CWE-284: Improper Access Control
Also known as: Authorization
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Last updated
Overview
Access control involves the use of several protection mechanisms such as: Authentication (proving the identity of an actor) Authorization (ensuring that a given actor can access a resource), and Accountability (tracking of activities that were performed) When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator. Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.
Real-world CVEs
3,865 recorded CVEs are caused by CWE-284 (Improper Access Control), including 33 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 936 new CWE-284 CVEs have been recorded so far in 2026 (905 in 2025).
- CVE-2026-48907CISA KEV
Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5
Critical · CVSS 10.0 · EPSS 100th2026-06-05 - CVE-2026-34908CISA KEVCritical · CVSS 10.0 · EPSS 83th2026-05-22
- CVE-2025-12480CISA KEVCritical · CVSS 10.0 · EPSS 100th2025-11-10
- CVE-2023-27350CISA KEVCritical · CVSS 10.0 · EPSS 100th2023-04-20
- CVE-2023-26360CISA KEV
Adobe ColdFusion Improper Access Control Arbitrary code execution
Critical · CVSS 10.0 · EPSS 100th2023-03-23 - CVE-2014-3120CISA KEVCritical · CVSS 10.0 · EPSS 100th2014-07-28
- CVE-2013-2423CISA KEVCritical · CVSS 10.0 · EPSS 100th2013-04-17
- CVE-2023-24489CISA KEVCritical · CVSS 9.8 · EPSS 100th2023-07-10
- CVE-2016-3427CISA KEVCritical · CVSS 9.8 · EPSS 100th2016-04-21
- CVE-2013-0422CISA KEVCritical · CVSS 9.4 · EPSS 100th2013-01-10
- CVE-2012-4681CISA KEVCritical · CVSS 9.4 · EPSS 100th2012-08-28
- CVE-2026-35616CISA KEVCritical · CVSS 9.3 · EPSS 100th2026-04-04
Showing 12 of 3,865 recorded CWE-284 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-284 vulnerabilitiesCommon consequences
What can happen when CWE-284 is exploited.
Varies by Context
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-284, grouped by where in the lifecycle they apply.
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code temporarily raises the program's privileges to allow creation of a new user folder.
Vulnerable example
def makeNewUserDir(username):While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.
This function runs an arbitrary SQL query on a given database, returning the result of the query.
Vulnerable example
/.../
function runEmployeeQuery($dbName, $name){While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database.
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors did not use any authentication or used client-side authentication for critical functionality in their OT products.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-21972CISA KEV— Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
- CVE-2021-37415CISA KEV— IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
- CVE-2020-13927CISA KEV— Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.
- CVE-2023-26463 — Chain: IPSec VPN product uses the same variable for multiple purposes in the same function (CWE-1109), leading to incorrect access control (CWE-284) and expired pointer dereference (CWE-825)
- CVE-2022-24985 — A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms
- CVE-2022-29238 — Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
- CVE-2022-23607 — Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect
- CVE-2021-35033 — Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
- CVE-2020-10263 — Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access
- CVE-2010-4624 — Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.
Terminology & mappings
Alternate terms
- Authorization
- The terms "access control" and "authorization" are often used interchangeably, although many people have distinct definitions. The CWE usage of "access control" is intended as a general term for the various mechanisms that restrict which users can access which resources, and "authorization" is more narrowly defined. It is unlikely that there will be community consensus on the use of these terms.
Mapped taxonomies
- PLOVER: Access Control List (ACL) errors
- WASC: Insufficient Authorization (2)
- 7 Pernicious Kingdoms: Missing Access Control
Attack patterns
CAPEC attack patterns that exploit this weakness.
- CAPEC-19: Embedding Scripts within Scripts
- CAPEC-441: Malicious Logic Insertion
- CAPEC-478: Modification of Windows Service Configuration
- CAPEC-479: Malicious Root Certificate
- CAPEC-502: Intent Spoof
- CAPEC-503: WebView Exposure
- CAPEC-536: Data Injected During Configuration
- CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment
- CAPEC-550: Install New Service
- CAPEC-551: Modify Existing Service
- CAPEC-552: Install Rootkit
- CAPEC-556: Replace File Extension Handlers
- CAPEC-558: Replace Trusted Executable
- CAPEC-562: Modify Shared File
- CAPEC-563: Add Malicious File to Shared Webroot
- CAPEC-564: Run Software at Logon
- CAPEC-578: Disable Security Software
Frequently asked questions
Common questions about CWE-284.
- What is CWE-284?
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- What CVEs are caused by CWE-284?
- 3,865 recorded CVEs are attributed to CWE-284, including CVE-2026-48907, CVE-2026-34908, CVE-2025-12480. 33 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-284?
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- What are the consequences of CWE-284?
- Exploiting CWE-284 can lead to: Varies by Context.
- Is CWE-284 actively exploited?
- Yes. 33 CWE-284 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 3,865 recorded CVEs.
References
- MITRE CWE definition (CWE-284) (opens in a new tab)
- CWE-284 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-284
Get alerted the moment a new CWE-284 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.