Log inLog in

Base weakness

Incomplete

CWE-708: Incorrect Ownership Assignment

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

Last updated May 1, 2026

20

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

This may allow the resource to be manipulated by actors outside of the intended control sphere.

Real-world CVEs

20 recorded CVEs are caused by CWE-708 (Incorrect Ownership Assignment). The highest-severity and most recent are shown first. 2 new CWE-708 CVEs have been recorded so far in 2026 (6 in 2025).

CVE-2022-22189

High · CVSS 7.3 · EPSS 9th

2022-04-14

CVE-2021-32726

High · CVSS 7.1 · EPSS 69th

2021-07-12

CVE-2023-29122

Medium · CVSS 6.7 · EPSS 20th

2024-11-05

CVE-2023-20044

Medium · CVSS 6.7 · EPSS 10th

2023-01-19

CVE-2023-20043

Medium · CVSS 6.7 · EPSS 18th

2023-01-19

CVE-2024-41773

Medium · CVSS 6.5 · EPSS 22th

2024-08-20

CVE-2024-45417

Medium · CVSS 6.0 · EPSS 23th

2025-02-25

CVE-2021-26248

Philips MRI 1.5T and 3T Incorrect Ownership Assignment

Medium · CVSS 5.9 · EPSS 16th

2021-11-19

CVE-2026-32691

Timing ownership claim attack on new external back-end secrets

Medium · CVSS 5.3 · EPSS 4th

2026-03-18

Showing 12 of 20 recorded CWE-708 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-708 vulnerabilities

Common consequences

What can happen when CWE-708 is exploited.

Read Application Data, Modify Application Data

Affects: Confidentiality, Integrity

An attacker could read and modify data for which they do not have permissions to access directly.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Operation

How to prevent it

Practical mitigations for CWE-708, grouped by where in the lifecycle they apply.

Policy

Periodically review the privileges and their owners.

How to detect it

Automated Analysis

Use automated tools to check for privilege settings.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2024-43199 — product installs binaries with potentially insecure user/group ownership
CVE-2007-5101 — File system sets wrong ownership and group when creating a new file.
CVE-2007-4238 — OS installs program with bin owner/group, allowing modification.
CVE-2007-1716 — Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.
CVE-2005-3148 — Backup software restores symbolic links with incorrect uid/gid.
CVE-2005-1064 — Product changes the ownership of files that a symlink points to, instead of the symlink itself.
CVE-2011-1551 — Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.

Frequently asked questions

Common questions about CWE-708.

What is CWE-708?

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

What CVEs are caused by CWE-708?

20 recorded CVEs are attributed to CWE-708, including CVE-2026-40196, CVE-2021-32689, CVE-2024-52561.

How do you prevent CWE-708?

Periodically review the privileges and their owners.

How is CWE-708 detected?

Automated Analysis: Use automated tools to check for privilege settings.

What are the consequences of CWE-708?

Exploiting CWE-708 can lead to: Read Application Data, Modify Application Data.

Is CWE-708 actively exploited?

20 recorded CVEs are caused by CWE-708; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-708

Get alerted the moment a new CWE-708 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing