Abstraction: Base · Status: Incomplete

CWE-1220: Insufficient Granularity of Access Control

Category: other

Description

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Common consequences

  • Confidentiality / Integrity / Availability / Access Control — Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Other

Potential mitigations

  • Phases: Architecture and Design, Implementation, Testing

Related CAPEC attack patterns

  • CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
  • CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

References

  1. https://cwe.mitre.org/data/definitions/1220.html

Exploits (incoming)

Type           Target                                                                  Confidence  Tier
AttackPattern  Accessing Functionality Not Properly Constrained by ACLs (capec-1)      100%        live
AttackPattern  Exploiting Incorrectly Configured Access Control Security Levels (capec-180)  100%   live

(incoming)

Type           Target                                                                                    Confidence  Tier
Vulnerability  CVE-2025-29987 (cve-2025-29987)                                                           0%          live
Vulnerability  Apple Multiple Products Arbitrary Read and Write Vulnerability (cve-2025-31201)            0%          live
Vulnerability  CVE-2025-4404 (cve-2025-4404)                                                             0%          live
Vulnerability  CVE-2025-7493 (cve-2025-7493)                                                             0%          live
Vulnerability  CVE-2025-8049 (cve-2025-8049)                                                             0%          live
Vulnerability  CVE-2025-8053 (cve-2025-8053)                                                             0%          live
Vulnerability  Microsoft Defender Insufficient Granularity of Access Control Vulnerability (cve-2026-33825)  0%       live
Vulnerability  CVE-2026-35436 (cve-2026-35436)                                                           0%          live
Vulnerability  CVE-2026-40365 (cve-2026-40365)                                                           0%          live
Vulnerability  CVE-2026-6356 (cve-2026-6356)                                                             0%          live
Vulnerability  CVE-2026-6388 (cve-2026-6388)                                                             0%          live
KEVEntry       Microsoft Windows SAM Local Privilege Escalation Vulnerability (kev-cve-2021-36934)        0%          live
KEVEntry       Microsoft Defender Insufficient Granularity of Access Control Vulnerability (kev-cve-2026-33825)  0%   live

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE: Improper Access Control
  • CWE: Improper Privilege Management
  • CWE: Incorrect User Management
  • CWE: Exposure of Sensitive Information Through Metadata
  • CWE: Improper Isolation or Compartmentalization

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.