CWE-1220: Insufficient Granularity of Access Control
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
Last updated
Overview
Integrated circuits and hardware engines can expose accesses to assets (device configuration, keys, etc.) to trusted firmware or a software module (commonly set by BIOS/bootloader). This access is typically access-controlled. Upon a power reset, the hardware or system usually starts with default values in registers, and the trusted firmware (Boot firmware) configures the necessary access-control protection. A common weakness that can exist in such protection schemes is that access controls or policies are not granular enough. This condition allows agents beyond trusted agents to access assets and could lead to a loss of functionality or the ability to set up the device securely. This further results in security risks from leaked, sensitive, key material to modification of device configuration.
Real-world CVEs
88 recorded CVEs are caused by CWE-1220 (Insufficient Granularity of Access Control), including 3 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 25 new CWE-1220 CVEs have been recorded so far in 2026 (33 in 2025).
- CVE-2026-33825CISA KEV
Microsoft Defender Elevation of Privilege Vulnerability
Critical · CVSS 9.3 · EPSS 93th2026-04-14 - CVE-2025-31201CISA KEVCritical · CVSS 9.3 · EPSS 96th2025-04-16
- CVE-2026-56155CISA KEV
Active Directory Federation Services Elevation of Privilege Vulnerability
High · CVSS 7.8 · EPSS 30th2026-07-14 - CVE-2021-31384Critical · CVSS 10.0 · EPSS 63th2021-10-19
- CVE-2023-43040
IBM Spectrum Fusion HCI improper access control
Critical · CVSS 9.8 · EPSS 83th2024-05-13 - CVE-2022-2475Critical · CVSS 9.8 · EPSS 45th2022-10-28
- CVE-2026-6356
CVE-2026-6356
Critical · CVSS 9.6 · EPSS 21th2026-04-22 - CVE-2026-6388
Argocd-image-updater: argocd image updater: cross-namespace privilege escalation via insufficient namespace validation
Critical · CVSS 9.1 · EPSS 28th2026-04-15 - CVE-2025-7493
Freeipa: idm: privilege escalation from host to domain admin in freeipa
Critical · CVSS 9.1 · EPSS 41th2025-09-30 - CVE-2025-4404
Freeipa: idm: privilege escalation from host to domain admin in freeipa
Critical · CVSS 9.1 · EPSS 76th2025-06-17 - CVE-2026-35436
Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
High · CVSS 8.8 · EPSS 12th2026-05-12 - CVE-2026-40365
Microsoft SharePoint Server Remote Code Execution Vulnerability
High · CVSS 8.8 · EPSS 58th2026-05-12
Showing 12 of 88 recorded CWE-1220 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1220 vulnerabilitiesCommon consequences
What can happen when CWE-1220 is exploited.
Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Other
Affects: Confidentiality, Integrity, Availability, Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1220, grouped by where in the lifecycle they apply.
- Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
- Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Consider a system with a register for storing AES key for encryption or decryption. The key is 128 bits, implemented as a set of four 32-bit registers. The key registers are assets and registers, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary access controls.
The read-policy register defines which agents can read the AES-key registers, and write-policy register defines which agents can program or write to those registers. Each register is a 32-bit register, and it can support access control for a maximum of 32 agents. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent.
Within the AXI node interface wrapper module in the RISC-V AXI module of the HACK@DAC'19 CVA6 SoC [REF-1346], an access control mechanism is employed to regulate the access of different privileged users to peripherals.
Consider the following SoC design. The sram in HRoT has an address range that is readable and writable by unprivileged software and it has an area that is only readable by unprivileged software. The tbus interconnect enforces access control for subordinates on the bus but uses only one bit to control both read and write access. Address 0xA0000000 - 0xA000FFFF is readable and writable by the untrusted cores core{0-N} and address 0xA0010000 - 0xA001FFFF is only readable by the untrusted cores core{0-N}.
The security policy access control is not granular enough, as it uses one bit to enable both read and write access. This gives write access to an area that should only be readable by unprivileged agents.
Access control logic should differentiate between read and write access and to have sufficient address granularity.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-36934CISA KEV— An operating system has an overly permission Access Control List onsome system files, including those related to user passwords
- CVE-2022-24985 — A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1220.
- What is CWE-1220?
- The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
- What CVEs are caused by CWE-1220?
- 88 recorded CVEs are attributed to CWE-1220, including CVE-2026-33825, CVE-2025-31201, CVE-2026-56155. 3 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- What are the consequences of CWE-1220?
- Exploiting CWE-1220 can lead to: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Other.
- Is CWE-1220 actively exploited?
- Yes. 3 CWE-1220 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 88 recorded CVEs.
References
- MITRE CWE definition (CWE-1220) (opens in a new tab)
- CWE-1220 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1220
Get alerted the moment a new CWE-1220 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.