Class · Draft · Top 25 #15

CWE-269: Improper Privilege Management

Category: authz

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Common consequences · 1

  • Access Control — Gain Privileges or Assume Identity

Potential mitigations · 3

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.
  • [Architecture and Design] Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Related CAPEC attack patterns · 3

CAPEC-122, CAPEC-233, CAPEC-58

References

  1. https://cwe.mitre.org/data/definitions/269.html

Exploits (incoming) · 2

Type           Target                                   Confidence  Tier
AttackPattern  Restful Privilege Elevation (capec-58)   100%        live
AttackPattern  Privilege Escalation (capec-233)         100%        live

Compliance frameworks addressing this (incoming) · 32

Type               Target                  Confidence  Tier
ComplianceControl  pci_dss_v4-r11          100%        live
ComplianceControl  ai_act-art10            100%        live
ComplianceControl  cis_v8-18               100%        live
ComplianceControl  owasp_top10-a01         100%        live
ComplianceControl  iso27001-a.8.25         100%        live
ComplianceControl  gdpr-art35              100%        live
ComplianceControl  dora-art10              100%        live
ComplianceControl  iso27001-a.5.23         100%        live
ComplianceControl  dora-art17              100%        live
ComplianceControl  owasp_api_top10-api05   100%        live
ComplianceControl  dora-art9               100%        live
ComplianceControl  pci_dss_v4-r2           100%        live
ComplianceControl  gdpr-art25              100%        live
ComplianceControl  nis2-art21f             100%        live
ComplianceControl  nis2-art21i             100%        live
ComplianceControl  gdpr-art34              100%        live
ComplianceControl  iso27001-a.8.2          100%        live
ComplianceControl  owasp_llm_top10-llm06   100%        live
ComplianceControl  cis_v8-2                100%        live
ComplianceControl  gdpr-art32              100%        live
ComplianceControl  pci_dss_v4-r7           100%        live
ComplianceControl  pci_dss_v4-r5           100%        live
ComplianceControl  cis_v8-6                100%        live
ComplianceControl  cis_v8-5                100%        live
ComplianceControl  nis2-art21a             100%        live
ComplianceControl  iso27701-a.7.3.6        100%        live
ComplianceControl  tiber_eu-closure        100%        live
ComplianceControl  ai_act-art15            100%        live
ComplianceControl  tiber_eu-testing        100%        live
ComplianceControl  cis_v8-4                100%        live

Showing top 30 of 32 by confidence.

Vulnerabilities (incoming) · 116


Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Incorrect Privilege Assignment
  • CWE: Incorrect User Management
  • CWE: Improper Access Control
  • CWE: Improper Handling of Insufficient Privileges
  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE: Improper Authorization

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.