CWE · MITRE source
CWE-285: Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (103)
The 15 most specific controls are listed first; the 88 more broadly applicable controls, which address many weakness types, follow them in the same table.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Documented procedures facilitate correct implementation and ongoing management of authorization decisions. |
| AC-13 | Supervision and Review — Access Control | AC | Periodic reviews identify and correct flaws in authorization decisions or enforcement. |
| AC-14 | Permitted Actions Without Identification or Authentication | AC | The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication. |
| PM-1 | Information Security Program Plan | PM | The control requires authorization mechanisms and senior approval to prevent unauthorized viewing or alteration of the plan. |
| PM-10 | Authorization Process | PM | The control explicitly manages authorization decisions and integrates them into risk management, making incorrect or incomplete authorization decisions less likely to persist. |
| PM-11 | Mission and Business Process Definition | PM | By determining authorization and protection needs arising from business processes, the control reduces improper authorization weaknesses in how operations are structured. |
| SC-14 | Public Access Protections | SC | Mandates authorization checks so public access cannot perform disallowed operations or modifications. |
| SC-15 | Collaborative Computing Devices and Applications | SC | Requires explicit authorization decisions before any remote activation of collaborative hardware or apps. |
| SC-16 | Transmission of Security and Privacy Attributes | SC | Security attributes carried with data allow consistent authorization decisions between components and external systems. |
| PS-1 | Policy and Procedures | PS | Procedures define authorization decisions tied to hiring, transfer, and termination, reducing the likelihood of improper authorization decisions. |
| PS-3 | Personnel Screening | PS | Screening verifies trustworthiness prior to granting rights, making it harder for attackers to exploit improper authorization by placing malicious or unqualified personnel in authorized roles. |
| PS-4 | Personnel Termination | PS | Terminating authorizations and privileges ensures that access rights no longer apply to the individual, reducing improper authorization risks. |
| CM-12 | Information Location | CM | Documenting access to processing and storage locations helps ensure correct authorization for information resources. |
| CM-13 | Data Action Mapping | CM | Documenting data actions helps ensure proper authorization is enforced for each action involving sensitive data. |
| CM-3 | Configuration Change Control | CM | Mandates explicit authorization and approval for configuration-controlled changes with security considerations. |
| AC-16 | Security and Privacy Attributes | AC | Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data. |
| AC-17 | Remote Access | AC | Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization. |
| AC-18 | Wireless Access | AC | The control explicitly requires authorization of each wireless access type prior to permitting connections. |
| AC-19 | Access Control for Mobile Devices | AC | Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access. |
| AC-2 | Account Management | AC | Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions. |
| AC-20 | Use of External Systems | AC | Requires explicit authorization for individuals to use external systems to access or handle organization-controlled information. |
| AC-21 | Information Sharing | AC | It mandates explicit checks to confirm the sharing partner's authorizations align with the information's access and use restrictions. |
| AC-22 | Publicly Accessible Content | AC | Authorization checks via training and content reviews ensure only approved information is released to public systems. |
| AC-23 | Data Mining Protection | AC | Detects and blocks data mining attempts that violate intended authorization boundaries for data access. |
| AC-24 | Access Control Decisions | AC | The control mandates authorization decisions for each access request, reducing the ability to exploit improper authorization weaknesses. |
| AC-25 | Reference Monitor | AC | Ensures authorization decisions are always performed by a complete and analyzable reference monitor. |
| AC-3 | Access Enforcement | AC | The control requires checking and applying authorization decisions per policy, preventing improper authorization. |
| AC-4 | Information Flow Enforcement | AC | Requires and applies authorization decisions specifically to control information flows based on policy. |
| AC-5 | Separation of Duties | AC | The control requires authorizations to be structured around separated duties, mitigating improper authorization that would otherwise allow one user to perform conflicting operations. |
| AC-6 | Least Privilege | AC | Requires authorization to grant only the minimal privileges needed for tasks. |
| AC-8 | System Use Notification | AC | Mandating user acknowledgment of usage conditions prior to access strengthens authorization by ensuring consent is obtained as part of the decision to grant entry. |
| PM-12 | Insider Threat Program | PM | Incident handling team identifies and mitigates authorization failures that allow insiders to perform unauthorized actions. |
| PM-18 | Privacy Program Plan | PM | By requiring documented privacy program management controls, role assignments, and senior-official approval, the control ensures authorization decisions for personal information are planned, coordinated, and periodically updated rather than left ad-hoc. |
| PM-19 | Privacy Program Leadership Role | PM | Leadership role coordinates development of authorization policies and mechanisms required to meet privacy requirements. |
| PM-2 | Information Security Program Leadership Role | PM | Centralized security program leadership ensures authorization rules and checks are defined, implemented, and sustained. |
| PM-23 | Data Governance Body | PM | Establishes accountability for authorization decisions and enforcement on data handling and access. |
| PM-24 | Data Integrity Board | PM | Mandatory review of matching proposals catches and prevents authorization decisions that would allow data use beyond permitted purposes. |
| PM-26 | Complaint Management | PM | Complaints about authorization failures are logged, acknowledged, and resolved within defined time bounds, making it harder for attackers to rely on long-lived authorization weaknesses. |
| PM-27 | Privacy Reporting | PM | Regular privacy compliance dissemination and review detect authorization failures that allow unauthorized access to protected information. |
| PM-29 | Risk Management Program Leadership Roles | PM | Organization-level risk governance improves authorization consistency and prevents authorization decisions made without enterprise risk context. |
| PM-32 | Purposing | PM | Enforces that authorization rules remain consistent with the documented intended purpose of each resource. |
| PM-4 | Plan of Action and Milestones Process | PM | Ensures authorization weaknesses discovered via assessments are captured with concrete remediation plans aligned to organizational risk strategy. |
| PM-7 | Enterprise Architecture | PM | Architecture planning establishes authorization policies and enforcement points across systems, reducing improper authorization flaws. |
| PM-8 | Critical Infrastructure Plan | PM | The plan mandates documented authorization rules and checks to govern who can perform actions on key infrastructure components. |
| PM-9 | Risk Management Strategy | PM | Comprehensive risk strategy includes authorization requirements and reviews, making improper authorization harder to overlook or exploit. |
| SC-26 | Decoys | SC | Decoys identify and block exploitation of improper authorization by providing monitored targets that mimic protected functions. |
| SC-32 | System Partitioning | SC | Partitioning limits authorization scope by confining subjects and objects to distinct environments. |
| SC-43 | Usage Restrictions | SC | Explicit authorization step before component use prevents actions that bypass intended authorization checks. |
| SC-46 | Cross Domain Policy Enforcement | SC | The control enforces explicit authorization policies on all traffic and data flows between domains, mitigating improper or missing authorization decisions. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Enforces policy-based authorization decisions between the separated subjects and objects. |
| SC-51 | Hardware-based Protection | SC | Requires explicit authorization (via manual hardware procedures) before any write is possible, preventing unauthorized modifications. |
| SC-7 | Boundary Protection | SC | Communications are authorized only through managed boundary devices and segmented subnetworks. |
| PS-5 | Personnel Transfer | PS | Triggers modification of authorizations to reflect changed operational need, directly addressing improper authorization after role changes. |
| PS-6 | Access Agreements | PS | The control enforces explicit authorization via signed agreements and periodic re-authorization, reducing the chance that access is granted or retained without proper approval. |
| PS-7 | External Personnel Security | PS | Defines authorization boundaries and revocation procedures for external providers, limiting improper or lingering authorization decisions. |
| PS-8 | Personnel Sanctions | PS | Deters improper authorization decisions by personnel via a formal sanctions and notification process. |
| PS-9 | Position Descriptions | PS | Explicitly stated responsibilities per position improve the accuracy and consistency of authorization decisions tied to those roles. |
| CM-4 | Impact Analyses | CM | Evaluating change impacts helps avoid deployment of incorrect or missing authorization logic. |
| CM-5 | Access Restrictions for Change | CM | Requiring definition, approval, and enforcement of access rules for changes addresses improper authorization of modifications. |
| CM-7 | Least Functionality | CM | By limiting enabled features to only those needed, the control strengthens authorization by removing opportunities for unauthorized use of excess functionality. |
| CM-9 | Configuration Management Plan | CM | Establishes roles, responsibilities, and authorization processes for all configuration management activities. |
| PT-1 | Policy and Procedures | PT | Documented procedures and management commitment directly support consistent authorization decisions during PII processing. |
| PT-2 | Authority to Process Personally Identifiable Information | PT | Mandates determining authority and limiting processing to what is authorized, preventing improper authorization over personal data. |
| PT-3 | Personally Identifiable Information Processing Purposes | PT | Requires authorization decisions for PII processing to be limited to explicitly documented compatible purposes. |
| PT-4 | Consent | PT | Requiring affirmative consent implements an authorization decision for each instance of PII collection or use. |
| PT-5 | Privacy Notice | PT | Mandating disclosure of the specific authority that authorizes PII processing and the exact purposes directly surfaces authorization decisions, reducing the viability of hidden or improper authorization. |
| PT-8 | Computer Matching Requirements | PT | Mandates explicit authorization via agreements and board approval, preventing unauthorized or out-of-scope use of personal data in matching programs. |
| CA-1 | Policy and Procedures | CA | Requiring documented authorization policy and procedures ensures authorization decisions follow defined, consistent processes instead of ad-hoc practices. |
| CA-3 | Information Exchange | CA | Documenting authorization requirements and responsibilities for each exchange ensures authorization decisions are explicitly defined and managed. |
| CA-4 | Security Certification | CA | The process verifies authorization mechanisms function as intended before system approval. |
| CA-6 | Authorization | CA | Mandates explicit acceptance and authorization of controls by a senior official, directly reducing improper authorization configurations. |
| CA-9 | Internal System Connections | CA | Documenting security requirements and authorizing connections ensures correct authorization decisions. |
| MP-1 | Policy and Procedures | MP | Procedures enforce authorization rules for media handling, making unauthorized actions harder to perform without detection. |
| MP-2 | Media Access | MP | Limiting media access to authorized parties addresses improper authorization for resource access. |
| MP-3 | Media Marking | MP | Security markings on media enable correct authorization decisions by indicating required protections before media is accessed, transferred, or reused. |
| MP-5 | Media Transport | MP | Requiring authorization for media transport activities prevents improper authorization of resource handling. |
| PE-1 | Policy and Procedures | PE | Procedures establish authorization rules for physical and environmental access, limiting improper authorization. |
| PE-10 | Emergency Shutoff | PE | Protecting the shutoff from unauthorized activation enforces proper authorization for this critical operation. |
| PE-16 | Delivery and Removal | PE | Requires explicit authorization for items and components entering or leaving the facility. |
| PE-7 | Visitor Control | PE | Requires explicit authorization (badges, escorts, logs) before visitors can reach sensitive areas or equipment. |
| CP-10 | System Recovery and Reconstitution | CP | Reconstitution restores proper authorization policies and enforcement that may have been altered. |
| CP-13 | Alternative Security Mechanisms | CP | Supplies backup authorization methods to block unauthorized actions when the primary authorization process is unavailable or compromised. |
| CP-6 | Alternate Storage Site | CP | Ensuring equivalent authorization at the alternate site reduces the ability to exploit improper authorization for retrieving backup information. |
| MA-2 | Controlled Maintenance | MA | Requiring explicit approval for maintenance activities and component removal enforces proper authorization for critical system operations. |
| MA-5 | Maintenance Personnel | MA | Requires verification of access authorizations and designation of supervisors for maintenance personnel without proper authorizations. |
| MA-7 | Field Maintenance | MA | The control requires explicit authorization for maintenance activities, preventing unauthorized parties from performing them. |
| PL-2 | System Security and Privacy Plans | PL | Requires describing authorization-related controls, roles, and risk determinations to ensure proper enforcement of access decisions. |
| PL-7 | Concept of Operations | PL | By requiring a clear statement of how authorization decisions are made and enforced during operations, the control reduces gaps that allow improper authorization to be exploited. |
| PL-8 | Security and Privacy Architectures | PL | The control mandates describing authorization approaches integrated into the enterprise architecture, directly reducing improper authorization risks. |
| SA-14 | Criticality Analysis | SA | Criticality analysis identifies functions whose authorization decisions must be correct, making improper authorization flaws less likely to remain exploitable in those areas. |
| SA-16 | Developer-provided Training | SA | Training on authorization functions and controls reduces authorization bypasses stemming from incorrect setup or use. |
| SA-3 | System Development Life Cycle | SA | Incorporating security considerations and risk management into every SDLC phase ensures authorization logic is properly specified, implemented, and tested rather than added ad hoc. |
| AT-3 | Role-based Training | AT | Role-based training addresses authorization requirements and checks, lowering the risk of improper authorization. |
| AT-4 | Training Records | AT | Monitoring training records supports enforcement of authorization rules by ensuring staff understand and follow authorization procedures before performing actions. |
| AU-14 | Session Audit | AU | Auditing session actions allows identification of improper authorization decisions and enforcement failures. |
| AU-6 | Audit Record Review, Analysis, and Reporting | AU | Audit analysis reports findings of improper authorization, reducing the impact of such weaknesses. |
| IA-13 | Identity Providers and Authorization Servers | IA | Dedicated authorization servers support policy-based decisions, mitigating improper authorization. |
| IA-4 | Identifier Management | IA | Mandates authorization for identifier assignment, reducing risks of improper authorization. |
| RA-3 | Risk Assessment | RA | The control requires determining likelihood and impact of unauthorized actions, directly surfacing and mitigating authorization weaknesses. |
| RA-8 | Privacy Impact Assessments | RA | Conducting PIAs before development forces review and improvement of authorization logic protecting personal data, reducing bypass opportunities. |
| SI-1 | Policy and Procedures | SI | Documented authorization procedures ensure consistent checks before allowing changes to system state or data, limiting exploitation of missing or incorrect authorization. |
| SI-9 | Information Input Restrictions | SI | Implements authorization checks on who may supply information to the system. |
| SR-7 | Supply Chain Operations Security | SR | Authorization decisions required by OPSEC prevent unauthorized actors from obtaining supply-chain details. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-28799 (KEV) | 9.5 | 10.0 | 0.9084 | 2021-05-13 |
| CVE-2024-34257 | 7.3 | 9.8 | 0.8962 | 2024-05-08 |
| CVE-2025-29927 | 7.3 | 9.1 | 0.9206 | 2025-03-21 |
| CVE-2023-2227 | 7.2 | 9.1 | 0.9045 | 2023-04-21 |
| CVE-2023-32707 | 6.7 | 8.8 | 0.8268 | 2023-06-01 |
| CVE-2022-3229 | 6.3 | 9.8 | 0.7219 | 2023-02-06 |
| CVE-2016-5676 | 6.1 | 7.5 | 0.7623 | 2016-08-31 |
| CVE-2023-22480 | 6.0 | 7.3 | 0.7559 | 2023-01-14 |
| CVE-2019-1898 | 5.8 | 5.3 | 0.7868 | 2019-06-20 |
| CVE-2024-51479 | 5.8 | 7.5 | 0.7155 | 2024-12-17 |
| CVE-2023-48241 | 5.7 | 7.5 | 0.6919 | 2023-11-20 |
| CVE-2024-45387 | 5.0 | 9.9 | 0.5055 | 2024-12-23 |
| CVE-2021-39341 | 4.3 | 8.2 | 0.4432 | 2021-11-01 |
| CVE-2016-3352 | 3.7 | 8.8 | 0.3289 | 2016-09-14 |
| CVE-2025-66301 | 3.5 | 9.6 | 0.2622 | 2025-12-01 |
| CVE-2019-7489 | 3.2 | 9.8 | 0.2107 | 2019-12-23 |
| CVE-2016-4531 | 2.7 | 7.3 | 0.2096 | 2016-07-28 |
| CVE-2019-1912 | 2.6 | 9.1 | 0.1221 | 2019-08-07 |
| CVE-2017-6044 | 2.4 | 9.8 | 0.0769 | 2017-06-30 |
| CVE-2023-21549 | 2.3 | 8.8 | 0.0906 | 2023-01-10 |
| CVE-2021-25374 | 2.2 | 8.6 | 0.0764 | 2021-04-09 |
| CVE-2025-29659 | 2.2 | 9.8 | 0.0422 | 2025-04-21 |
| CVE-2016-5063 | 2.1 | 5.3 | 0.1686 | 2017-05-02 |
| CVE-2017-11398 | 2.1 | 8.8 | 0.0535 | 2018-01-19 |
| CVE-2021-42126 | 2.1 | 8.8 | 0.0574 | 2021-12-07 |