CWE-842: Placement of User into Incorrect Group
The product or the administrator places a user into an incorrect group.
Last updated
Overview
If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.
Real-world CVEs
10 recorded CVEs are caused by CWE-842 (Placement of User into Incorrect Group). The highest-severity and most recent are shown first. 1 new CWE-842 CVE has been recorded so far in 2026.
- CVE-2024-10082Critical · CVSS 9.0 · EPSS 38th2024-11-06
- CVE-2024-25632High · CVSS 8.8 · EPSS 32th2024-10-01
- CVE-2022-45097High · CVSS 8.8 · EPSS 33th2023-02-01
- CVE-2024-9412High · CVSS 8.4 · EPSS 33th2024-10-08
- CVE-2022-3650High · CVSS 7.8 · EPSS 25th2023-01-17
- CVE-2023-25575
Secured properties in API Platform Core may be accessible within collections
High · CVSS 7.7 · EPSS 45th2023-02-28 - CVE-2026-6970
authd Denial of Service and Local Privilege Escalation
High · CVSS 7.3 · EPSS 2th2026-04-27 - CVE-2022-31007High · CVSS 7.2 · EPSS 98th2022-05-31
- CVE-2022-2990High · CVSS 7.1 · EPSS 25th2022-09-13
- CVE-2022-2989High · CVSS 7.1 · EPSS 23th2022-09-13
Common consequences
What can happen when CWE-842 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-1999-1193 — Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
- CVE-2010-3716 — Chain: drafted web request allows the creation of users with arbitrary group membership.
- CVE-2008-5397 — Chain: improper processing of configuration options causes users to contain unintended group memberships.
- CVE-2007-6644 — CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
- CVE-2007-3260 — Product assigns members to the root group, allowing escalation of privileges.
- CVE-2002-0080 — Chain: daemon does not properly clear groups before dropping privileges.
Frequently asked questions
Common questions about CWE-842.
- What is CWE-842?
- The product or the administrator places a user into an incorrect group.
- What CVEs are caused by CWE-842?
- 10 recorded CVEs are attributed to CWE-842, including CVE-2024-10082, CVE-2024-25632, CVE-2022-45097.
- What are the consequences of CWE-842?
- Exploiting CWE-842 can lead to: Gain Privileges or Assume Identity.
- Is CWE-842 actively exploited?
- 10 recorded CVEs are caused by CWE-842; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-842) (opens in a new tab)
- CWE-842 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-842
Get alerted the moment a new CWE-842 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.