CWE-266 Base Draft

Incorrect Privilege Assignment

This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not have. This error creates an unintended level of access,…

Definition

What is CWE-266?

This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not have. This error creates an unintended level of access, allowing the actor to perform actions beyond their intended authority.

Incorrect privilege assignment is a core authorization flaw where the system's security model fails to properly enforce the principle of least privilege. Instead of granting the minimum access necessary for a function, the system erroneously provides elevated rights—such as administrative capabilities, write access to sensitive files, or the ability to modify other users' data. This mistake often stems from misconfigured access control lists (ACLs), flawed role-based access control (RBAC) logic, or errors during user/role provisioning. From a developer's perspective, this vulnerability is frequently introduced during code deployment or user management, rather than within the core application logic itself. Common scenarios include copying permission sets from high-privilege accounts, incorrectly mapping users to roles, or failing to validate inherited permissions. To prevent this, always implement explicit privilege assignment, audit permission changes, and use automated tools to verify that access controls match the intended security policy before deployment.

Real-world impact

Real-world CVEs caused by CWE-266

CVE-1999-1193

untrusted user placed in unix "wheel" group
CVE-2005-2741

Product allows users to grant themselves certain rights that can be used to escalate privileges.
CVE-2005-2496

Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
CVE-2004-0274

Product mistakenly assigns a particular status to an entity, leading to increased privileges.

How attackers exploit it

Step-by-step attacker path

1
The following example demonstrates the weakness.
2
The following example demonstrates the weakness.
3
This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes.
4
Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data.

Vulnerable code example

Vulnerable C

The following example demonstrates the weakness.

Vulnerable C

seteuid(0);
```
/* do some stuff */* 
  
  seteuid(getuid());

Attacker payload

Attacker payload Java

public class CallReceiver extends BroadcastReceiver {
  	@Override
  	public void onReceive(Context context, Intent intent) {
  		Uri userData = intent.getData();
  		stealUserData(userData);
  	}
  }

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-266

Architecture and Design / Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design / Operation Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Detection signals

How to detect CWE-266

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-266 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-266?

How serious is CWE-266?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-266?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-266?

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need…

How does Plexicus detect and fix CWE-266?

Plexicus's SAST engine matches the data-flow signature for CWE-266 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-266?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/266.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-266

CWE-269 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Incorrect Privilege Assignment

What is CWE-266?

Real-world CVEs caused by CWE-266

Step-by-step attacker path

Vulnerable C

Secure pseudo

How to prevent CWE-266

How to detect CWE-266

Plexicus auto-detects CWE-266 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-266

Improper Privilege Management

Execution with Unnecessary Privileges

Privilege Defined With Unsafe Actions

Privilege Chaining

Privilege Context Switching Error

Privilege Dropping / Lowering Errors

Improper Handling of Insufficient Privileges

Incorrect Use of Privileged APIs

Incorrect User Management

Further reading

Don't Let Security
Weigh You Down.

Incorrect Privilege Assignment

What is CWE-266?

Real-world CVEs caused by CWE-266

Step-by-step attacker path

Vulnerable C

Secure pseudo

How to prevent CWE-266

How to detect CWE-266

Plexicus auto-detects CWE-266 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-266

Improper Privilege Management

Execution with Unnecessary Privileges

Privilege Defined With Unsafe Actions

Privilege Chaining

Privilege Context Switching Error

Privilege Dropping / Lowering Errors

Improper Handling of Insufficient Privileges

Incorrect Use of Privileged APIs

Incorrect User Management

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.