Class weakness

Draft

CWE-285: Improper Authorization

Also known as: AuthZ

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Last updated May 1, 2026

1,060

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

CWE-285 (Improper Authorization) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This function runs an arbitrary SQL query on a given database, returning the result of the query.

Vulnerable example

php

/.../
function runEmployeeQuery($dbName, $name){

While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database.

The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory.

Vulnerable example

perl

sub DisplayPrivateMessage {

CWE-285: Improper Authorization (AuthZ)

CWE-285: Improper Authorization

Overview

CWE-285: Improper Authorization

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Manual Analysis

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-285?

What CVEs are caused by CWE-285?

Is CWE-285 part of the OWASP Top 10?

How do you prevent CWE-285?

How is CWE-285 detected?

What are the consequences of CWE-285?

Is CWE-285 actively exploited?

References

Stay ahead of CWE-285

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review

Overview

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Manual Analysis

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Automated Results Interpretation

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-285?

What CVEs are caused by CWE-285?

Is CWE-285 part of the OWASP Top 10?

How do you prevent CWE-285?

How is CWE-285 detected?

What are the consequences of CWE-285?

Is CWE-285 actively exploited?

References

Stay ahead of CWE-285

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Automated Static Analysis - Source Code

Architecture or Design Review