CWE · MITRE source
CWE-266: Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (5). The 3 most specific are listed first; the 2 broadly-applicable controls that address many weakness types follow.

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles. |
| AC-13 | Supervision and Review — Access Control | AC | Regular reviews catch incorrect privilege assignments to users, roles, or processes. |
| AC-2 | Account Management | AC | Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments. |
| AC-5 | Separation of Duties | AC | The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement. |
| AC-6 | Least Privilege | AC | Ensures privileges are assigned only as necessary rather than incorrectly over-granted. |
Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-28000 | 7.5 | 9.8 | 0.9206 | 2024-08-21 |
| CVE-2025-27007 | 6.8 | 9.8 | 0.8147 | 2025-05-01 |
| CVE-2024-24882 | 4.9 | 9.8 | 0.4828 | 2024-05-17 |
| CVE-2024-22145 | 4.7 | 8.8 | 0.4886 | 2024-05-17 |
| CVE-2024-54363 | 4.3 | 9.8 | 0.3820 | 2024-12-16 |
| CVE-2025-47539 | 3.6 | 9.8 | 0.2790 | 2025-05-23 |
| CVE-2024-50485 | 3.3 | 9.8 | 0.2191 | 2024-10-29 |
| CVE-2025-34112 | 3.0 | 0.0 | 0.4968 | 2025-07-15 |
| CVE-2022-20759 | 2.6 | 8.8 | 0.1339 | 2022-05-03 |
| CVE-2018-1088 | 2.3 | 8.1 | 0.1078 | 2018-04-18 |
| CVE-2024-54383 | 2.3 | 9.8 | 0.0534 | 2024-12-18 |
| CVE-2026-23550 | 2.3 | 9.8 | 0.0485 | 2026-01-14 |
| CVE-2019-10940 | 2.0 | 9.9 | 0.0017 | 2020-01-16 |
| CVE-2023-1174 | 2.0 | 9.8 | 0.0009 | 2023-05-24 |
| CVE-2024-2409 | 2.0 | 9.8 | 0.0025 | 2024-03-29 |
| CVE-2024-35700 | 2.0 | 9.8 | 0.0063 | 2024-06-04 |
| CVE-2024-37927 | 2.0 | 9.8 | 0.0054 | 2024-07-12 |
| CVE-2024-43153 | 2.0 | 9.8 | 0.0073 | 2024-08-13 |
| CVE-2024-9863 | 2.0 | 9.8 | 0.0068 | 2024-10-17 |
| CVE-2024-49217 | 2.0 | 9.8 | 0.0030 | 2024-10-17 |
| CVE-2024-49322 | 2.0 | 9.8 | 0.0034 | 2024-10-17 |
| CVE-2024-52442 | 2.0 | 9.8 | 0.0020 | 2024-11-20 |
| CVE-2024-54293 | 2.0 | 9.8 | 0.0043 | 2024-12-13 |
| CVE-2024-54229 | 2.0 | 9.8 | 0.0024 | 2024-12-16 |
| CVE-2024-56220 | 2.0 | 9.8 | 0.0014 | 2024-12-31 |