CWE-863 Class Incomplete High likelihood

Incorrect Authorization

This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access.

Definition

What is CWE-863?

This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access.

Incorrect authorization happens when the logic that verifies user permissions contains mistakes. For example, the app might check a user's role but forget to verify if they own the specific data they're trying to modify, leading to horizontal privilege escalation. It can also stem from missing checks entirely for certain application paths, or from relying on client-side controls that attackers can easily bypass. These flaws are often subtle and context-dependent, making them hard to catch in code reviews. While SAST tools can identify missing authorization patterns, Plexicus uses AI to analyze the specific business logic and suggest precise code fixes, helping developers close these security gaps efficiently and prevent data breaches.

Vulnerability Diagram CWE-863

Real-world impact

Real-world CVEs caused by CWE-863

CVE-2025-24839

collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property
CVE-2025-32796

LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints
CVE-2021-39155

Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.
CVE-2019-15900

Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).
CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.
CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

How attackers exploit it

Step-by-step attacker path

1
Identify a code path that handles untrusted input without validation.
2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
3
Deliver the payload through a normal request and observe the application's reaction.
4
Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable PHP

The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.

Vulnerable PHP

$role = $_COOKIES['role'];
  if (!$role) {
  	$role = getRole('user');
  	if ($role) {
  		// save the cookie to send out in future responses
  		setcookie("role", $role, time()+60*60*2);
  	}
  	else{
  		ShowLoginScreen();
  		die("\n");
  	}
  }
  if ($role == 'Reader') {
  	DisplayMedicalHistory($_POST['patient_ID']);
  }
  else{
  	die("You are not Authorized to view this record\n");
  }

Secure code example

Secure pseudo

// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-863

Architecture and Design Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Architecture and Design Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Architecture and Design For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page. One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
System Configuration / Installation Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Detection signals

How to detect CWE-863

Automated Static Analysis Limited

Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. Even if they can be customized to recognize these schemes, they might not be able to tell whether the scheme correctly performs the authorization in a way that cannot be bypassed or subverted by an attacker.

Automated Dynamic Analysis

Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.

Manual Analysis Moderate

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.

Manual Static Analysis - Binary or Bytecode SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer Forced Path Execution Monitored Virtual Environment - run potentially malicious code in sandbox / wrapper / virtual machine, see if it does anything suspicious

Plexicus auto-fix

Plexicus auto-detects CWE-863 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-863?

This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or incomplete, allowing unauthorized access.

How serious is CWE-863?

MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.

What languages or platforms are affected by CWE-863?

MITRE lists the following affected platforms: Web Server, Database Server.

How can I prevent CWE-863?

Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role. Ensure that access control checks are performed related to the business logic. These…

How does Plexicus detect and fix CWE-863?

Plexicus's SAST engine matches the data-flow signature for CWE-863 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-863?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/863.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-863

CWE-285 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Incorrect Authorization

What is CWE-863?

Real-world CVEs caused by CWE-863

Step-by-step attacker path

Vulnerable PHP

Secure pseudo

How to prevent CWE-863

How to detect CWE-863

Plexicus auto-detects CWE-863 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-863

Improper Authorization

Exposure of Sensitive Information Through Metadata

Improper Restriction of Software Interfaces to Hardware Features

Unprotected Confidential Information on Device is Accessible by OSAT Vendors

Security Version Number Mutable to Older Versions

Files or Directories Accessible to External Parties

Incorrect Permission Assignment for Critical Resource

Missing Authorization

Improper Export of Android Application Components

Further reading

Don't Let Security
Weigh You Down.

Incorrect Authorization

What is CWE-863?

Real-world CVEs caused by CWE-863

Step-by-step attacker path

Vulnerable PHP

Secure pseudo

How to prevent CWE-863

How to detect CWE-863

Plexicus auto-detects CWE-863 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-863

Improper Authorization

Exposure of Sensitive Information Through Metadata

Improper Restriction of Software Interfaces to Hardware Features

Unprotected Confidential Information on Device is Accessible by OSAT Vendors

Security Version Number Mutable to Older Versions

Files or Directories Accessible to External Parties

Incorrect Permission Assignment for Critical Resource

Missing Authorization

Improper Export of Android Application Components

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.