CWE-266: Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Last updated
Overview
CWE-266 (Incorrect Privilege Assignment) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
629 recorded CVEs are caused by CWE-266 (Incorrect Privilege Assignment), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 207 new CWE-266 CVEs have been recorded so far in 2026 (217 in 2025).