Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.
CWE-268 Base Draft
Privilege Chaining
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should…
Definition
What is CWE-268?
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow.
This vulnerability is like a security bypass puzzle. A system might correctly enforce that a user cannot directly delete a file or directly write to a system directory. However, if the user can first move a file into that protected directory (using one permission) and then delete any file they own there (using a second permission), they have effectively achieved an unauthorized deletion. The core failure is that the system's security checks evaluate each privilege in isolation, missing the dangerous sequence they enable when used together.
To prevent this, developers must design authorization checks that consider context and history, not just the immediate action. This involves analyzing how privileges can interact over a session or transaction. Implementing mandatory access control (MAC), logging and monitoring for unusual privilege sequences, and adhering to the principle of least privilege are key defenses. Always ask: 'Could these two allowed actions be combined to achieve something we explicitly forbid?'
Real-world impact
Real-world CVEs caused by CWE-268
-
Chaining of user rights.
-
Gain certain rights via privilege chaining in alternate channel.
-
Application is allowed to assign extra permissions to itself.
-
"operator" user can overwrite usernames and passwords to gain admin privileges.
How attackers exploit it
Step-by-step attacker path
- 1
Identify a code path that handles untrusted input without validation.
- 2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
- 3
Deliver the payload through a normal request and observe the application's reaction.
- 4
Iterate until the response leaks data, executes attacker code, or escalates privileges.
Vulnerable code example
Vulnerable Java
This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.
public enum Roles {
ADMIN,OPERATOR,USER,GUEST
}
public void resetPassword(User requestingUser, User user, String password ){
if(isAuthenticated(requestingUser)){
switch(requestingUser.role){
case GUEST:
System.out.println("You are not authorized to perform this command");
break;
case USER:
System.out.println("You are not authorized to perform this command");
break;
default:
setPassword(user,password);
break;
}
}
else{
System.out.println("You must be logged in to perform this command");
}
} Secure code example
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-268
- Architecture and Design Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
- Architecture and Design / Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- Architecture and Design / Operation Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Detection signals
How to detect CWE-268
Run dynamic application security testing against the live endpoint.
Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.
Code review: flag any new code that handles input from this surface without using the validated framework helpers.
Plexicus auto-detects CWE-268 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-268?
How serious is CWE-268?
What languages or platforms are affected by CWE-268?
How can I prevent CWE-268?
How does Plexicus detect and fix CWE-268?
Where can I learn more about CWE-268?
Frequently asked questions
What is CWE-268?
Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow.
How serious is CWE-268?
MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.
What languages or platforms are affected by CWE-268?
MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.
How can I prevent CWE-268?
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
How does Plexicus detect and fix CWE-268?
Plexicus's SAST engine matches the data-flow signature for CWE-268 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-268?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/268.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-268
CWE-269 Parent
Improper Privilege Management
This vulnerability occurs when an application fails to correctly manage user permissions, allowing someone to perform actions or access…
CWE-250 Sibling
Execution with Unnecessary Privileges
This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege…
CWE-266 Sibling
Incorrect Privilege Assignment
This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not…
CWE-267 Sibling
Privilege Defined With Unsafe Actions
This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous,…
CWE-270 Sibling
Privilege Context Switching Error
This vulnerability occurs when an application fails to properly manage user permissions while moving between different security contexts,…
CWE-271 Sibling
Privilege Dropping / Lowering Errors
This vulnerability occurs when a system or process fails to reduce its elevated permissions before transferring control of a resource to a…
CWE-274 Sibling
Improper Handling of Insufficient Privileges
This vulnerability occurs when an application fails to properly manage situations where it lacks the necessary permissions to execute an…
CWE-648 Sibling
Incorrect Use of Privileged APIs
This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes…
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.