CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 66 of 94
- CVE-2025-45157MEDIUMCVSS 6.5EG 6.52025-07-18
Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users.
- CVE-2025-45237HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password.
- CVE-2025-45343CRITICALCVSS 9.8EG 9.82025-05-28
An issue in Tenda W18E v.2.0 v.16.01.0.11 allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules route.
- CVE-2025-4535MEDIUMCVSS 5.3EG 5.32025-05-11
A vulnerability, which was classified as problematic, was found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 4.0. Affected is an unknown function of the file /config/config.properties of the component Configurati…
- CVE-2025-4536MEDIUMCVSS 5.3EG 5.32025-05-11
A vulnerability has been found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysmgr/user/listByPage. The mani…
- CVE-2025-4538MEDIUMCVSS 6.3EG 6.32025-05-11
A vulnerability was found in kkFileView 4.4.0. It has been classified as critical. This affects an unknown part of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the att…
- CVE-2025-45422HIGHCVSS 8.1EG 8.12026-07-09
Incorrect access control in Proximus b-box v8c.725A allows authenticated attackers to bypass normal restrictions and make arbitrary changes to port forwarding rules.
- CVE-2025-45424MEDIUMCVSS 5.3EG 5.32025-07-02
Incorrect access control in Xinference before v1.4.0 allows attackers to access the Web GUI without authentication.
- CVE-2025-45584HIGHCVSS 7.5EG 7.52025-09-12
Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication.
- CVE-2025-45608HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the /system/user/findUserList API of Xinguan v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45609HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the doFilter function of kob latest v1.0.0-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45610HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the component /scheduleLog/info/1 of PassJava-Platform v3.0.0 allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45611CRITICALCVSS 9.8EG 9.82025-05-05
Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
- CVE-2025-45612CRITICALCVSS 9.8EG 9.82025-05-05
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
- CVE-2025-45613HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45614HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45615CRITICALCVSS 9.8EG 9.82025-05-05
Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted request.
- CVE-2025-45616CRITICALCVSS 9.8EG 9.82025-05-05
Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request.
- CVE-2025-45617HIGHCVSS 7.5EG 7.52025-05-05
Incorrect access control in the component /user/list of production_ssm v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45618MEDIUMCVSS 6.5EG 6.52025-05-05
Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload.
- CVE-2025-45729MEDIUMCVSS 6.3EG 6.32025-06-27
D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services.
- CVE-2025-46014HIGHCVSS 8.8EG 8.82025-06-30
Several services in Honor Device Co., Ltd Honor PC Manager v16.0.0.118 was discovered to connect services to the named pipe iMateBookAssistant with default or overly permissive security attributes, leading to a privilege escalation.
- CVE-2025-46118MEDIUMCVSS 5.3EG 7.32025-07-21
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access to the controller, …
- CVE-2025-46174HIGHCVSS 7.5EG 7.52025-11-26
Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
- CVE-2025-46175HIGHCVSS 7.5EG 7.52025-11-26
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
- CVE-2025-46282MEDIUMCVSS 5.5EG 5.52025-12-17
The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.
- CVE-2025-46288MEDIUMCVSS 5.5EG 5.52025-12-17
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. An app may be able to access sensitive payment tokens.
- CVE-2025-46292MEDIUMCVSS 5.5EG 5.52025-12-17
This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access user-sensitive data.
- CVE-2025-46297MEDIUMCVSS 5.5EG 5.52026-01-09
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected files within an App Sandbox container.
- CVE-2025-46299MEDIUMCVSS 4.3EG 4.32026-01-09
A memory initialization issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content m…
- CVE-2025-46307MEDIUMCVSS 5.5EG 5.52026-05-26
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
- CVE-2025-46308MEDIUMCVSS 5.3EG 5.32026-06-11
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.
- CVE-2025-46315HIGHCVSS 7.5EG 7.52026-06-11
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data.
- CVE-2025-46331CRITICALCVSS 9.8EG 9.82025-04-30
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization b…
- CVE-2025-46362MEDIUMCVSS 6.6EG 6.62025-11-13
Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampe…
- CVE-2025-46391MEDIUMCVSS 6.5EG 6.52025-08-06
CWE-284: Improper Access Control
- CVE-2025-46552MEDIUMCVSS 6.3EG 6.32025-04-29
KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addres…
- CVE-2025-46566CRITICALCVSS 9.8EG 9.82025-05-01
DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.9, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.9.
- CVE-2025-46588MEDIUMCVSS 4.4EG 4.42025-05-06
Vulnerability of unauthorized access in the app lock module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
- CVE-2025-46589MEDIUMCVSS 4.4EG 4.42025-05-06
Vulnerability of unauthorized access in the app lock module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
- CVE-2025-46608CRITICALCVSS 9.1EG 9.12025-11-12
Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulne…
- CVE-2025-46619HIGHCVSS 7.6EG 7.62025-04-30
A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant …
- CVE-2025-46628HIGHCVSS 7.3EG 7.32025-05-01
Lack of input validation/sanitization in the 'ate' management service in the Tenda RX2 Pro 16.03.30.14 allows an unauthorized remote attacker to gain root shell access to the device by sending a crafted UDP packet to the 'ate' service when…
- CVE-2025-46629MEDIUMCVSS 6.5EG 6.52025-05-01
Lack of access controls in the 'ate' management binary of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to perform unauthorized configuration changes for any router where 'ate' has been enabled by sending a crafte…
- CVE-2025-46635HIGHCVSS 7.1EG 7.12025-05-01
An issue was discovered on Tenda RX2 Pro 16.03.30.14 devices. Improper network isolation between the guest Wi-Fi network and other network interfaces on the router allows an attacker (who is authenticated to the guest Wi-Fi) to access reso…
- CVE-2025-46691HIGHCVSS 7.8EG 7.82026-01-28
Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
- CVE-2025-46816CRITICALCVSS 9.4EG 9.42025-05-06
goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check…
- CVE-2025-46889MEDIUMCVSS 5.4EG 5.42025-06-10
Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measure…
- CVE-2025-47161HIGHCVSS 7.8EG 7.82025-05-15
Improper access control in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
- CVE-2025-47179MEDIUMCVSS 6.7EG 6.72025-11-11
Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →