CWE-732— Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.— MITRE CWE catalog
1,737 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-732page 34 of 35
- CVE-2025-69426CRITICALCVSS 10.0EG 10.02026-01-09
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions…
- CVE-2025-8042CRITICALCVSS 9.8EG 9.82025-08-19
Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.
- CVE-2025-8108MEDIUMCVSS 6.7EG 6.72025-11-11
An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of un…
- CVE-2025-8148MEDIUMCVSS 4.2EG 4.22025-12-05
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their S…
- CVE-2025-8886MEDIUMCVSS 6.7EG 6.72025-10-10
Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privile…
- CVE-2025-9578HIGHCVSS 7.8EG 7.82025-08-28
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734.
- CVE-2026-0271HIGHCVSS 7.8EG 7.82026-06-10
A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges. This does not impact Prisma Access Agent on Windows, macOS, iOS,…
- CVE-2026-0541MEDIUMCVSS 6.7EG 6.72026-05-12
ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allo…
- CVE-2026-0775HIGHCVSS 7.0EG 7.02026-01-23
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute l…
- CVE-2026-10591HIGHCVSS 8.8EG 8.82026-06-02
Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitiv…
- CVE-2026-10840HIGHCVSS 7.1EG 9.62026-06-04
A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRo…
- CVE-2026-10997MEDIUMCVSS 6.5EG 6.52026-06-04
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromiu…
- CVE-2026-1185MEDIUMCVSS 5.4EG 5.42026-05-12
A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis devi…
- CVE-2026-12957HIGHCVSS 7.8EG 7.82026-06-23
Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the proje…
- CVE-2026-13079HIGHCVSS 7.8EG 7.82026-07-03
A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\SYSTEM on the machine where the client is installed. This issue affec…
- CVE-2026-13769MEDIUMCVSS 5.5EG 5.52026-07-01
Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the s…
- CVE-2026-20092MEDIUMCVSS 6.0EG 6.02026-01-21
A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerabil…
- CVE-2026-21011MEDIUMCVSS 6.8EG 6.82026-04-13
Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.
- CVE-2026-21727LOWCVSS 3.3EG 3.32026-04-15
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana sever…
- CVE-2026-21765HIGHCVSS 8.8EG 8.82026-04-02
HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.
- CVE-2026-22280MEDIUMCVSS 5.0EG 5.02026-01-22
Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical …
- CVE-2026-2254MEDIUMCVSS 6.3EG 6.32026-05-27
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.
- CVE-2026-22676HIGHCVSS 7.8EG 7.82026-04-15
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Atta…
- CVE-2026-22768HIGHCVSS 7.3EG 7.32026-04-01
Dell AppSync, version(s) 4.6.0, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
- CVE-2026-23648HIGHCVSS 7.8EG 7.82026-02-17
Glory RBG-100 recycler systems using the ISPK-08 software component contain multiple system binaries with overly permissive file permissions. Several binaries executed by the root user are writable and executable by unprivileged local user…
- CVE-2026-24049HIGHCVSS 7.1EG 7.12026-01-22
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after ext…
- CVE-2026-24131MEDIUMCVSS 5.5EG 5.52026-01-26
pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"director…
- CVE-2026-24291HIGHCVSS 7.8EG 7.82026-03-10
Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.
- CVE-2026-24834HIGHCVSS 8.8EG 8.82026-02-19
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the co…
- CVE-2026-25112HIGHCVSS 7.8EG 7.82026-05-26
A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack.
- CVE-2026-2637HIGHCVSS 7.8EG 7.82026-03-03
iBoysoft NTFS for Mac contains a local privilege escalation vulnerability in its privileged helper daemon ntfshelperd. The daemon exposes an NSConnection service that runs as root without implementing any authentication or authorization c…
- CVE-2026-26422HIGHCVSS 8.4EG 8.42026-06-06
clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.
- CVE-2026-27788HIGHCVSS 7.8EG 7.82026-06-01
Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected p…
- CVE-2026-28264MEDIUMCVSS 5.5EG 3.32026-04-08
Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading…
- CVE-2026-29516MEDIUMCVSS 4.9EG 4.92026-03-16
Buffalo TeraStation NAS TS5400R firmware version 4.02-0.06 and prior contain an excessive file permissions vulnerability that allows authenticated attackers to read the /etc/shadow file by uploading and executing a PHP file through the web…
- CVE-2026-32048HIGHCVSS 7.5EG 7.52026-03-21
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can …
- CVE-2026-32315MEDIUMCVSS 5.5EG 5.52026-06-22
motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it…
- CVE-2026-32684LOWCVSS 2.9EG 2.92026-05-12
The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.
- CVE-2026-3315HIGHCVSS 7.8EG 7.82026-03-10
Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affe…
- CVE-2026-33271MEDIUMCVSS 6.7EG 6.72026-04-02
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 42902.
- CVE-2026-34352CRITICALCVSS 9.8EG 8.52026-03-26
In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
- CVE-2026-35341HIGHCVSS 7.1EG 7.12026-04-22
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation …
- CVE-2026-35367LOWCVSS 3.3EG 3.32026-04-22
The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (06…
- CVE-2026-40462MEDIUMCVSS 6.5EG 6.52026-05-13
Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of T…
- CVE-2026-41217HIGHCVSS 7.9EG 7.92026-05-13
A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance …
- CVE-2026-41288HIGHCVSS 7.8EG 7.82026-05-06
Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\\SYSTEM.
- CVE-2026-41366MEDIUMCVSS 5.5EG 5.52026-04-28
OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfil…
- CVE-2026-41489HIGHCVSS 8.8EG 8.82026-05-11
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihol…
- CVE-2026-41686MEDIUMCVSS 4.4EG 4.42026-05-04
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created mem…
- CVE-2026-41959MEDIUMCVSS 6.5EG 6.52026-05-13
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of …
Map vulnerabilities like CWE-732 to your infrastructure
EchelonGraph correlates every CVE — across CWE-732 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →