CWE-269: Improper Privilege Management
Abstraction: Class
Likelihood of exploit: Medium
What it is
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Impact
| Scope | Technical impact |
| --- | --- |
| Access Control | Gain Privileges or Assume Identity |
Mitigations
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system.
- [Architecture and Design] Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Real-world CVE examples
- CVE-2001-1555 — Terminal privileges are not reset when a user logs out.
- CVE-2001-1514 — Does not properly pass security context to child processes in certain cases, allows privilege escalation.
- CVE-2001-0128 — Does not properly compute roles.
- CVE-1999-1193 — Untrusted user placed in the Unix "wheel" group.
- CVE-2005-2741 — Product allows users to grant themselves certain rights that can be used to escalate privileges.
- CVE-2005-2496 — Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
- CVE-2004-0274 — Product mistakenly assigns a particular status to an entity, leading to increased privileges.
- CVE-2007-4217 — FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vul
- CVE-2007-5159 — OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.
- CVE-2008-4638 — Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks th
- CVE-2007-3931 — Installation script installs some programs as setuid when they shouldn't be.
- CVE-2002-1981 — Roles have access to dangerous procedures (Accessible entities).
Source: MITRE CWE (cwe.mitre.org).