Common Weakness Enumeration

CWE-1220

Allowed

Insufficient Granularity of Access Control

Abstraction: Base · Status: Incomplete

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

176 vulnerabilities reference this CWE, most recent first.

GHSA-59XF-77X2-PV8F

Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31
VLAI
Details

Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:16:50Z",
    "severity": "HIGH"
  },
  "details": "Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-59xf-77x2-pv8f",
  "modified": "2026-07-14T18:31:59Z",
  "published": "2026-07-14T18:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48581"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48581"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GR5-VWJ6-RQ22

Vulnerability from github – Published: 2025-04-03 18:30 – Updated: 2025-04-03 18:30
VLAI
Details

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T16:15:36Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.",
  "id": "GHSA-5gr5-vwj6-rq22",
  "modified": "2025-04-03T18:30:58Z",
  "published": "2025-04-03T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29987"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000300899/dsa-2025-139-dell-technologies-powerprotect-data-domain-security-update-for-a-security-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QQ8-H7QH-PHFJ

Vulnerability from github – Published: 2026-07-03 18:31 – Updated: 2026-07-03 18:31
VLAI
Details

A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T16:16:55Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak\u0027s administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller\u0027s specific permissions when requested through a parent group. This allows a delegated administrator to view details of child groups they are not authorized to access directly, including group names, paths, and custom attributes.",
  "id": "GHSA-5qq8-h7qh-phfj",
  "modified": "2026-07-03T18:31:06Z",
  "published": "2026-07-03T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14615"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-14615"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496891"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R39-9H33-Q5XR

Vulnerability from github – Published: 2025-02-20 00:32 – Updated: 2025-02-20 00:32
VLAI
Details

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220) 

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T00:15:19Z",
    "severity": "MODERATE"
  },
  "details": "The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220)\u00a0\n\n\n\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content\n\n\n\n\n\n\n\u00a0An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.",
  "id": "GHSA-5r39-9h33-q5xr",
  "modified": "2025-02-20T00:32:05Z",
  "published": "2025-02-20T00:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6696"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/34296877157517--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insufficient-Granularity-of-Access-Control-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6696"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-648G-6726-528F

Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-15 03:30
VLAI
Details

Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-15T03:16:20Z",
    "severity": "HIGH"
  },
  "details": "Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.",
  "id": "GHSA-648g-6726-528f",
  "modified": "2026-05-15T03:30:36Z",
  "published": "2026-05-15T03:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21962"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-69W4-P3C2-PWC7

Vulnerability from github – Published: 2024-05-16 21:31 – Updated: 2024-05-16 21:31
VLAI
Details

Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T21:15:53Z",
    "severity": "HIGH"
  },
  "details": "Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-69w4-p3c2-pwc7",
  "modified": "2024-05-16T21:31:59Z",
  "published": "2024-05-16T21:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40070"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01037.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6G26-7CX5-MRRG

Vulnerability from github – Published: 2026-06-05 09:33 – Updated: 2026-06-26 09:30
VLAI
Details

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T08:16:30Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
  "id": "GHSA-6g26-7cx5-mrrg",
  "modified": "2026-06-26T09:30:46Z",
  "published": "2026-06-05T09:33:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25097"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25098"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30050"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-9088"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6H98-C266-Q7CR

Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-09-24 00:30
VLAI
Details

Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows® system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T00:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Improper input validation in AMD Crash Defender could allow an attacker to provide the Windows\u00ae system process ID to a kernel-mode driver, resulting in an operating system crash, potentially leading to denial of service.",
  "id": "GHSA-6h98-c266-q7cr",
  "modified": "2025-09-24T00:30:40Z",
  "published": "2025-02-12T00:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21971"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6JJP-3PP9-H253

Vulnerability from github – Published: 2024-03-19 18:31 – Updated: 2024-03-19 18:31
VLAI
Details

Insufficient Granularity of Access Control vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-19T16:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Granularity of Access Control vulnerability in OpenText\u2122 Service Management Automation X (SMAX), OpenText\u2122 Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.\n\n",
  "id": "GHSA-6jjp-3pp9-h253",
  "modified": "2024-03-19T18:31:59Z",
  "published": "2024-03-19T18:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32259"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000018803?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JM2-G593-4QRC

Vulnerability from github – Published: 2026-04-25 23:51 – Updated: 2026-04-25 23:51
VLAI
Summary
OpenClaw: Agent gateway config mutations could change protected operator settings
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

The agent-facing gateway config.patch / config.apply guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.

This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.

Fix

OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.

Fix commit:

  • fe30b31a97a917ecc6e92f6c85378b6b20352422

Release

Fixed in OpenClaw 2026.4.20.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:51:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.\n\nThis is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.\n\n## Fix\n\nOpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.\n\nFix commit:\n\n- `fe30b31a97a917ecc6e92f6c85378b6b20352422`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
  "id": "GHSA-7jm2-g593-4qrc",
  "modified": "2026-04-25T23:51:11Z",
  "published": "2026-04-25T23:51:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Agent gateway config mutations could change protected operator settings"
}

Mitigation
Architecture and Design Implementation Testing
  • Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
  • Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.