CWE · MITRE source
CWE-862: Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (57)
The 15 most specific controls are listed first; the 42 broadly applicable controls that address many weakness types follow.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Requiring an access control policy ensures authorization checks are defined and applied for critical functions. |
| AC-13 | Supervision and Review — Access Control | AC | Reviews of access controls detect missing authorization checks on critical functions or resources. |
| AC-14 | Permitted Actions Without Identification or Authentication | AC | Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review. |
| PM-10 | Authorization Process | PM | Requiring documented authorization for system operation and critical functions ensures missing authorization controls are identified and corrected during the approval process. |
| PM-12 | Insider Threat Program | PM | A dedicated team detects missing authorization checks being bypassed by insiders through monitoring and response procedures. |
| PM-18 | Privacy Program Plan | PM | Requiring a documented, approved set of privacy controls and role responsibilities makes omission of authorization checks for functions that handle personal information far less likely. |
| SC-14 | Public Access Protections | SC | Forces explicit authorization enforcement before any public request can affect protected data or functions. |
| SC-15 | Collaborative Computing Devices and Applications | SC | Eliminates missing authorization checks for activating devices that can capture sensitive information. |
| SC-26 | Decoys | SC | Decoys expose and log missing authorization flaws by serving as monitored targets for unauthorized function access attempts. |
| CA-2 | Control Assessments | CA | Control assessments determine whether authorization is enforced for functions and resources, detecting missing authorization weaknesses. |
| CA-4 | Security Certification | CA | Requires verification that authorization checks are present and operational for protected resources. |
| CA-6 | Authorization | CA | Prevents systems from commencing operations without assigned authorizing official approval, addressing missing authorization for critical functions. |
| PS-1 | Policy and Procedures | PS | The required procedures explicitly address authorization checks for personnel actions, lowering the incidence of missing authorization. |
| PS-6 | Access Agreements | PS | Mandating a signed agreement as a prerequisite for access implements a concrete authorization step that would otherwise be missing. |
| PS-7 | External Personnel Security | PS | Requires explicit authorization rules and termination notifications for external personnel, preventing missing authorization checks on retained credentials. |
| AC-16 | Security and Privacy Attributes | AC | Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context. |
| AC-17 | Remote Access | AC | Mandating authorization prior to allowing remote connections addresses missing authorization for remote access. |
| AC-18 | Wireless Access | AC | Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access. |
| AC-19 | Access Control for Mobile Devices | AC | The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access. |
| AC-2 | Account Management | AC | Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access. |
| AC-20 | Use of External Systems | AC | Mandates authorization checks before permitting access or data processing via external systems. |
| AC-21 | Information Sharing | AC | The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification. |
| AC-24 | Access Control Decisions | AC | Requiring a decision for every access request prevents missing authorization checks that would otherwise allow unauthorized access. |
| AC-25 | Reference Monitor | AC | Always invoking the reference monitor prevents missing authorization checks for protected resources. |
| AC-3 | Access Enforcement | AC | Requiring enforcement of authorizations ensures checks are performed rather than omitted for resources. |
| AC-4 | Information Flow Enforcement | AC | Mandates authorization checks and enforcement for all information flows, addressing missing authorization. |
| PM-21 | Accounting of Disclosures | PM | Organizations must be able to justify every disclosure, which makes missing authorization for data release both detectable and operationally costly. |
| PM-23 | Data Governance Body | PM | Ensures missing authorization mechanisms for critical data functions are identified and remediated via policy. |
| PM-24 | Data Integrity Board | PM | Proposal review forces explicit authorization checks for each matching program, preventing execution of matching without required approvals. |
| PM-27 | Privacy Reporting | PM | Monitoring privacy program compliance forces identification of missing authorization checks on personal data resources. |
| PM-29 | Risk Management Program Leadership Roles | PM | Leadership accountability for risk management makes missing authorization controls visible at the enterprise level and subject to remediation. |
| PM-5 | System Inventory | PM | An authoritative inventory ensures no organizational system is omitted from authorization enforcement checks. |
| SC-43 | Usage Restrictions | SC | The control mandates authorization prior to allowing use of designated components, eliminating missing authorization paths. |
| SC-46 | Cross Domain Policy Enforcement | SC | Implementing the enforcement point directly addresses missing authorization checks for operations that cross security domains. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Requires explicit authorization checks as part of the enforced policy between separated components. |
| SC-51 | Hardware-based Protection | SC | Eliminates missing authorization for writes by requiring physical/hardware action under controlled procedures. |
| SC-7 | Boundary Protection | SC | Missing authorization for internal functions is mitigated by requiring all external access to traverse managed boundaries. |
| CA-9 | Internal System Connections | CA | Requiring explicit authorization for each internal connection prevents missing authorization. |
| PS-8 | Personnel Sanctions | PS | Makes missing authorization checks or bypasses less likely by sanctioning responsible individuals for policy violations. |
| PT-1 | Policy and Procedures | PT | Requiring designated ownership and periodic updates ensures authorization checks are defined and maintained for PII operations. |
| PT-2 | Authority to Process Personally Identifiable Information | PT | Requires explicit determination and documentation of authority before any PII processing occurs, addressing missing authorization. |
| PT-4 | Consent | PT | The control supplies the missing authorization check that would otherwise allow processing without user approval. |
| PT-8 | Computer Matching Requirements | PT | Eliminates missing authorization by requiring documented approval and agreements prior to initiating any computer matching program. |
| MA-2 | Controlled Maintenance | MA | Mandating explicit approval for removal of components for off-site maintenance addresses missing authorization for critical maintenance functions. |
| MA-5 | Maintenance Personnel | MA | Maintains lists of authorized personnel and verifies required access authorizations before allowing maintenance. |
| MA-7 | Field Maintenance | MA | Field maintenance is a critical function; the control supplies the missing authorization step by limiting it to specified entities. |
| IA-13 | Identity Providers and Authorization Servers | IA | Requiring authorization servers ensures authorization is performed for protected functions. |
| IA-4 | Identifier Management | IA | Requires explicit authorization before any identifier can be assigned, preventing missing authorization. |
| PL-11 | Baseline Tailoring | PL | Tailoring ensures the authorization baseline is scoped and augmented so that missing authorization checks are identified and addressed for the target system. |
| PL-4 | Rules of Behavior | PL | Users must acknowledge that access is granted only through proper authorization, directly addressing missing authorization. |
| RA-7 | Risk Response | RA | Missing authorization is frequently identified by security assessments; organizational risk-response procedures drive remediation, directly limiting an attacker's ability to invoke protected functionality. |
| RA-9 | Criticality Analysis | RA | Criticality analysis highlights functions that must be protected by authorization checks, mitigating missing authorization on those paths. |
| SA-14 | Criticality Analysis | SA | Criticality analysis reveals functions that must be protected by authorization checks, making missing-authorization weaknesses far less likely to affect high-value operations. |
| SA-3 | System Development Life Cycle | SA | Requiring security roles and risk processes throughout the SDLC ensures that authorization checks are identified as requirements and implemented for every sensitive operation. |
| AU-14 | Session Audit | AU | Session auditing detects missing authorization by exposing unauthorized actions taken within sessions. |
| CM-5 | Access Restrictions for Change | CM | Mandating authorization for changes prevents missing authorization checks on critical modification functions. |
| SI-9 | Information Input Restrictions | SI | Prevents missing authorization checks for input operations by restricting the capability itself. |
Top CVEs of this weakness type, ranked by Risk Priority (KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog)
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-0543 (KEV) | 9.7 | 10.0 | 0.9440 | 2022-02-18 |
| CVE-2021-39226 (KEV) | 9.6 | 9.8 | 0.9435 | 2021-10-05 |
| CVE-2025-6205 (KEV) | 8.5 | 9.1 | 0.7772 | 2025-08-04 |
| CVE-2021-30657 (KEV) | 8.1 | 5.5 | 0.8308 | 2021-09-08 |
| CVE-2023-52163 (KEV) | 7.9 | 8.8 | 0.6950 | 2025-02-03 |
| CVE-2020-8772 | 7.6 | 9.8 | 0.9361 | 2020-02-06 |
| CVE-2023-6875 | 7.6 | 9.8 | 0.9368 | 2024-01-11 |
| CVE-2024-9234 | 7.6 | 9.8 | 0.9340 | 2024-10-11 |
| CVE-2021-21978 | 7.4 | 9.8 | 0.9050 | 2021-03-03 |
| CVE-2022-1329 | 7.4 | 8.8 | 0.9336 | 2022-04-19 |
| CVE-2024-4898 | 7.4 | 9.8 | 0.9011 | 2024-06-12 |
| CVE-2024-9707 | 7.4 | 9.8 | 0.9028 | 2024-10-11 |
| CVE-2018-6000 | 7.3 | 9.8 | 0.8973 | 2018-01-22 |
| CVE-2022-1020 | 7.3 | 9.8 | 0.8953 | 2022-04-18 |
| CVE-2023-25573 | 7.3 | 8.6 | 0.9363 | 2023-03-09 |
| CVE-2023-32117 | 7.3 | 9.8 | 0.8938 | 2024-12-09 |
| CVE-2021-21307 | 7.2 | 8.6 | 0.9206 | 2021-02-11 |
| CVE-2022-23944 | 7.2 | 9.1 | 0.8992 | 2022-01-25 |
| CVE-2021-45467 | 7.2 | 9.8 | 0.8813 | 2022-12-26 |
| CVE-2025-8943 | 7.2 | 9.8 | 0.8815 | 2025-08-14 |
| CVE-2019-11248 | 7.1 | 8.2 | 0.9101 | 2019-08-29 |
| CVE-2022-0952 | 7.1 | 8.8 | 0.8822 | 2022-05-02 |
| CVE-2022-4223 | 7.0 | 8.8 | 0.8779 | 2022-12-13 |
| CVE-2017-9232 | 6.9 | 9.8 | 0.8161 | 2017-05-28 |
| CVE-2019-16097 | 6.9 | 6.5 | 0.9367 | 2019-09-08 |