- What is CWE-285?
- The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
- What CVEs are caused by CWE-285?
- 1,143 recorded CVEs are attributed to CWE-285, including CVE-2021-28799, CVE-2026-57983, CVE-2026-0072. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-285 part of the OWASP Top 10?
- CWE-285 maps to OWASP Top Ten 2007: Failure to Restrict URL Access (A10) in the OWASP security taxonomy.
- How do you prevent CWE-285?
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries.
- How is CWE-285 detected?
- Automated Static Analysis: Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries.
- What are the consequences of CWE-285?
- Exploiting CWE-285 can lead to: Read Application Data, Read Files or Directories, Modify Application Data, Modify Files or Directories, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
- Is CWE-285 actively exploited?
- Yes. 1 CWE-285 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 1,143 recorded CVEs.