CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,712 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 91 of 95
- CVE-2026-48204CRITICALCVSS 9.8EG 9.82026-07-06
Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when t…
- CVE-2026-4830MEDIUMCVSS 5.6EG 5.62026-03-26
A vulnerability was identified in kalcaddle kodbox 1.64. This issue affects the function Add of the file app/controller/explorer/userShare.class.php of the component Public Share Handler. Such manipulation leads to unrestricted upload. The…
- CVE-2026-48529MEDIUMCVSS 6.0EG 6.02026-06-25
GitHub MCP Server is GitHub's official MCP Server. From 0.22.0 until 1.1.2, when running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated u…
- CVE-2026-48578HIGHCVSS 7.9EG 7.92026-06-09
Improper access control in Windows Secure Boot allows an authorized attacker to elevate privileges locally.
- CVE-2026-48610HIGHCVSS 8.1EG 8.12026-06-12
Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.
- CVE-2026-48616CRITICALCVSS 9.3EG 9.32026-06-17
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l wi…
- CVE-2026-48617LOWCVSS 1.8EG 1.82026-06-18
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vul…
- CVE-2026-4875MEDIUMCVSS 4.7EG 4.72026-03-26
A vulnerability was determined in itsourcecode Free Hotel Reservation System 1.0. The affected element is an unknown function of the file /admin/mod_amenities/index.php?view=add. This manipulation of the argument image causes unrestricted …
- CVE-2026-48898HIGHCVSS 8.2EG 9.82026-05-26
An improper access check allows privilege escalation through the com_users batch task.
- CVE-2026-48899MEDIUMCVSS 5.3EG 9.82026-05-26
An improper access check allows privilege escalation through the com_users batch task.
- CVE-2026-48900MEDIUMCVSS 6.4EG 4.32026-05-26
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
- CVE-2026-48904HIGHCVSS 8.2EG 9.82026-05-26
An improper access check allows privelege escalation through the com_users group editing webservice endpoint.
- CVE-2026-48906CRITICALCVSS 9.3EG 8.12026-05-27
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
- CVE-2026-48907CRITICALCVSS 10.0EG 10.0⚠ KEV2026-06-05
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
- CVE-2026-48908CRITICALCVSS 10.0EG 10.0⚠ KEV2026-06-20
A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
- CVE-2026-48928MEDIUMCVSS 5.4EG 4.22026-06-26
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
- CVE-2026-48930CRITICALCVSS 9.8EG 5.62026-06-26
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **N…
- CVE-2026-48936LOWCVSS 3.3EG 3.32026-06-26
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.
- CVE-2026-48939CRITICALCVSS 10.0EG 10.0⚠ KEV2026-06-20
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
- CVE-2026-48947MEDIUMCVSS 4.9EG 4.92026-07-07
An improper access check allows privileged users to overwrite media files without editing permissions.
- CVE-2026-48948HIGHCVSS 8.8EG 8.82026-07-07
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
- CVE-2026-48955MEDIUMCVSS 6.5EG 6.52026-07-07
An improper access check allows unauthorized users to access workflow stage and transition information.
- CVE-2026-48956MEDIUMCVSS 5.0EG 5.02026-07-07
An improper access check allows users to display a list of modules in the frontend.
- CVE-2026-48957HIGHCVSS 8.8EG 8.82026-07-07
An improper access check allows unauthorized users to access com_privacy datasets.
- CVE-2026-48958HIGHCVSS 8.8EG 8.82026-07-07
An improper access check allows unauthorized users to create custom fields via webservices endpoints.
- CVE-2026-49002CRITICALCVSS 9.1EG 9.12026-05-27
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
- CVE-2026-49049HIGHCVSS 7.5EG 7.52026-06-29
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.
- CVE-2026-49161HIGHCVSS 7.8EG 7.82026-06-09
Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally.
- CVE-2026-49198MEDIUMCVSS 4.9EG 4.92026-05-29
Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
- CVE-2026-49411MEDIUMCVSS 6.5EG 6.52026-06-16
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A calle…
- CVE-2026-4947HIGHCVSS 7.1EG 7.12026-04-01
Addressed a potential insecure direct object reference (IDOR) vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by man…
- CVE-2026-49805HIGHCVSS 7.0EG 7.02026-07-14
Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.
- CVE-2026-49822HIGHCVSS 7.7EG 7.72026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT…
- CVE-2026-49823HIGHCVSS 7.7EG 7.72026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types — Secret, Config…
- CVE-2026-49824HIGHCVSS 8.5EG 8.52026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validat…
- CVE-2026-49938MEDIUMCVSS 6.2EG 6.52026-06-09
A improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow attacker to improper access control via <insert attack vector here>
- CVE-2026-50006CRITICALCVSS 9.1EG 9.12026-07-14
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode ## Summary Anyquery's `server` mode does not disable or restrict native SQLite disk manipulation commands…
- CVE-2026-5001HIGHCVSS 7.3EG 7.32026-03-28
A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST of the file backend/server.py. This manipulation causes unrestricted upload. The attack is possibl…
- CVE-2026-50132HIGHCVSS 7.3EG 7.32026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (…
- CVE-2026-50280MEDIUMCVSS 6.0EG 6.02026-07-02
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring sa…
- CVE-2026-50297HIGHCVSS 7.0EG 7.02026-07-14
Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.
- CVE-2026-50311HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Windows Server allows an authorized attacker to elevate privileges locally.
- CVE-2026-50325HIGHCVSS 7.0EG 7.02026-07-14
Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.
- CVE-2026-50335HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Windows Operating Systems allows an authorized attacker to elevate privileges locally.
- CVE-2026-50342HIGHCVSS 8.8EG 8.82026-07-14
Improper access control in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally.
- CVE-2026-50351HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Windows Audio Compression Manager (ACM) allows an authorized attacker to elevate privileges locally.
- CVE-2026-50373HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally.
- CVE-2026-50418MEDIUMCVSS 5.1EG 5.12026-07-14
Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-50423HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Windows Kernel allows an authorized attacker to elevate privileges locally.
- CVE-2026-50465HIGHCVSS 7.1EG 7.12026-07-14
Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →