CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-FCXP-R92V-X7H2
Vulnerability from github – Published: 2026-07-09 21:31 – Updated: 2026-07-09 21:31A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks.
{
"affected": [],
"aliases": [
"CVE-2026-15270"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T20:16:28Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks.",
"id": "GHSA-fcxp-r92v-x7h2",
"modified": "2026-07-09T21:31:21Z",
"published": "2026-07-09T21:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15270"
},
{
"type": "WEB",
"url": "https://app.notion.com/p/DIR823G-V1-0-2B05_20181207-37a1f5ba989080f2a043c60d2cfc7499?source=copy_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15270"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/852314"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377213"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377213/cti"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FF6R-J98M-43X2
Vulnerability from github – Published: 2025-09-27 06:30 – Updated: 2025-09-27 06:30A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /periodo-lancamento. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been published and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-11050"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-27T05:15:30Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /periodo-lancamento. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been published and may be used.",
"id": "GHSA-ff6r-j98m-43x2",
"modified": "2025-09-27T06:30:52Z",
"published": "2025-09-27T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11050"
},
{
"type": "WEB",
"url": "https://github.com/marcelomulder/CVE/blob/main/i-educar/Broken%20Access%20Control%20%20in%20%60.periodo-lancamento%60%20Endpoint.md"
},
{
"type": "WEB",
"url": "https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-11050.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.326087"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.326087"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.659214"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FFPR-483M-CPM5
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.
{
"affected": [],
"aliases": [
"CVE-2026-22267"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T10:16:11Z",
"severity": "HIGH"
},
"details": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.",
"id": "GHSA-ffpr-483m-cpm5",
"modified": "2026-02-19T18:31:54Z",
"published": "2026-02-19T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22267"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFQC-R4J7-PVVM
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.
{
"affected": [],
"aliases": [
"CVE-2022-1746"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T15:15:00Z",
"severity": "HIGH"
},
"details": "The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.",
"id": "GHSA-ffqc-r4j7-pvvm",
"modified": "2022-07-07T00:00:29Z",
"published": "2022-06-25T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1746"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FFRR-JP4V-9V79
Vulnerability from github – Published: 2026-01-09 18:31 – Updated: 2026-01-09 18:31An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format
{
"affected": [],
"aliases": [
"CVE-2025-67279"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-09T16:16:07Z",
"severity": "MODERATE"
},
"details": "An issue in TIM Solution GmbH TIM BPM Suite \u0026 TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format",
"id": "GHSA-ffrr-jp4v-9v79",
"modified": "2026-01-09T18:31:36Z",
"published": "2026-01-09T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67279"
},
{
"type": "WEB",
"url": "https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes"
},
{
"type": "WEB",
"url": "https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FG8F-QMV2-X48Q
Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 15:30Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.6.
{
"affected": [],
"aliases": [
"CVE-2026-27541"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T06:16:29Z",
"severity": "HIGH"
},
"details": "Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through \u003c= 2.2.6.",
"id": "GHSA-fg8f-qmv2-x48q",
"modified": "2026-03-09T15:30:33Z",
"published": "2026-03-05T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27541"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-wholesale-prices/vulnerability/wordpress-wholesale-suite-plugin-2-2-1-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FGV8-397H-QGQF
Vulnerability from github – Published: 2026-06-29 09:30 – Updated: 2026-06-29 09:30A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-13544"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T07:16:24Z",
"severity": "LOW"
},
"details": "A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-fgv8-397h-qgqf",
"modified": "2026-06-29T09:30:28Z",
"published": "2026-06-29T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13544"
},
{
"type": "WEB",
"url": "https://github.com/liufee/cms/issues/88"
},
{
"type": "WEB",
"url": "https://github.com/liufee/cms/issues/89"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-13544"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/842582"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/842595"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/842602"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/374552"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/374552/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FH73-R4JX-8P6F
Vulnerability from github – Published: 2026-02-02 00:30 – Updated: 2026-02-02 00:30A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-1733"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-01T23:15:49Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fh73-r4jx-8p6f",
"modified": "2026-02-02T00:30:23Z",
"published": "2026-02-02T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1733"
},
{
"type": "WEB",
"url": "https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md"
},
{
"type": "WEB",
"url": "https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.343632"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.343632"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.736558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FHVM-9728-77CM
Vulnerability from github – Published: 2025-10-12 21:30 – Updated: 2025-10-12 21:30A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-11646"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T21:15:33Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fhvm-9728-77cm",
"modified": "2025-10-12T21:30:16Z",
"published": "2025-10-12T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11646"
},
{
"type": "WEB",
"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-P2PUUID.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.328057"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.328057"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.661900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FJCF-3J3R-78RP
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 21:00An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as '/users/list' and '/users/get_users'. This vulnerability allows for privilege escalation within the application, enabling any account to become a PROXY ADMIN.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litellm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.61.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-0628"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-20T21:00:46Z",
"nvd_published_at": "2025-03-20T10:15:53Z",
"severity": "HIGH"
},
"details": "An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role \u0027internal_user_viewer\u0027 logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as \u0027/users/list\u0027 and \u0027/users/get_users\u0027. This vulnerability allows for privilege escalation within the application, enabling any account to become a PROXY ADMIN.",
"id": "GHSA-fjcf-3j3r-78rp",
"modified": "2025-03-20T21:00:46Z",
"published": "2025-03-20T12:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0628"
},
{
"type": "WEB",
"url": "https://github.com/berriai/litellm/commit/566d9354aab4215091b2e51ad0333e948125fa1b"
},
{
"type": "PACKAGE",
"url": "https://github.com/BerriAI/litellm"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/6c0e2f75-2d03-42f9-9530-e16a973317fc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "LiteLLM Has an Improper Authorization Vulnerability"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.