CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 81 of 94
- CVE-2026-24290HIGHCVSS 7.8EG 7.82026-03-10
Improper access control in Windows Projected File System allows an authorized attacker to elevate privileges locally.
- CVE-2026-24300CRITICALCVSS 9.8EG 9.82026-02-05
Azure Front Door Elevation of Privilege Vulnerability
- CVE-2026-24302HIGHCVSS 8.6EG 8.62026-02-05
Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-24303CRITICALCVSS 9.6EG 9.62026-04-23
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
- CVE-2026-24304CRITICALCVSS 9.9EG 9.92026-01-23
Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.
- CVE-2026-24306CRITICALCVSS 9.8EG 9.82026-01-22
Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-24420MEDIUMCVSS 6.5EG 6.52026-01-24
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key i…
- CVE-2026-24451HIGHCVSS 7.5EG 7.52026-07-03
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.
- CVE-2026-24473MEDIUMCVSS 5.3EG 5.32026-01-27
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attac…
- CVE-2026-24668MEDIUMCVSS 6.5EG 6.52026-02-03
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action …
- CVE-2026-24670MEDIUMCVSS 6.5EG 6.52026-02-03
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally rest…
- CVE-2026-24690HIGHCVSS 7.5EG 7.52026-07-03
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
- CVE-2026-24711MEDIUMCVSS 5.3EG 5.32026-05-14
Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control.
- CVE-2026-24740CRITICALCVSS 9.9EG 9.92026-01-27
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell i…
- CVE-2026-24904MEDIUMCVSS 5.3EG 5.32026-01-29
TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for ex…
- CVE-2026-25176HIGHCVSS 7.8EG 7.82026-03-10
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2026-25231HIGHCVSS 7.5EG 7.52026-02-09
FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 3.3.0, the application contains an unauthenticated file read vulnerability due to the lack of access control on the /uploads directory. Files uploaded to this di…
- CVE-2026-2549HIGHCVSS 7.3EG 7.32026-02-16
A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to…
- CVE-2026-2550CRITICALCVSS 9.8EG 9.82026-02-16
A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit…
- CVE-2026-25519HIGHCVSS 8.1EG 8.12026-02-04
OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionall…
- CVE-2026-25712HIGHCVSS 7.5EG 7.52026-07-03
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
- CVE-2026-25758HIGHCVSS 7.5EG 7.52026-02-06
Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating …
- CVE-2026-2592HIGHCVSS 7.7EG 7.72026-02-17
The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gatew…
- CVE-2026-25966MEDIUMCVSS 5.9EG 5.92026-02-24
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also suppor…
- CVE-2026-26145MEDIUMCVSS 4.8EG 4.82026-07-02
Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network.
- CVE-2026-26183HIGHCVSS 7.8EG 7.82026-04-14
Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally.
- CVE-2026-26247CRITICALCVSS 9.1EG 9.12026-07-03
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
- CVE-2026-26292CRITICALCVSS 9.8EG 9.82026-07-03
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
- CVE-2026-2665MEDIUMCVSS 6.3EG 6.32026-02-18
A vulnerability was detected in huanzi-qch base-admin up to 57a8126bb3353a004f3c7722089e3b926ea83596. Impacted is the function Upload of the file SysFileController.java of the component JSP Parser. Performing a manipulation of the argument…
- CVE-2026-2666MEDIUMCVSS 4.7EG 4.72026-02-18
A flaw has been found in mingSoft MCMS 6.1.1. The affected element is an unknown function of the file /ms/file/uploadTemplate.do of the component Template Archive Handler. Executing a manipulation of the argument File can lead to unrestric…
- CVE-2026-2684HIGHCVSS 7.3EG 7.32026-02-19
A vulnerability was determined in Tsinghua Unigroup Electronic Archives System up to 3.2.210802(62532). The impacted element is an unknown function of the file /Archive/ErecordManage/uploadFile.html. Executing a manipulation of the argumen…
- CVE-2026-2699CRITICALCVSS 9.8EG 9.82026-04-02
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
- CVE-2026-2734MEDIUMCVSS 6.5EG 6.52026-05-21
In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authentic…
- CVE-2026-27660HIGHCVSS 7.5EG 7.52026-07-03
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
- CVE-2026-2768CRITICALCVSS 10.0EG 10.02026-02-24
Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
- CVE-2026-27708HIGHCVSS 7.1EG 7.12026-06-24
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authent…
- CVE-2026-27779HIGHCVSS 7.5EG 7.52026-07-03
Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation.
- CVE-2026-27914HIGHCVSS 7.8EG 7.82026-04-14
Improper access control in Microsoft Management Console allows an authorized attacker to elevate privileges locally.
- CVE-2026-28374MEDIUMCVSS 4.3EG 4.32026-05-13
Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.
- CVE-2026-28378LOWCVSS 3.1EG 3.12026-07-07
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers.
- CVE-2026-28381HIGHCVSS 8.1EG 9.62026-06-22
The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.
- CVE-2026-28699HIGHCVSS 8.1EG 8.12026-06-16
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
- CVE-2026-28833MEDIUMCVSS 6.2EG 6.22026-03-25
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.
- CVE-2026-28838MEDIUMCVSS 5.3EG 5.32026-03-25
A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox.
- CVE-2026-28863MEDIUMCVSS 6.5EG 6.52026-03-25
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user.
- CVE-2026-28910LOWCVSS 3.3EG 3.32026-05-11
This issue was addressed with improved permissions checking. This issue is fixed in macOS Tahoe 26.4. A malicious app may be able to access arbitrary files.
- CVE-2026-28922MEDIUMCVSS 6.5EG 6.52026-05-11
This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to access private information.
- CVE-2026-28930HIGHCVSS 7.5EG 7.52026-05-11
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.
- CVE-2026-28957LOWCVSS 3.3EG 3.32026-05-11
An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.
- CVE-2026-28965HIGHCVSS 7.5EG 7.52026-05-11
A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.5 and iPadOS 26.5. A user may be able to view restricted content from the lock screen.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →