The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
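The weakness described above, shown as the weak copy-then-restrict pattern beside a hardened restrict-then-copy form. This is an added example, not code from MITRE or from any of the affected products; it assumes a POSIX system, and the function names, the sample file and the 0o022 umask are constructed for illustration.

```python
import os
import stat
import tempfile

def _copy_bytes(src_fd, dst_fd, chunk=65536):
    while True:
        buf = os.read(src_fd, chunk)
        if not buf:
            return
        view = memoryview(buf)
        while view:                           # os.write may write only part
            view = view[os.write(dst_fd, view):]

def copy_then_chmod(src, dst, final_mode):
    """Weak: destination keeps umask-derived permissions until the copy ends."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        _copy_bytes(s.fileno(), d.fileno())
        exposed = stat.S_IMODE(os.fstat(d.fileno()).st_mode)
    os.chmod(dst, final_mode)                 # too late: data was already exposed
    return exposed

def copy_restricted_first(src, dst, final_mode):
    """Hardened: create owner-only, copy, then set the final mode via the fd."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    src_fd = os.open(src, os.O_RDONLY)
    try:
        dst_fd = os.open(dst, flags, 0o600)   # umask can only remove bits
        try:
            _copy_bytes(src_fd, dst_fd)
            exposed = stat.S_IMODE(os.fstat(dst_fd).st_mode)
            os.fchmod(dst_fd, final_mode)     # fd-based, no path re-resolution
        finally:
            os.close(dst_fd)
    finally:
        os.close(src_fd)
    return exposed

def demo():
    """Constructed sample: copy a secret both ways, report the mid-copy modes."""
    old_umask = os.umask(0o022)               # common default, assumed here
    try:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "secret.key")
            with open(src, "wb") as f:
                f.write(b"constructed-sample-secret\n")
            os.chmod(src, 0o600)
            weak = copy_then_chmod(src, os.path.join(tmp, "weak"), 0o600)
            safe = copy_restricted_first(src, os.path.join(tmp, "safe"), 0o600)
            return oct(weak), oct(safe)
    finally:
        os.umask(old_umask)
```

The first value returned by `demo()` is the mode other local users see while the weak copy is in progress; the second shows the hardened copy never grants group or other access before the final mode is applied.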
CWE-689 (Permission Race Condition During Resource Copy) is a compound-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
3 recorded CVEs are caused by CWE-689 (Permission Race Condition During Resource Copy). The highest-severity and most recent are shown first. 0 new CWE-689 CVEs have been recorded so far in 2026 (2 in 2025).
What can happen when CWE-689 is exploited.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity
Typically introduced during these phases of the software lifecycle.
Languages
Real CVEs that MITRE cites as examples of this weakness.
CAPEC attack patterns that exploit this weakness.
Common questions about CWE-689.
3 recorded CVEs are attributed to CWE-689, including CVE-2022-28768, CVE-2025-40909, CVE-2025-0087.
Exploiting CWE-689 can lead to: Read Application Data, Modify Application Data.
3 recorded CVEs are caused by CWE-689; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.