NIST 800-53 r5 · Controls catalogue · Family AC
AC-24Access Control Decisions
{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Requiring a decision for every access request prevents missing authorization checks that would otherwise allow unauthorized access. |
CWE-284 | Improper Access Control | 4,832 | Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks. |
CWE-863 | Incorrect Authorization | 3,234 | Applying decisions to each request prior to enforcement mitigates incorrect authorization by enforcing consistent policy evaluation. |
CWE-639 | Authorization Bypass Through User-Controlled Key | 1,837 | Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process. |
CWE-285 | Improper Authorization | 1,230 | The control mandates authorization decisions for each access request, reducing the ability to exploit improper authorization weaknesses. |
CWE-425 | Direct Request ('Forced Browsing') | 255 | Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-41428 | 1.8 | 9.1 | 0.0007 | good |
CVE-2026-25811 | 1.8 | 9.1 | 0.0005 | good |
CVE-2026-35604 | 1.6 | 8.1 | 0.0006 | good |
CVE-2026-2370 | 1.6 | 8.1 | 0.0001 | good |
CVE-2025-20229 | 2.3 | 8.0 | 0.1125 | good |
CVE-2024-9617 | 2.2 | 6.5 | 0.1556 | good |
CVE-2025-66956 | 2.0 | 9.9 | 0.0012 | partial |
CVE-2025-26853 | 2.0 | 10.0 | 0.0040 | good |
CVE-2025-10611 | 2.0 | 9.8 | 0.0028 | good |
CVE-2025-0637 | 2.0 | 9.8 | 0.0025 | good |
CVE-2026-25809 | 2.0 | 9.8 | 0.0010 | good |
CVE-2026-32924 | 2.0 | 9.8 | 0.0006 | good |
CVE-2026-25875 | 2.0 | 9.8 | 0.0007 | partial |
CVE-2025-39477 | 2.0 | 9.8 | 0.0008 | good |
CVE-2025-45968 | 2.0 | 9.8 | 0.0034 | good |
CVE-2025-50870 | 2.0 | 9.8 | 0.0031 | good |
CVE-2025-49701 | 1.9 | 8.8 | 0.0182 | good |
CVE-2026-33068 | 1.8 | 8.8 | 0.0012 | good |
CVE-2025-1270 | 1.8 | 9.1 | 0.0009 | good |
CVE-2024-50687 | 1.8 | 9.1 | 0.0017 | good |
CVE-2026-27071 | 1.8 | 9.1 | 0.0006 | good |
CVE-2025-27507 | 1.8 | 9.0 | 0.0016 | good |
CVE-2026-5652 | 1.8 | 9.0 | 0.0010 | partial |
CVE-2023-7317 | 1.8 | 8.8 | 0.0029 | good |
CVE-2025-64523 | 1.8 | 8.8 | 0.0011 | good |