Home/CWE/Improper Access Control
Weakness

Improper Access Control

CWE-284 · Pillar · Incomplete

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Extended description

Access control involves the use of several protection mechanisms such as: Authentication (proving the identity of an actor) Authorization (ensuring that a given actor can access a resource), and Accountability (tracking of activities that were performed) When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.

Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Children (more specific)
ParentOfCWE-1191 · On-Chip Debug and Test Interface With Improper Access Control
ParentOfCWE-1220 · Insufficient Granularity of Access Control
ParentOfCWE-1224 · Improper Restriction of Write-Once Bit Fields
ParentOfCWE-1231 · Improper Prevention of Lock Bit Modification
ParentOfCWE-1233 · Security-Sensitive Hardware Controls with Missing Lock Bit Protection
ParentOfCWE-1252 · CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
ParentOfCWE-1257 · Improper Access Control Applied to Mirrored or Aliased Memory Regions
ParentOfCWE-1259 · Improper Restriction of Security Token Assignment
ParentOfCWE-1260 · Improper Handling of Overlap Between Protected Memory Ranges
ParentOfCWE-1262 · Improper Access Control for Register Interface
ParentOfCWE-1263 · Improper Physical Access Control
ParentOfCWE-1267 · Policy Uses Obsolete Encoding
ParentOfCWE-1270 · Generation of Incorrect Security Tokens
ParentOfCWE-1274 · Improper Access Control for Volatile Memory Containing Boot Code
ParentOfCWE-1276 · Hardware Child Block Incorrectly Connected to Parent System
ParentOfCWE-1280 · Access Control Check Implemented After Asset is Accessed
ParentOfCWE-1283 · Mutable Attestation or Measurement Reporting Data
ParentOfCWE-1290 · Incorrect Decoding of Security Identifiers
ParentOfCWE-1292 · Incorrect Conversion of Security Identifiers
ParentOfCWE-1294 · Insecure Security Identifier Mechanism
ParentOfCWE-1296 · Incorrect Chaining or Granularity of Debug Components
ParentOfCWE-1304 · Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
ParentOfCWE-1311 · Improper Translation of Security Attributes by Fabric Bridge
ParentOfCWE-1312 · Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
ParentOfCWE-1313 · Hardware Allows Activation of Test or Debug Logic at Runtime
ParentOfCWE-1315 · Improper Setting of Bus Controlling Capability in Fabric End-point
ParentOfCWE-1316 · Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
ParentOfCWE-1317 · Improper Access Control in Fabric Bridge
ParentOfCWE-1320 · Improper Protection for Outbound Error Messages and Alert Signals
ParentOfCWE-1323 · Improper Management of Sensitive Trace Data
ParentOfCWE-1334 · Unauthorized Error Injection Can Degrade Hardware Redundancy
ParentOfCWE-269 · Improper Privilege Management
ParentOfCWE-282 · Improper Ownership Management
ParentOfCWE-285 · Improper Authorization
ParentOfCWE-286 · Incorrect User Management
ParentOfCWE-287 · Improper Authentication
ParentOfCWE-288 · Authentication Bypass Using an Alternate Path or Channel
ParentOfCWE-346 · Origin Validation Error
ParentOfCWE-639 · Authorization Bypass Through User-Controlled Key
ParentOfCWE-749 · Exposed Dangerous Method or Function
ParentOfCWE-862 · Missing Authorization
ParentOfCWE-863 · Incorrect Authorization
ParentOfCWE-923 · Improper Restriction of Communication Channel to Intended Endpoints

Attack Patterns (CAPEC)

17
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-19Embedding Scripts within Scripts
CAPEC-441Malicious Logic Insertion
CAPEC-478Modification of Windows Service Configuration
CAPEC-479Malicious Root Certificate
CAPEC-502Intent Spoof
CAPEC-503WebView Exposure
CAPEC-536Data Injected During Configuration
CAPEC-546Incomplete Data Deletion in a Multi-Tenant Environment
CAPEC-550Install New Service
CAPEC-551Modify Existing Service
CAPEC-552Install Rootkit
CAPEC-556Replace File Extension Handlers
CAPEC-558Replace Trusted Executable
CAPEC-562Modify Shared File
CAPEC-563Add Malicious File to Shared Webroot
CAPEC-564Run Software at Logon
CAPEC-578Disable Security Software

CVEs With This Weakness

4,904
A sample of the 4,904 CVEs tagged with this weakness.
CVECVE-2026-8766
CVECVE-2026-8758
CVECVE-2026-8752
CVECVE-2026-8750
CVECVE-2026-8586
CVECVE-2026-8566
CVECVE-2026-8556
CVECVE-2026-8545
CVECVE-2026-8233
CVECVE-2026-8127
CVECVE-2026-8069
CVECVE-2026-8033

Nuclei Scanner Templates

30
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalZenphoto <1.5 Installer - Detect
criticalbaserCMS Installation - Exposure
criticalnopCommerce Installer - Detect
criticalCirCarLife - Installer
criticalmCloud Panel - Installer
criticalGetSimple CMS - Installer
criticalGogs (Go Git Service) - Installer
criticalWordPress Exposed Installation
criticalChurchCRM - API Authentication Bypass via URL Injection
criticalProgress ShareFile Storage Zones Controller - Authentication Bypass
criticalWordPress Image Hover Ultimate - Unauthenticated Settings Update
criticalControlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation
criticalPaperCut - Unauthenticated Remote Code Execution
criticalCitrix ShareFile StorageZones Controller - Unauthenticated Remote Code Execution
criticalDATAGERRY - REST API Auth Bypass
criticalSPIP Porte Plume Plugin - Remote Code Execution
criticalOracle WebLogic Server Administration Console - Remote Code Execution
criticalosTicket Installer Panel - Detect
criticalProFTPd - Remote Code Execution
highDEOS OPEN 500EMS Controller - Admin Exposure
highZhongQing Education Cloud Platform - Information Exposure
highSolar-Log 500 2.8.2 - Incorrect Access Control
highDEOS OPENview Admin Panel Unauthenticated Access
highHomebridge - Unfinished Installation
highCraft CMS Installation Wizard Exposure
highXiuno BBS CNVD-2019-01348
highJoplin 3.3.3 Server - Privilege Escalation
highXWiki - Information Disclosure
highWavlink - Improper Access Control
highWebmin <1.990 - Improper Access Control
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin