CWE-732— Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.— MITRE CWE catalog
1,737 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-732page 35 of 35
- CVE-2026-42058MEDIUMCVSS 4.3EG 4.32026-05-13
An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CVE-2026-42497HIGHCVSS 7.5EG 7.52026-05-26
Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or ..…
- CVE-2026-42812CRITICALCVSS 9.9EG 9.92026-05-04
In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to wri…
- CVE-2026-42937MEDIUMCVSS 6.5EG 6.52026-05-13
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network informatio…
- CVE-2026-43721MEDIUMCVSS 6.5EG 7.52026-06-29
This issue was addressed through improved state management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to silently hijack clipboard data.
- CVE-2026-44268MEDIUMCVSS 4.4EG 4.42026-07-03
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an incorrect permi…
- CVE-2026-4482MEDIUMCVSS 5.5EG 5.52026-04-10
The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead t…
- CVE-2026-45222MEDIUMCVSS 6.1EG 6.12026-05-11
Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer to…
- CVE-2026-45246MEDIUMCVSS 5.5EG 5.52026-05-18
Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refres…
- CVE-2026-45353HIGHCVSS 7.8EG 7.82026-05-28
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, This vulnerability is fixed in 3.9.0.
- CVE-2026-49340HIGHCVSS 8.1EG 8.12026-06-19
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (including non-admin) to write playlist M3…
- CVE-2026-50209HIGHCVSS 7.8EG 7.82026-06-04
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
- CVE-2026-50267MEDIUMCVSS 4.7EG 4.72026-06-17
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_S…
- CVE-2026-50570HIGHCVSS 8.5EG 8.52026-06-10
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment an…
- CVE-2026-50590MEDIUMCVSS 4.5EG 4.52026-06-05
In Mimecast Incydr before 2.6.0, arbitrary file access can occur.
- CVE-2026-53856MEDIUMCVSS 5.5EG 5.52026-06-16
OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by …
- CVE-2026-54327LOWCVSS 2.2EG 2.22026-06-17
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the p…
- CVE-2026-55441HIGHCVSS 8.6EG 8.62026-06-23
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check, but task-include files are loaded on a path that never reaches it. …
- CVE-2026-58174MEDIUMCVSS 6.5EG 6.52026-06-30
Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import handler, so the imported session is persist…
- CVE-2026-58424HIGHCVSS 8.9EG 8.92026-07-03
Permanent Fork PR Workflow Approval Gate Bypass
- CVE-2026-59148HIGHCVSS 8.8EG 8.82026-07-09
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtime…
- CVE-2026-59946MEDIUMCVSS 6.1EG 6.12026-07-08
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to …
- CVE-2026-6369MEDIUMCVSS 5.5EG 5.52026-04-20
An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the …
- CVE-2026-6386MEDIUMCVSS 6.2EG 6.22026-04-22
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created u…
- CVE-2026-6499LOWCVSS 2.4EG 2.42026-05-04
Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries. This issue affects OpenConcerto: 1.7.5.
- CVE-2026-6842LOWCVSS 2.5EG 2.52026-04-22
A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.de…
- CVE-2026-7431MEDIUMCVSS 4.4EG 4.42026-05-12
An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.
- CVE-2026-7480HIGHCVSS 7.3EG 7.32026-05-29
An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypass the validation mechan…
- CVE-2026-8069HIGHCVSS 8.5EG 8.52026-05-08
PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigure…
- CVE-2026-8070HIGHCVSS 7.3EG 7.32026-05-29
Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver’s validation mechanism, resulting in unauthorized read and write access to physical memory.Refer to the ' Security Update…
- CVE-2026-8110HIGHCVSS 7.8EG 7.82026-05-12
Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.
- CVE-2026-8612MEDIUMCVSS 5.3EG 5.32026-05-15
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache backend, WWW::Mechanize::Cached constru…
- CVE-2026-9085HIGHCVSS 8.8EG 8.82026-07-05
Incorrect Permission Assignment for Critical Resource, Improper Access Control vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus-Parental-Control allows DNS Spoofing. This issue affects Pardus-Parental-Contro…
- CVE-2026-9489HIGHCVSS 8.5EG 8.52026-05-25
NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing …
- CVE-2026-9508CRITICALCVSS 10.0EG 10.02026-05-29
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerabil…
- CVE-2026-9651MEDIUMCVSS 6.7EG 6.72026-06-25
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protect…
- CVE-2026-9789HIGHCVSS 8.5EG 8.52026-05-28
A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). Thi…
Map vulnerabilities like CWE-732 to your infrastructure
EchelonGraph correlates every CVE — across CWE-732 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →