What is privilege escalation?
Last reviewed June 2, 2026
Privilege escalation occurs when an attacker gains permissions beyond those they were assigned, such as a normal user becoming an administrator. Vertical escalation gains higher privileges; horizontal escalation accesses other users' data at the same level. It stems from improper privilege management (CWE-269) and is prevented with least privilege and robust access-control checks.
What privilege escalation is
Privilege escalation is the act of obtaining capabilities or access rights beyond what an identity is supposed to have. The underlying weakness is often CWE-269 (Improper Privilege Management), where an application assigns, modifies, or checks privileges incorrectly.
Privilege escalation is usually a stage in an attack rather than the entry point: an attacker first gains some foothold, then escalates to gain the control needed to reach their objective.
Vertical and horizontal escalation
- Vertical privilege escalation: gaining higher privileges than your account holds, such as a standard user obtaining administrator or root rights.
- Horizontal privilege escalation: accessing the resources of another user at the same privilege level, such as reading another customer's account.
Both undermine the authorization model. Vertical escalation typically grants broad control, while horizontal escalation breaches the boundary between peer accounts.
How the attack works
Consider an application that determines who is an administrator from a client-controlled value, such as a role field in a cookie or a hidden form input like isAdmin=false. If the server trusts that value instead of verifying the user's role server-side, an attacker simply changes it to isAdmin=true and gains administrative access. This is vertical escalation through a broken authorization check.
Escalation also arises from setuid binaries with flaws, misconfigured permissions, kernel vulnerabilities that grant root, and excessive default privileges. The common thread is that a control meant to bound an identity's power can be bypassed or was never enforced.
How to prevent it
- Apply the principle of least privilege: grant each account and process only the rights it needs.
- Enforce authorization checks on the server for every sensitive action; never trust client-supplied role or identity data.
- Separate duties and avoid running services as root or administrator where possible.
- Patch operating systems and software promptly, since many privilege escalation bugs have vendor fixes.
- Audit and monitor privileged actions to detect misuse early.
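To make the broken check described above and the server-side fix in the prevention list concrete, here is an added example (not code from the original page): a handler that decides the role from a client-supplied isAdmin field, beside one that resolves the role only from a server-side session store and also enforces the ownership check that blocks horizontal escalation. The Request class, session and account records are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for illustration)."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed server-side state: session id -> authenticated identity and role.
SESSIONS = {
    "sess-alice": {"user_id": 101, "role": "user"},
    "sess-bob": {"user_id": 102, "role": "admin"},
}
# Constructed resource table: account id -> record with its owner.
ACCOUNTS = {
    101: {"owner": 101, "balance": 50},
    102: {"owner": 102, "balance": 900},
}


def is_admin_vulnerable(req: Request) -> bool:
    """Broken check: the role is taken from a client-controlled form field,
    so flipping isAdmin=false to isAdmin=true is all it takes to escalate."""
    return req.form.get("isAdmin", "false") == "true"


def is_admin_hardened(req: Request) -> bool:
    """Fixed check: the role comes only from the server-side session record
    keyed by the session cookie; client-supplied role fields are ignored."""
    session = SESSIONS.get(req.cookies.get("sid"))
    return session is not None and session["role"] == "admin"


def read_account_hardened(req: Request, account_id: int) -> Optional[dict]:
    """Horizontal control: a user may read only accounts they own; an admin
    (as recorded server-side) may read any. Unknown session or account -> None."""
    session = SESSIONS.get(req.cookies.get("sid"))
    account = ACCOUNTS.get(account_id)
    if session is None or account is None:
        return None
    if session["role"] == "admin" or account["owner"] == session["user_id"]:
        return account
    return None
```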
Keep exploring
- CWE-269: Improper Privilege Management. The MITRE weakness entry privilege escalation maps to.
- What is an IDOR? A common path to horizontal privilege escalation.
- What is remote code execution? Often paired with escalation to fully compromise a host.
- Browse the CWE directory. Explore the full catalog of weakness types.
- What is broken access control? OWASP A01: acting outside your permissions.
Frequently asked questions
- What is privilege escalation in simple terms?
- It is when someone gets more access than they are supposed to have, like a regular user gaining admin powers or one customer reading another customer's data.
- What is the difference between vertical and horizontal privilege escalation?
- Vertical escalation gains higher privileges than your account holds, such as becoming an administrator. Horizontal escalation accesses another user's resources at the same privilege level.
- How do you prevent privilege escalation?
- Apply least privilege, enforce server-side authorization on every sensitive action, avoid trusting client-supplied role data, separate duties, and patch software promptly.
- Which CWE covers privilege escalation?
- It commonly maps to CWE-269, Improper Privilege Management, though specific cases may involve related access-control weaknesses.