CWE-269: Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control.
[Charts: Yearly Trend; Top Affected Vendors (chart data not captured)]
All Improper Privilege Management CVEs (831)
Mar 11, 2025: An improper privilege management vulnerability in ZTE GoldenDB allows authenticated users to escalate their privileges beyond intended levels. This af...
Jun 12, 2024: An improper privilege management vulnerability in Tenable Security Center allows authenticated attackers to view unauthorized objects and launch scans...
May 26, 2024: This vulnerability in Marvin Test HW.exe allows unprivileged user-mode processes to map physical memory through a specific IOCTL in the Hw64.sys drive...
Jan 21, 2026: The Flux Operator Web UI authentication vulnerability allows attackers to bypass Kubernetes RBAC impersonation when OIDC tokens lack expected claims o...
Nov 7, 2025: This vulnerability in KubeVirt allows attackers with access to the virt-handler service account to force VM migrations to compromised nodes or mark al...
Oct 24, 2025: This vulnerability allows local attackers to escalate privileges via the COM interface in Malwarebytes For Teams service (mbamservice.exe). It affects...
Sep 2, 2025: This vulnerability allows attackers to gain SYSTEM privileges on Windows systems by exploiting insecure file deletion during Samsung Magician updates....
Aug 22, 2025: This vulnerability allows authenticated attackers to create accounts with elevated privileges on Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with C...
Oct 2, 2025: FrostWire 6.14.0-build-326 for macOS contains permissive entitlements that allow local attackers to inject code via DYLD_INSERT_LIBRARIES environment ...
Jan 23, 2025: This vulnerability in Directus allows users with typical permissions to specify arbitrary roles when sharing items, potentially granting access to fie...
Jul 18, 2024: Dell ECS versions before 3.8.1 contain a privilege elevation vulnerability in user management. A remote attacker with high privileges could exploit th...
Jul 15, 2025: This vulnerability in Oracle WebLogic Server allows authenticated high-privileged attackers to modify or read limited data through HTTP requests requi...
Jul 24, 2024: Argo CD's web terminal feature has a privilege persistence vulnerability where users retain container access even after their exec permissions are rev...
Jan 20, 2026: This vulnerability in Oracle VM VirtualBox allows a high-privileged attacker with local access to the host system to read some VirtualBox data and cau...
Apr 2, 2025: A broken access control vulnerability in Trend Vision One allowed administrators to create users who could then modify account roles and escalate priv...
Apr 2, 2025: A broken access control vulnerability in Trend Vision One User Roles allowed administrators to create users who could then change their own role assig...
Feb 3, 2025: This vulnerability in Wazuh allows attackers with no privilege access to view the agent list on the Wazuh dashboard, potentially enabling privilege es...
Nov 13, 2025: This vulnerability in Cisco Catalyst Center allows authenticated users with read-only (Observer) privileges to perform administrative operations due t...
Aug 14, 2025: This vulnerability in ESPEC North America Web Controller 3 allows user session privileges to persist after logout, potentially enabling unauthorized a...
Dec 24, 2025: This CVE describes a privilege bypass vulnerability in Android Debug Bridge (ADB) that could allow unauthorized access to ADB functionality. It affect...
Nov 11, 2025: This vulnerability in Intel CIP software allows authenticated users to potentially manipulate data through a complex attack chain. It affects systems ...
Nov 18, 2025: This CVE describes an improper privilege management vulnerability in multiple Fortinet products that allows authenticated administrators to bypass tru...
Jan 30, 2026: Chef InSpec versions up to 5.23 create Windows named pipes with overly permissive access controls, allowing local attackers to hijack pipe connections...
Jan 30, 2026: This vulnerability allows local attackers to plant a custom configuration file in ESET Inspect Connector for Windows, which can then load a malicious ...
Jan 26, 2026: This CVE describes a local privilege escalation vulnerability in the Kaba exos 9300 System management application (d9sysdef.exe). Attackers with local...
Jan 7, 2026: This CVE describes a privilege escalation vulnerability in sudoers configuration that allows unrestricted privilege escalation. Any user with access t...
Dec 10, 2025: A privilege escalation vulnerability in Google Cloud's Dialogflow CX allowed agent developers with Webhook editor permission to gain unauthorized proj...
Dec 6, 2025: This vulnerability in Apigee-X allows attackers to access and modify analytics data and access logs belonging to other customer organizations. All Api...
Nov 26, 2025: CVE-2025-66266 is a local privilege escalation vulnerability in UPSilon 2000's RupsMon.exe service. The service executable has insecure permissions gr...
Nov 26, 2025: CMService.exe creates the C:\usr directory with insecure permissions, granting write access to all authenticated users. This allows attackers to repla...
Nov 4, 2025: Everything service running as SYSTEM uses a named pipe with NULL DACL, granting all users full permissions. This allows local low-privileged users to ...

About Improper Privilege Management (CWE-269)
Our database tracks 831 CVEs classified as CWE-269, with 177 rated critical and 564 rated high severity. The average CVSS score for Improper Privilege Management vulnerabilities is 8.1.
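Several entries in the list above share one shape: an account that is allowed to manage users hands out a role it does not itself hold (the Trend Vision One, Directus, Reolink and Cisco Catalyst Center entries), or a privilege that has been revoked keeps working inside an existing session (the Argo CD and ESPEC entries). The Python below is an added illustration of both failure modes, written for this page; it is not code from any vendor listed here. The role names, permission map, user names and the ordering of roles are constructed for the example.

```python
"""Role assignment and session checks for CWE-269, as a constructed example.

Not taken from any vendor named on this page. Roles are totally ordered by
privilege; the hardened code refuses to hand out privileges the actor does
not itself hold, refuses self-modification, and re-checks the live role on
every request so a revoked grant does not linger in an old session.
"""
from dataclasses import dataclass

# Constructed role lattice: a higher number means more privilege.
ROLE_LEVEL = {"observer": 0, "operator": 1, "admin": 2, "owner": 3}

# Constructed permission map: only admin and owner may manage users.
ROLE_PERMS = {
    "observer": {"read"},
    "operator": {"read", "write"},
    "admin": {"read", "write", "manage_users"},
    "owner": {"read", "write", "manage_users", "manage_billing"},
}


class AuthzError(Exception):
    pass


@dataclass
class User:
    name: str
    role: str


def assign_role_vulnerable(actor: User, target: User, new_role: str) -> None:
    """Checks only that the actor may manage users. Nothing relates the role
    being granted to the actor's own, so an admin can promote itself to owner."""
    if "manage_users" not in ROLE_PERMS[actor.role]:
        raise AuthzError("actor lacks manage_users")
    if new_role not in ROLE_LEVEL:
        raise AuthzError("unknown role")
    target.role = new_role


def assign_role_hardened(actor: User, target: User, new_role: str) -> None:
    """The same entry point with the missing checks:
    - the actor may not change its own role (that needs a second party);
    - the granted role may not exceed the actor's own level;
    - the target's current role must also be within the actor's reach,
      so an admin cannot demote an owner."""
    if new_role not in ROLE_LEVEL:
        raise AuthzError("unknown role")
    if "manage_users" not in ROLE_PERMS[actor.role]:
        raise AuthzError("actor lacks manage_users")
    if actor.name == target.name:
        raise AuthzError("self role change is not allowed")
    if ROLE_LEVEL[new_role] > ROLE_LEVEL[actor.role]:
        raise AuthzError(f"cannot grant {new_role} above own role {actor.role}")
    if ROLE_LEVEL[target.role] > ROLE_LEVEL[actor.role]:
        raise AuthzError(f"cannot modify {target.name} who holds {target.role}")
    target.role = new_role


@dataclass
class Session:
    user: User
    cached_perms: frozenset  # snapshot taken at login


def login(user: User) -> Session:
    return Session(user, frozenset(ROLE_PERMS[user.role]))


def authorize_vulnerable(session: Session, perm: str) -> bool:
    """Trusts the login snapshot, so a revoked privilege persists until re-login."""
    return perm in session.cached_perms


def authorize_hardened(session: Session, perm: str) -> bool:
    """Re-derives permissions from the user's current role on every check."""
    return perm in ROLE_PERMS[session.user.role]


def demo() -> dict:
    """Walk the escalation and persistence paths against both versions."""
    out = {}
    owner = User("owner", "owner")
    mallory = User("mallory", "observer")
    assign_role_hardened(owner, mallory, "admin")  # legitimate grant by owner
    out["owner_promotes_mallory"] = mallory.role

    mallory_v = User("mallory", "admin")
    assign_role_vulnerable(mallory_v, mallory_v, "owner")  # admin becomes owner
    out["vulnerable_self_promotion"] = mallory_v.role

    for label, target, role in (("self", mallory, "owner"),
                                ("other", User("alice", "operator"), "owner")):
        try:
            assign_role_hardened(mallory, target, role)
            out[f"hardened_{label}_promotion"] = target.role
        except AuthzError as e:
            out[f"hardened_{label}_promotion"] = f"refused: {e}"

    # Privilege persistence: owner demotes mallory while a session is open.
    sess = login(mallory)
    assign_role_hardened(owner, mallory, "observer")
    out["stale_session_vulnerable"] = authorize_vulnerable(sess, "manage_users")
    out["stale_session_hardened"] = authorize_hardened(sess, "manage_users")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ceiling check (`new_role` no higher than the actor's own level) is what the vulnerable version lacks: having `manage_users` says nothing about which roles the holder may hand out. The session check shows the other half of the CWE definition, tracking: re-deriving permissions from the current role on each request costs a lookup but means a revocation takes effect immediately rather than at the next login.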
External reference: View CWE-269 on MITRE CWE →