CWE-863: Incorrect Authorization
Also known as: AuthZ
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Last updated
Overview
CWE-863 (Incorrect Authorization) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.
Real-world CVEs
2,019 recorded CVEs are caused by CWE-863 (Incorrect Authorization), including 16 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 683 new CWE-863 CVEs have been recorded so far in 2026 (450 in 2025).
- CVE-2025-54253CISA KEV
Adobe Experience Manager | Incorrect Authorization (CWE-863)
Critical · CVSS 10.0 · EPSS 100th2025-08-05 - CVE-2019-7192CISA KEVCritical · CVSS 10.0 · EPSS 100th2019-12-05
- CVE-2025-21479CISA KEV
Incorrect Authorization in Graphics
Critical · CVSS 9.3 · EPSS 52th2025-06-03 - CVE-2024-38856CISA KEV
Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code
Critical · CVSS 9.3 · EPSS 100th2024-08-05 - CVE-2023-22518CISA KEVCritical · CVSS 9.3 · EPSS 100th2023-10-31
- CVE-2023-38035CISA KEVCritical · CVSS 9.3 · EPSS 100th2023-08-21
- CVE-2018-13382CISA KEVCritical · CVSS 9.3 · EPSS 100th2019-06-04
- CVE-2024-21287CISA KEVHigh · CVSS 8.7 · EPSS 71th2024-11-18
- CVE-2021-40655CISA KEVHigh · CVSS 8.7 · EPSS 100th2021-09-24
- CVE-2023-24880CISA KEV
Windows SmartScreen Security Feature Bypass Vulnerability
High · CVSS 8.6 · EPSS 100th2023-03-14 - CVE-2023-21715CISA KEV
Microsoft Publisher Security Feature Bypass Vulnerability
High · CVSS 8.4 · EPSS 96th2023-02-14 - CVE-2021-30533CISA KEVHigh · CVSS 7.1 · EPSS 97th2021-06-07
Showing 12 of 2,019 recorded CWE-863 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-863 vulnerabilitiesCommon consequences
What can happen when CWE-863 is exploited.
Read Application Data, Read Files or Directories
Affects: Confidentiality
An attacker could bypass intended access restrictions to read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
Modify Application Data, Modify Files or Directories
Affects: Integrity
An attacker could bypass intended access restrictions to modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Gain Privileges or Assume Identity, Bypass Protection Mechanism
Affects: Access Control
An attacker could bypass intended access restrictions to gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
Execute Unauthorized Code or Commands
Affects: Confidentiality, Integrity, Availability
An attacker could use elevated privileges to execute unauthorized commands or code.
DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
Affects: Availability
An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-863, grouped by where in the lifecycle they apply.
Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
How to detect it
Automated Static Analysis
Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries.
Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.
Effectiveness: Limited
Automated Dynamic Analysis
Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.
Manual Analysis
This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.
Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.
Effectiveness: Moderate
Manual Static Analysis - Binary or Bytecode
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Dynamic Analysis with Automated Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Manual Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Automated Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Architecture or Design Review
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.
Vulnerable example
$role = $_COOKIES['role'];The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2025-24839 — collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property
- CVE-2025-32796 — LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints
- CVE-2021-39155 — Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.
- CVE-2019-15900 — Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).
- CVE-2009-2213 — Gateway uses default "Allow" configuration for its authorization settings.
- CVE-2009-0034 — Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
- CVE-2008-6123 — Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
- CVE-2008-7109 — Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
- CVE-2008-3424 — Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
- CVE-2008-4577 — ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
- CVE-2006-6679 — Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
- CVE-2005-2801 — Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
- CVE-2001-1155 — Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
Terminology & mappings
Alternate terms
- AuthZ
- "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization.
Mapped taxonomies
- ISA/IEC 62443: Req SD-4 (Part 4-1)
- ISA/IEC 62443: Req CR 2.1 (Part 4-2)
- ISA/IEC 62443: Req CR 2.2 (Part 4-2)
- ISA/IEC 62443: Req SR 2.1 (Part 3-3)
- ISA/IEC 62443: Req SR 2.2 (Part 3-3)
- ISA/IEC 62443: Req SVV-1 (Part 4-1)
- ISA/IEC 62443: Req SVV-4 (Part 4-1)
- ISA/IEC 62443: Req SD-1 (Part 4-1)
Frequently asked questions
Common questions about CWE-863.
- What is CWE-863?
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- What CVEs are caused by CWE-863?
- 2,019 recorded CVEs are attributed to CWE-863, including CVE-2025-54253, CVE-2019-7192, CVE-2025-21479. 16 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-863?
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- How is CWE-863 detected?
- Automated Static Analysis: Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries.
- What are the consequences of CWE-863?
- Exploiting CWE-863 can lead to: Read Application Data, Read Files or Directories, Modify Application Data, Modify Files or Directories, Gain Privileges or Assume Identity, Bypass Protection Mechanism.
- Is CWE-863 actively exploited?
- Yes. 16 CWE-863 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 2,019 recorded CVEs.
References
- MITRE CWE definition (CWE-863) (opens in a new tab)
- CWE-863 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-863
Get alerted the moment a new CWE-863 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.