CWE-732: Incorrect Permission Assignment for Critical Resource
1,707 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-732 (page 34 of 35)
- CVE-2025-8148 | MEDIUM | CVSS 4.2 | EG 4.2 | 2025-12-05
  An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their S…
- CVE-2025-8886 | MEDIUM | CVSS 6.7 | EG 6.7 | 2025-10-10
  Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privile…
- CVE-2025-9578 | HIGH | CVSS 7.8 | EG 7.8 | 2025-08-28
  Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734.
- CVE-2026-0541 | MEDIUM | CVSS 6.7 | EG 6.7 | 2026-05-12
  ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allo…
- CVE-2026-0775 | HIGH | CVSS 7.0 | EG 7.0 | 2026-01-23
  npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute l…
- CVE-2026-10591 | HIGH | CVSS 8.8 | EG 8.8 | 2026-06-02
  Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitiv…
- CVE-2026-10840 | CRITICAL | CVSS 9.6 | EG 9.6 | 2026-06-04
  A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRo…
- CVE-2026-1185 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-05-12
  A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis devi…
- CVE-2026-20092 | MEDIUM | CVSS 6.0 | EG 6.0 | 2026-01-21
  A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerabil…
- CVE-2026-21011 | MEDIUM | CVSS 6.8 | EG 6.8 | 2026-04-13
  Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.
- CVE-2026-21727 | LOW | CVSS 3.3 | EG 3.3 | 2026-04-15
  Cross-Tenant Legacy Correlation Disclosure and Deletion (Grafana advisory dated 2026-01-29) …
- CVE-2026-21765 | HIGH | CVSS 8.8 | EG 8.8 | 2026-04-02
  HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.
- CVE-2026-22280 | MEDIUM | CVSS 5.0 | EG 5.0 | 2026-01-22
  Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical …
- CVE-2026-2254 | MEDIUM | CVSS 6.3 | EG 6.3 | 2026-05-27
  Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notifications.
- CVE-2026-22676 | HIGH | CVSS 7.8 | EG 7.8 | 2026-04-15
  Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Atta…
- CVE-2026-22768 | HIGH | CVSS 7.3 | EG 7.3 | 2026-04-01
  Dell AppSync, version(s) 4.6.0, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
- CVE-2026-23648 | HIGH | CVSS 7.8 | EG 7.8 | 2026-02-17
  Glory RBG-100 recycler systems using the ISPK-08 software component contain multiple system binaries with overly permissive file permissions. Several binaries executed by the root user are writable and executable by unprivileged local user…
- CVE-2026-24049 | HIGH | CVSS 7.1 | EG 7.1 | 2026-01-22
  wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after ext…
- CVE-2026-24131 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-01-26
  pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"director…
- CVE-2026-25112 | HIGH | CVSS 7.8 | EG 7.8 | 2026-05-26
  A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack.
- CVE-2026-27788 | HIGH | CVSS 7.8 | EG 7.8 | 2026-06-01
  Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected p…
- CVE-2026-28264 | LOW | CVSS 3.3 | EG 3.3 | 2026-04-08
  Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading…
- CVE-2026-32684 | LOW | CVSS 2.9 | EG 2.9 | 2026-05-12
  The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.
- CVE-2026-33271 | MEDIUM | CVSS 6.7 | EG 6.7 | 2026-04-02
  Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 42902.
- CVE-2026-34352 | HIGH | CVSS 8.5 | EG 8.5 | 2026-03-26
  In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
- CVE-2026-35341 | HIGH | CVSS 7.1 | EG 7.1 | 2026-04-22
  A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation …
- CVE-2026-35367 | LOW | CVSS 3.3 | EG 3.3 | 2026-04-22
  The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (06…
- CVE-2026-40462 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-13
  Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of T…
- CVE-2026-41217 | HIGH | CVSS 7.9 | EG 7.9 | 2026-05-13
  A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance …
- CVE-2026-41288 | HIGH | CVSS 7.8 | EG 7.8 | 2026-05-06
  Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\SYSTEM.
- CVE-2026-41366 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-04-28
  OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfil…
- CVE-2026-41489 | HIGH | CVSS 8.8 | EG 8.8 | 2026-05-11
  Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihol…
- CVE-2026-41686 | MEDIUM | CVSS 4.4 | EG 4.4 | 2026-05-04
  Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created mem…
- CVE-2026-41959 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-13
  Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of …
- CVE-2026-42058 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-05-13
  An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CVE-2026-42497 | HIGH | CVSS 7.5 | EG 7.5 | 2026-05-26
  Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or ..…
- CVE-2026-42812 | CRITICAL | CVSS 9.9 | EG 9.9 | 2026-05-04
  In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to wri…
- CVE-2026-42937 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-13
  Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network informatio…
- CVE-2026-4482 | MEDIUM | CVSS 6.8 | EG 0.0 | 2026-04-10
  The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead t…
- CVE-2026-45222 | MEDIUM | CVSS 6.1 | EG 6.1 | 2026-05-11
  Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer to…
- CVE-2026-45246 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-05-18
  Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refres…
- CVE-2026-45353 | HIGH | CVSS 7.8 | EG 7.8 | 2026-05-28
  electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, this vulnerability is fixed in 3.9.0.
- CVE-2026-50209 | HIGH | CVSS 7.8 | EG 7.8 | 2026-06-04
  Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
- CVE-2026-50590 | MEDIUM | CVSS 4.5 | EG 4.5 | 2026-06-05
  In Mimecast Incydr before 2.6.0, arbitrary file access can occur.
- CVE-2026-6369 | MEDIUM | CVSS 5.7 | EG 5.7 | 2026-04-20
  An improper access control vulnerability in the canonical-livepatch snap client prior to version 10.15.0 allows a local unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the …
- CVE-2026-6386 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-04-22
  In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created u…
- CVE-2026-6499 | LOW | CVSS 2.4 | EG 2.4 | 2026-05-04
  Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries. This issue affects OpenConcerto: 1.7.5.
- CVE-2026-6842 | LOW | CVSS 2.5 | EG 2.5 | 2026-04-22
  A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.de…
- CVE-2026-7431 | MEDIUM | CVSS 4.4 | EG 4.4 | 2026-05-12
  An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.
- CVE-2026-7480 | HIGH | CVSS 7.3 | EG 7.3 | 2026-05-29
  An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypasses the validation mechan…