Skip to content

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Learn

All guides
What is a CVE?
What is CVSS?
The CISA KEV catalog
What is EPSS?

Company

About us
Blog
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

Home
Weaknesses (CWE)
CWE-280

CWE-280: Improper Handling of Insufficient Permissions or Privileges

Base weakness

Draft

CWE-280: Improper Handling of Insufficient Permissions or Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Last updated May 1, 2026

137

Recorded CVEs

With this primary weakness

1

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-280 (Improper Handling of Insufficient Permissions or Privileges) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

137 recorded CVEs are caused by CWE-280 (Improper Handling of Insufficient Permissions or Privileges), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 21 new CWE-280 CVEs have been recorded so far in 2026 (40 in 2025).

CVE-2024-29748
CISA KEV
High · CVSS 8.5
2024-04-05
CVE-2025-46066
Critical · CVSS 9.9
2026-01-12
CVE-2024-25108
Critical · CVSS 9.9
2024-02-12
CVE-2025-6573
GPU DDK - RGXFW_CTL.pui8FWScratchBuf Leak/Overwrite
Critical · CVSS 9.8
2025-08-08
CVE-2024-24116
Critical · CVSS 9.8
2024-10-02
CVE-2024-46874
Critical · CVSS 9.2
2024-12-06
CVE-2024-1608
Critical · CVSS 9.1
2024-02-20
CVE-2025-8109
GPU DDK - GPU shader shared memory corrupted using ptrace to disrupt GPU operation
High · CVSS 8.8
2025-08-04
CVE-2025-27025
Improper File Access in Infinera G42
High · CVSS 8.8
2025-07-02
CVE-2025-31173
High · CVSS 8.8
2025-04-07
CVE-2024-6660
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload
High · CVSS 8.8
2024-07-17
CVE-2024-36451
High · CVSS 8.8
2024-07-10

Showing 12 of 137 recorded CWE-280 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-280 vulnerabilities

Common consequences

What can happen when CWE-280 is exploited.

Other, Alter Execution Logic

Affects: Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-280, grouped by where in the lifecycle they apply.

Architecture and Design

Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Implementation

Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2003-0501 — Special file system allows attackers to prevent ownership/permission change of certain entries by opening the entries before calling a setuid program.
CVE-2004-0148 — FTP server places a user in the root directory when the user's permissions prevent access to the their own home directory.

Related weaknesses

How this weakness relates to others in the CWE hierarchy.

Parent

CWE-755: Improper Handling of Exceptional Conditions

Peer

CWE-636: Not Failing Securely ('Failing Open')

Related

CWE-274: Improper Handling of Insufficient Privileges

Terminology & mappings

Mapped taxonomies

PLOVER: Fails poorly due to insufficient permissions
WASC: Improper Filesystem Permissions (17)
Software Fault Patterns: Unchecked Status Condition (SFP4)

Frequently asked questions

Common questions about CWE-280.

What is CWE-280?

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

What CVEs are caused by CWE-280?

137 recorded CVEs are attributed to CWE-280, including CVE-2024-29748, CVE-2025-46066, CVE-2024-25108. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-280?

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

How is CWE-280 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-280?

Exploiting CWE-280 can lead to: Other, Alter Execution Logic.

Is CWE-280 actively exploited?

Yes. 1 CWE-280 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 137 recorded CVEs.

References

MITRE CWE definition (CWE-280) (opens in a new tab)
CWE-280 vulnerabilities on NVD (opens in a new tab)
Learn: What is a CWE?

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-280

Get alerted the moment a new CWE-280 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

On this page

Overview
Real-world CVEs
Common consequences
How it happens
How to prevent it
How to detect it
Illustrative examples
Related weaknesses
Terminology & mappings
FAQ
References