CWE-284 Pillar Incomplete

Improper Access Control

The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it.

Definition

What is CWE-284?

The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it.

Access control is a security cornerstone built on three pillars: verifying identity (authentication), checking permissions (authorization), and logging actions (accountability). When any of these fails, attackers can steal data, escalate privileges, run commands, or hide their activity. Weaknesses typically arise in two ways: first, through faulty specification, where resources are misconfigured (like world-writable files) or users are given incorrect privileges. Second, through faulty enforcement, where errors in the code allow users to bypass the intended security rules, even if the policy was correctly defined.

Real-world impact

Real-world CVEs caused by CWE-284

CVE-2022-24985

A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms
CVE-2022-29238

Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
CVE-2022-23607

Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect
CVE-2021-21972

Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
CVE-2021-37415

IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
CVE-2021-35033

Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
CVE-2020-10263

Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access
CVE-2020-13927

Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.

How attackers exploit it

Step-by-step attacker path

1
Identify a code path that handles untrusted input without validation.
2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
3
Deliver the payload through a normal request and observe the application's reaction.
4
Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable pseudo

MITRE has not published a code example for this CWE. The pattern below is illustrative — see Resources for canonical references.

Vulnerable pseudo

// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
  // Untrusted input flows directly into the sensitive sink.
  return executeUnsafe(input);
}

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-284

Architecture and Design / Operation Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Detection signals

How to detect CWE-284

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-284 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-284?

The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it.

How serious is CWE-284?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-284?

MITRE lists the following affected platforms: Not Technology-Specific, ICS/OT.

How can I prevent CWE-284?

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and…

How does Plexicus detect and fix CWE-284?

Plexicus's SAST engine matches the data-flow signature for CWE-284 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-284?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/284.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-284

CWE-1191 Child

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Improper Access Control

What is CWE-284?

Real-world CVEs caused by CWE-284

Step-by-step attacker path

Vulnerable pseudo

Secure pseudo

How to prevent CWE-284

How to detect CWE-284

Plexicus auto-detects CWE-284 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-284

On-Chip Debug and Test Interface With Improper Access Control

Insufficient Granularity of Access Control

Improper Restriction of Write-Once Bit Fields

Improper Prevention of Lock Bit Modification

Security-Sensitive Hardware Controls with Missing Lock Bit Protection

CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations