CWE · MITRE source
CWE-272: Least Privilege Violation
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
Last updated: 09 May 2026 03:25 UTC
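The pattern the description prescribes, as an added example written for this page (not MITRE's code): confine with chroot(), then permanently give up the elevated ids before doing any further work, and treat a partial drop as fatal. It targets Linux/glibc (getresuid/setresuid); the jail path and the unprivileged uid/gid 65534 in main are assumed placeholders.

```c
#define _GNU_SOURCE          /* getresuid/setresuid/setresgid on glibc */
#include <errno.h>
#include <grp.h>             /* setgroups */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only if real, effective AND saved ids all equal the target.
 * Checking the saved id matters: seteuid() alone leaves it at 0, so the
 * process could simply call seteuid(0) again later. */
int privileges_fully_dropped(uid_t uid, gid_t gid) {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) != 0) return -1;
    if (getresgid(&rgid, &egid, &sgid) != 0) return -1;
    if (ruid != uid || euid != uid || suid != uid) return -1;
    if (rgid != gid || egid != gid || sgid != gid) return -1;
    return 0;
}

/* Confine the process to root_dir (NULL = no chroot), then permanently give
 * up the privileged ids. Returns 0 on success, -1 with errno set on failure.
 * Order matters: chroot() needs root, so it comes first; chdir("/") stops the
 * working directory from staying outside the jail; groups and gid are dropped
 * before uid, because after the uid drop they can no longer be changed. */
int confine_and_drop(const char *root_dir, uid_t uid, gid_t gid) {
    if (root_dir != NULL) {
        if (chroot(root_dir) != 0) return -1;
        if (chdir("/") != 0) return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* A partial drop is a least-privilege violation in itself: fail closed. */
    if (privileges_fully_dropped(uid, gid) != 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    /* Assumed placeholders: jail directory and an unprivileged uid/gid. */
    const char *jail = "/var/empty";
    uid_t target_uid = 65534;
    gid_t target_gid = 65534;
    if (confine_and_drop(jail, target_uid, target_gid) != 0) {
        perror("confine_and_drop");
        return 1;
    }
    printf("running as uid %u inside %s\n", (unsigned)geteuid(), jail);
    return 0;
}
```

Run as root the program ends up as uid 65534 inside the jail; run unprivileged, chroot() fails and the program exits rather than continuing with a half-applied confinement.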
NIST 800-53 r5 controls that address this weakness (12)
The 10 most specific controls are listed first; the two broadly applicable controls (AC-5, AC-6) follow.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Review and update requirements help detect and correct least privilege violations in practice. |
| AC-13 | Supervision and Review — Access Control | AC | Access reviews verify and enforce adherence to least privilege by identifying excess permissions. |
| AC-2 | Account Management | AC | Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege. |
| PS-7 | External Personnel Security | PS | Enforces least-privilege principles for externals via role/responsibility definitions, transfer/termination notifications, and ongoing compliance checks. |
| PS-8 | Personnel Sanctions | PS | Directly addresses least-privilege violations by providing a deterrent and notification mechanism when policies are not followed. |
| PS-9 | Position Descriptions | PS | Incorporating least-privilege expectations into every position description makes violations of the principle harder to occur by default. |
| CM-7 | Least Functionality | CM | Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused. |
| PL-4 | Rules of Behavior | PL | The control mandates acknowledgment of least-privilege expectations, making violations by authorized users less likely. |
| PM-29 | Risk Management Program Leadership Roles | PM | The Risk Executive role ensures least privilege is applied uniformly rather than left to individual system owners or projects. |
| SA-14 | Criticality Analysis | SA | Criticality analysis supplies the information needed to enforce least privilege on the most important system elements, making violations of that principle less likely to exist in high-value targets. |
| AC-5 | Separation of Duties | AC | Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities. |
| AC-6 | Least Privilege | AC | Enforces the least privilege principle to avoid violations of minimal necessary access. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-24830 | 2.0 | 9.9 | 0.0012 | 2024-02-08 |
| CVE-2021-26726 | 1.8 | 8.8 | 0.0108 | 2022-02-16 |
| CVE-2024-25106 | 1.8 | 9.1 | 0.0008 | 2024-02-08 |
| CVE-2024-28824 | 1.8 | 8.8 | 0.0009 | 2024-03-22 |
| CVE-2025-7722 | 1.8 | 8.8 | 0.0008 | 2025-07-23 |
| CVE-2025-59106 | 1.8 | 8.8 | 0.0009 | 2026-01-26 |
| CVE-2024-35204 | 1.7 | 8.4 | 0.0002 | 2024-05-14 |
| CVE-2024-55954 | 1.7 | 8.7 | 0.0012 | 2025-01-16 |
| CVE-2024-0638 | 1.6 | 8.2 | 0.0006 | 2024-03-22 |
| CVE-2024-27165 | 1.6 | 7.8 | 0.0007 | 2024-06-14 |
| CVE-2024-28829 | 1.6 | 7.8 | 0.0008 | 2024-08-20 |
| CVE-2025-47809 | 1.6 | 8.2 | 0.0007 | 2025-05-16 |
| CVE-2025-9711 | 1.6 | 7.8 | 0.0001 | 2026-02-03 |
| CVE-2023-28047 | 1.5 | 7.3 | 0.0009 | 2023-04-20 |
| CVE-2023-32451 | 1.5 | 7.3 | 0.0003 | 2024-02-06 |
| CVE-2025-49144 | 1.5 | 7.3 | 0.0010 | 2025-06-23 |
| CVE-2025-8181 | 1.5 | 7.2 | 0.0047 | 2025-07-26 |
| CVE-2025-1384 | 1.4 | 7.0 | 0.0007 | 2025-07-14 |
| CVE-2025-8757 | 1.4 | 7.0 | 0.0002 | 2025-08-09 |
| CVE-2025-8758 | 1.4 | 7.0 | 0.0002 | 2025-08-09 |
| CVE-2023-28046 | 1.3 | 6.6 | 0.0010 | 2023-04-06 |
| CVE-2024-0798 | 1.3 | 6.5 | 0.0013 | 2024-02-26 |
| CVE-2025-68267 | 1.3 | 6.5 | 0.0002 | 2025-12-16 |
| CVE-2026-32655 | 1.1 | 5.3 | 0.0001 | 2026-04-27 |
| CVE-2026-23634 | 0.0 | 0.0 | 0.0001 | 2026-01-16 |