Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

What CVEs are caused by CWE-268?

21 recorded CVEs are attributed to CWE-268, including CVE-2024-4877, CVE-2023-5839, CVE-2026-32325.

How do you prevent CWE-268?

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

What are the consequences of CWE-268?

Exploiting CWE-268 can lead to: Gain Privileges or Assume Identity.

Is CWE-268 actively exploited?

21 recorded CVEs are caused by CWE-268; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-268: Privilege Chaining

CVE-2025-64701

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.

Vulnerable example

java

public enum Roles {

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.

CWE-268: Privilege Chaining

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-268?

What CVEs are caused by CWE-268?

How do you prevent CWE-268?

What are the consequences of CWE-268?

Is CWE-268 actively exploited?

References

Stay ahead of CWE-268

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-268?

What CVEs are caused by CWE-268?

How do you prevent CWE-268?

What are the consequences of CWE-268?

Is CWE-268 actively exploited?

References

Stay ahead of CWE-268