CWE-269: Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Last updated
Overview
CWE-269 (Improper Privilege Management) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
1,711 recorded CVEs are caused by CWE-269 (Improper Privilege Management), including 19 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 327 new CWE-269 CVEs have been recorded so far in 2026 (331 in 2025).
- CVE-2013-0643CISA KEVCritical · CVSS 9.4 · EPSS 95th2013-02-27
- CVE-2024-49035CISA KEV
Partner.Microsoft.Com Elevation of Privilege Vulnerability
Critical · CVSS 9.3 · EPSS 68th2024-11-26 - CVE-2023-35674CISA KEVCritical · CVSS 9.3 · EPSS 81th2023-09-11
- CVE-2021-20021CISA KEVCritical · CVSS 9.3 · EPSS 100th2021-04-09
- CVE-2020-8655CISA KEVCritical · CVSS 9.3 · EPSS 99th2020-02-06
- CVE-2017-5689CISA KEVCritical · CVSS 9.3 · EPSS 100th2017-05-02
- CVE-2016-0151CISA KEVCritical · CVSS 9.3 · EPSS 99th2016-04-12
- CVE-2023-28434CISA KEV
MinIO is vulnerable to privilege escalation on Linux/MacOS
High · CVSS 8.7 · EPSS 93th2023-03-22 - CVE-2024-8068CISA KEV
Privilege escalation to NetworkService Account access
High · CVSS 8.6 · EPSS 69th2024-11-12 - CVE-2026-21533CISA KEV
Windows Remote Desktop Services Elevation of Privilege Vulnerability
High · CVSS 8.5 · EPSS 89th2026-02-10 - CVE-2024-38014CISA KEV
Windows Installer Elevation of Privilege Vulnerability
High · CVSS 8.5 · EPSS 93th2024-09-10 - CVE-2024-26169CISA KEV
Windows Error Reporting Service Elevation of Privilege Vulnerability
High · CVSS 8.5 · EPSS 89th2024-03-12
Showing 12 of 1,711 recorded CWE-269 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-269 vulnerabilitiesCommon consequences
What can happen when CWE-269 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-269, grouped by where in the lifecycle they apply.
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Follow the principle of least privilege when assigning access rights to entities in a software system.
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code temporarily raises the program's privileges to allow creation of a new user folder.
Vulnerable example
def makeNewUserDir(username):While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.
The following example demonstrates the weakness.
Vulnerable example
/* do some stuff */
seteuid(0);The following example demonstrates the weakness.
Vulnerable example
AccessController.doPrivileged(new PrivilegedAction() {This code intends to allow only Administrators to print debug information about a system.
Vulnerable example
public enum Roles {While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of "GUEST". Someone with the role of "ADMIN" or "USER" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system.
This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.
Vulnerable example
public enum Roles {This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2001-1555 — Terminal privileges are not reset when a user logs out.
- CVE-2001-1514 — Does not properly pass security context to child processes in certain cases, allows privilege escalation.
- CVE-2001-0128 — Does not properly compute roles.
- CVE-1999-1193 — untrusted user placed in unix "wheel" group
- CVE-2005-2741 — Product allows users to grant themselves certain rights that can be used to escalate privileges.
- CVE-2005-2496 — Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
- CVE-2004-0274 — Product mistakenly assigns a particular status to an entity, leading to increased privileges.
- CVE-2007-4217 — FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.
- CVE-2007-5159 — OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.
- CVE-2008-4638 — Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
- CVE-2007-3931 — Installation script installs some programs as setuid when they shouldn't be.
- CVE-2002-1981 — Roles have access to dangerous procedures (Accessible entities).
- CVE-2002-1671 — Untrusted object/method gets access to clipboard (Accessible entities).
- CVE-2000-0315 — Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).
- CVE-2000-0506 — User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).
Terminology & mappings
Mapped taxonomies
- PLOVER: Privilege Management Error
- ISA/IEC 62443: Req SP.03.08 BR (Part 2-4)
- ISA/IEC 62443: Req CR 3.1 (Part 3-2)
- ISA/IEC 62443: Req SR 1.2 (Part 3-3)
- ISA/IEC 62443: Req SR 2.1 (Part 3-3)
- ISA/IEC 62443: Req SD-3 (Part 4-1)
- ISA/IEC 62443: Req SD-4 (Part 4-1)
- ISA/IEC 62443: Req SI-1 (Part 4-1)
- ISA/IEC 62443: Req CR 1.1 (Part 4-2)
- ISA/IEC 62443: Req CR 2.1 (Part 4-2)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-269.
- What is CWE-269?
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- What CVEs are caused by CWE-269?
- 1,711 recorded CVEs are attributed to CWE-269, including CVE-2013-0643, CVE-2024-49035, CVE-2023-35674. 19 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-269?
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- How is CWE-269 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-269?
- Exploiting CWE-269 can lead to: Gain Privileges or Assume Identity.
- Is CWE-269 actively exploited?
- Yes. 19 CWE-269 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 1,711 recorded CVEs.
References
- MITRE CWE definition (CWE-269) (opens in a new tab)
- CWE-269 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-269
Get alerted the moment a new CWE-269 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.