CWE-1220— Insufficient Granularity of Access Control
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.— MITRE CWE catalog
93 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1220page 2 of 2
- CVE-2025-1278MEDIUMCVSS 5.3EG 5.32025-05-09
An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
- CVE-2025-20111HIGHCVSS 7.4EG 7.42025-02-26
A vulnerability in the health monitoring diagnostics of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the device to reload unexpect…
- CVE-2025-20305MEDIUMCVSS 4.3EG 4.32025-11-05
A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability exists because certain files lack proper data p…
- CVE-2025-20628MEDIUMCVSS 6.9EG 6.92026-04-07
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. T…
- CVE-2025-22839HIGHCVSS 7.5EG 7.52025-08-12
Insufficient granularity of access control in the OOB-MSM for some Intel(R) Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable escalation of privilege via adjacent access.
- CVE-2025-2408MEDIUMCVSS 5.3EG 5.32025-04-10
An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
- CVE-2025-2498LOWCVSS 3.1EG 3.12025-08-13
An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups …
- CVE-2025-27026MEDIUMCVSS 4.9EG 4.92025-07-02
A missing double-check feature in the WebGUI for CLI deactivation in Infinera G42 version R6.1.3 allows an authenticated administrator to make other management interfaces unavailable via local and network interfaces. The CLI deactivation…
- CVE-2025-29987HIGHCVSS 8.8EG 8.82025-04-03
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this v…
- CVE-2025-31201CRITICALCVSS 9.8EG 9.8⚠ KEV2025-04-16
This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, visionOS 2.4.1. An attacker with arbitrary read and write capability may be able to bypass Po…
- CVE-2025-31961LOWCVSS 3.7EG 3.72025-08-15
HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.
- CVE-2025-32703MEDIUMCVSS 5.5EG 5.52025-05-13
Insufficient granularity of access control in Visual Studio allows an authorized attacker to disclose information locally.
- CVE-2025-35998HIGHCVSS 7.9EG 7.92026-02-10
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. System software adversary with a privileged user …
- CVE-2025-3648HIGHCVSS 8.2EG 8.22025-07-08
A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and…
- CVE-2025-4404CRITICALCVSS 9.1EG 9.12025-06-17
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services w…
- CVE-2025-48514MEDIUMCVSS 4.0EG 4.02026-02-10
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
- CVE-2025-48517MEDIUMCVSS 4.6EG 4.62026-02-10
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of con…
- CVE-2025-4979MEDIUMCVSS 4.9EG 4.92025-05-22
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by s…
- CVE-2025-54461MEDIUMCVSS 5.3EG 5.32025-10-16
ChatLuck contains an insufficient granularity of access control vulnerability in Invitation of Guest Users. If exploited, an uninvited guest user may register itself as a guest user.
- CVE-2025-54518HIGHCVSS 7.0EG 7.32026-05-15
Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.
- CVE-2025-5982LOWCVSS 3.7EG 3.72025-06-12
An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
- CVE-2025-69196MEDIUMCVSS 6.5EG 6.52026-03-16
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the to…
- CVE-2025-7001LOWCVSS 2.7EG 4.32025-07-24
An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resource_group information through the API …
- CVE-2025-7493CRITICALCVSS 9.1EG 9.12025-09-30
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version ad…
- CVE-2025-8049HIGHCVSS 8.8EG 8.82025-10-20
Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow a low-privilege user to elevate privileges within the appl…
- CVE-2025-8053CRITICALCVSS 9.1EG 9.12025-10-20
Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow a low privilege user to interact with the backend API with…
- CVE-2025-8306MEDIUMCVSS 5.1EG 5.12026-01-08
Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due…
- CVE-2026-0873MEDIUMCVSS 4.8EG 4.82026-02-04
On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global …
- CVE-2026-14615MEDIUMCVSS 4.3EG 4.32026-07-03
A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions…
- CVE-2026-20107MEDIUMCVSS 5.5EG 5.52026-02-25
A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of servic…
- CVE-2026-2651CRITICALCVSS 9.0EG 9.02026-05-25
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/m…
- CVE-2026-33825HIGHCVSS 7.8EG 9.0⚠ KEV2026-04-14
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
- CVE-2026-35436HIGHCVSS 8.8EG 8.82026-05-12
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
- CVE-2026-37981MEDIUMCVSS 4.3EG 4.32026-05-19
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest person…
- CVE-2026-38743MEDIUMCVSS 4.3EG 4.32026-04-24
The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts (including…
- CVE-2026-39363HIGHCVSS 7.5EG 7.52026-04-07
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custo…
- CVE-2026-40365HIGHCVSS 8.8EG 8.82026-05-12
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2026-40690MEDIUMCVSS 4.3EG 4.32026-04-24
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAG…
- CVE-2026-40981HIGHCVSS 7.5EG 7.52026-05-07
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 t…
- CVE-2026-41326HIGHCVSS 8.2EG 8.22026-04-24
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handl…
- CVE-2026-6356CRITICALCVSS 9.6EG 9.62026-04-22
A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information.
- CVE-2026-6388CRITICALCVSS 9.1EG 9.12026-04-15
A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace boundaries. By exploiting insufficient valida…
- CVE-2026-9088LOWCVSS 2.7EG 2.72026-06-05
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user a…
Map vulnerabilities like CWE-1220 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1220 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →