CWE-862: Missing Authorization
Also known as: AuthZ
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Last updated
Overview
CWE-862 (Missing Authorization) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.
Real-world CVEs
6,792 recorded CVEs are caused by CWE-862 (Missing Authorization), including 8 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 1,966 new CWE-862 CVEs have been recorded so far in 2026 (2,231 in 2025).
- CVE-2022-0543CISA KEVCritical · CVSS 10.0 · EPSS 100th2022-02-18
- CVE-2025-6205CISA KEV
Missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025
Critical · CVSS 9.3 · EPSS 99th2025-08-04 - CVE-2025-20362CISA KEVHigh · CVSS 8.8 · EPSS 100th2025-09-25
- CVE-2023-52163CISA KEVHigh · CVSS 8.7 · EPSS 100th2025-02-03
- CVE-2024-57726CISA KEVHigh · CVSS 8.7 · EPSS 95th2025-01-15
- CVE-2021-30713CISA KEVHigh · CVSS 8.5 · EPSS 93th2021-09-08
- CVE-2021-37976CISA KEVMedium · CVSS 6.9 · EPSS 97th2021-10-08
- CVE-2021-30657CISA KEVMedium · CVSS 6.7 · EPSS 99th2021-09-08
- CVE-2026-28573Critical · CVSS 10.0 · EPSS 4th2026-06-18
- CVE-2026-28587Critical · CVSS 10.0 · EPSS 2th2026-06-17
- CVE-2026-28615Critical · CVSS 10.0 · EPSS 2th2026-06-17
- CVE-2026-0081Critical · CVSS 10.0 · EPSS 4th2026-06-17
Showing 12 of 6,792 recorded CWE-862 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-862 vulnerabilitiesCommon consequences
What can happen when CWE-862 is exploited.
Read Application Data, Read Files or Directories
Affects: Confidentiality
An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
Modify Application Data, Modify Files or Directories
Affects: Integrity
An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Gain Privileges or Assume Identity, Bypass Protection Mechanism
Affects: Access Control
An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
Affects: Availability
An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-862, grouped by where in the lifecycle they apply.
Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
How to detect it
Automated Static Analysis
Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries.
Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.
Effectiveness: Limited
Automated Dynamic Analysis
Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.
Manual Analysis
This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.
Effectiveness: Moderate
Manual Static Analysis - Binary or Bytecode
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Dynamic Analysis with Automated Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Manual Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Automated Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Architecture or Design Review
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This function runs an arbitrary SQL query on a given database, returning the result of the query.
Vulnerable example
/.../
function runEmployeeQuery($dbName, $name){While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database.
The following program could be part of a bulletin board system that allows users to send private messages to each other. This program intends to authenticate the user before deciding whether a private message should be displayed. Assume that LookupMessageObject() ensures that the $id argument is numeric, constructs a filename based on that id, and reads the message details from that file. Also assume that the program stores all private messages for all users in the same directory.
Vulnerable example
sub DisplayPrivateMessage {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2026-32228 — workflow management product does not check authorization for running a workflow, allowing UI and API users to trigger workflow objects for which they have no access
- CVE-2024-6845 — chatbot Wordpress plugin does not perform authorization on a REST endpoint, allowing retrieval of an API key
- CVE-2025-2224 — AI-enabled WordPress plugin has a missing capability check for a particular function, allowing changing public status of posts
- CVE-2022-24730 — Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information
- CVE-2009-3168 — Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
- CVE-2009-3597 — Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
- CVE-2009-2282 — Terminal server does not check authorization for guest access.
- CVE-2008-5027 — System monitoring software allows users to bypass authorization by creating custom forms.
- CVE-2009-3781 — Content management system does not check access permissions for private files, allowing others to view those files.
- CVE-2008-6548 — Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.
- CVE-2009-2960 — Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
- CVE-2009-3230 — Database server does not use appropriate privileges for certain sensitive operations.
- CVE-2009-2213 — Gateway uses default "Allow" configuration for its authorization settings.
- CVE-2009-0034 — Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
- CVE-2008-6123 — Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
- CVE-2008-7109 — Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
- CVE-2008-3424 — Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
- CVE-2005-1036 — Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
- CVE-2008-4577 — ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
- CVE-2007-2925 — Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
- CVE-2006-6679 — Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
- CVE-2005-3623 — OS kernel does not check for a certain privilege before setting ACLs for files.
- CVE-2005-2801 — Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
- CVE-2001-1155 — Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
- CVE-2020-17533 — Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862)
Terminology & mappings
Alternate terms
- AuthZ
- "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization.
Mapped taxonomies
- ISA/IEC 62443: Req 4.3.3.7 (Part 2-1)
- ISA/IEC 62443: Req SR 2.1 (Part 3-3)
- ISA/IEC 62443: Req CR 2.1 (Part 4-2)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-862.
- What is CWE-862?
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- What CVEs are caused by CWE-862?
- 6,792 recorded CVEs are attributed to CWE-862, including CVE-2022-0543, CVE-2025-6205, CVE-2025-20362. 8 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-862?
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- How is CWE-862 detected?
- Automated Static Analysis: Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries.
- What are the consequences of CWE-862?
- Exploiting CWE-862 can lead to: Read Application Data, Read Files or Directories, Modify Application Data, Modify Files or Directories, Gain Privileges or Assume Identity, Bypass Protection Mechanism.
- Is CWE-862 actively exploited?
- Yes. 8 CWE-862 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 6,792 recorded CVEs.
References
- MITRE CWE definition (CWE-862) (opens in a new tab)
- CWE-862 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-862
Get alerted the moment a new CWE-862 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.