admin` runtime scope when no request-scoped client existed. Commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` binds deletion to the caller scope instead of minting admin scope.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`.\n\n## Fix Commit(s)\n\n- `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`",
  "id": "GHSA-h4jx-hjr3-fhgc",
  "modified": "2026-04-18T00:44:19Z",
  "published": "2026-03-29T15:49:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`"
}

GHSA-H66F-8XVF-H765

Vulnerability from github – Published: 2024-02-13 09:30 – Updated: 2024-02-13 09:30
VLAI
Details

A vulnerability has been identified in Unicam FX (All versions). The windows installer agent used in affected product contains incorrect use of privileged APIs that trigger the Windows Console Host (conhost.exe) as a child process with SYSTEM privileges. This could be exploited by an attacker to perform a local privilege escalation attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-13T09:15:47Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Unicam FX (All versions). The windows installer agent used in affected product contains incorrect use of privileged APIs that trigger the Windows Console Host (conhost.exe) as a child process with SYSTEM privileges. This could be exploited by an attacker to perform a local privilege escalation attack.",
  "id": "GHSA-h66f-8xvf-h765",
  "modified": "2024-02-13T09:30:32Z",
  "published": "2024-02-13T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22042"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-543502.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H97Q-54JX-527J

Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00
VLAI
Details

Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-20T04:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.",
  "id": "GHSA-h97q-54jx-527j",
  "modified": "2022-06-29T00:00:25Z",
  "published": "2022-06-21T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2023"
    },
    {
      "type": "WEB",
      "url": "https://github.com/polonel/trudesk/commit/83fd5a89319ba2c2f5934722e39b08aba9b3a4ac"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0f35b1d3-56e6-49e4-bc5a-830f52e094b3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFVG-35RJ-H837

Vulnerability from github – Published: 2025-07-29 00:30 – Updated: 2025-11-03 21:34
VLAI
Details

An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T00:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information.",
  "id": "GHSA-hfvg-35rj-h837",
  "modified": "2025-11-03T21:34:11Z",
  "published": "2025-07-29T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54766"
    },
    {
      "type": "WEB",
      "url": "https://korelogic.com/Resources/Advisories/KL-001-2025-012.txt"
    },
    {
      "type": "WEB",
      "url": "https://xormon.com/note190.php"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J98G-G34P-R4CH

Vulnerability from github – Published: 2023-06-28 15:30 – Updated: 2023-06-28 15:30
VLAI
Details

A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials. This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-28T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator privileges. The attacker would need valid user credentials. This vulnerability is due to improper role-based access control (RBAC) of certain OpenAPI operations. An attacker could exploit this vulnerability by issuing a crafted OpenAPI function call with valid credentials. A successful exploit could allow the attacker to execute OpenAPI operations that are reserved for the Administrator user, including the creation and deletion of user labels.",
  "id": "GHSA-j98g-g34p-r4ch",
  "modified": "2023-06-28T15:30:23Z",
  "published": "2023-06-28T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20136"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-auth-openapi-kTndjdNX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHXJ-W2J8-P3GF

Vulnerability from github – Published: 2024-02-15 18:30 – Updated: 2026-05-20 12:30
VLAI
Details

Improper Privilege Management vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by Users.This issue affects SoliPay Mobile App: before 5.0.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-15T16:15:45Z",
    "severity": "HIGH"
  },
  "details": "Improper Privilege Management vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by Users.This issue affects SoliPay Mobile App: before 5.0.8.",
  "id": "GHSA-jhxj-w2j8-p3gf",
  "modified": "2026-05-20T12:30:35Z",
  "published": "2024-02-15T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4993"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0104"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0104"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3GR-G6G8-FXJW

Vulnerability from github – Published: 2025-07-29 00:30 – Updated: 2025-11-03 21:34
VLAI
Details

An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T00:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user.",
  "id": "GHSA-m3gr-g6g8-fxjw",
  "modified": "2025-11-03T21:34:11Z",
  "published": "2025-07-29T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54767"
    },
    {
      "type": "WEB",
      "url": "https://korelogic.com/Resources/Advisories/KL-001-2025-014.txt"
    },
    {
      "type": "WEB",
      "url": "https://lpar2rrd.com/note800.php"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5JP-P3R5-MFQP

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-18 00:43
VLAI
Summary
Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-648",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T00:43:39Z",
    "nvd_published_at": "2026-04-09T22:16:34Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.",
  "id": "GHSA-m5jp-p3r5-mfqp",
  "modified": "2026-04-18T00:43:39Z",
  "published": "2026-04-10T00:30:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`",
  "withdrawn": "2026-04-18T00:43:39Z"
}

GHSA-MJW4-RP5Q-2H7W

Vulnerability from github – Published: 2026-02-25 18:31 – Updated: 2026-02-25 18:31
VLAI
Details

A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system.

This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain root privileges on the underlying operating system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T17:25:28Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system.\n\nThis vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to\u0026nbsp;gain root privileges on the underlying operating system.",
  "id": "GHSA-mjw4-rp5q-2h7w",
  "modified": "2026-02-25T18:31:38Z",
  "published": "2026-02-25T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20126"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPCV-VXV9-9H8X

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-648"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T16:16:44Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-mpcv-vxv9-9h8x",
  "modified": "2026-05-13T18:30:55Z",
  "published": "2026-05-13T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41225"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000160916"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.

Mitigation
Architecture and Design

Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely.

Mitigation
Implementation

If privileged APIs make certain assumptions about data, context or state validity that are passed by the caller, the calling code must ensure that these assumptions have been validated prior to making the call.

Mitigation
Implementation

If privileged APIs do not shed their privilege prior to returning to the calling code, then calling code needs to shed these privileges immediately and safely right after the call to the privileged APIs. In particular, the calling code needs to ensure that a privileged thread of execution will never be returned to the user or made available to user-controlled processes.

Mitigation
Implementation

Only call privileged APIs from safe, consistent and expected state.

Mitigation
Implementation

Ensure that a failure or an error will not leave a system in a state where privileges are not properly shed and privilege escalation is possible (i.e. fail securely with regards to handling of privileges).

CAPEC-107: Cross Site Tracing

Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.

CAPEC-234: Hijacking a privileged process

An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code.