A01:2025 Broken Access Control

OWASP Top 10:2025 · Back to the list

Authorization decisions fail or are bypassed, letting users do or see things they shouldn't. Includes path traversal, IDOR, missing function-level access checks, and CSRF.

Related on the LLM side: OWASP Top 10 for LLMs LLM02:2025.

Member CWEs (40)

• CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-23 Relative Path Traversal
• CWE-36 Absolute Path Traversal
• CWE-59 Improper Link Resolution Before File Access ('Link Following')
• CWE-61 UNIX Symbolic Link (Symlink) Following
• CWE-65 Windows Hard Link
• CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
• CWE-201 Insertion of Sensitive Information Into Sent Data
• CWE-219 Storage of File with Sensitive Data Under Web Root
• CWE-276 Incorrect Default Permissions
• CWE-281 Improper Preservation of Permissions
• CWE-282 Improper Ownership Management
• CWE-283 Unverified Ownership
• CWE-284 Improper Access Control
• CWE-285 Improper Authorization
• CWE-352 Cross-Site Request Forgery (CSRF)
• CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
• CWE-377 Insecure Temporary File
• CWE-379 Creation of Temporary File in Directory with Insecure Permissions
• CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
• CWE-424 Improper Protection of Alternate Path
• CWE-425 Direct Request ('Forced Browsing')
• CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
• CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
• CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
• CWE-540 Inclusion of Sensitive Information in Source Code
• CWE-548 Exposure of Information Through Directory Listing
• CWE-552 Files or Directories Accessible to External Parties
• CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
• CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
• CWE-615 Inclusion of Sensitive Information in Source Code Comments
• CWE-639 Authorization Bypass Through User-Controlled Key
• CWE-668 Exposure of Resource to Wrong Sphere
• CWE-732 Incorrect Permission Assignment for Critical Resource
• CWE-749 Exposed Dangerous Method or Function
• CWE-862 Missing Authorization
• CWE-863 Incorrect Authorization
• CWE-918 Server-Side Request Forgery (SSRF)
• CWE-922 Insecure Storage of Sensitive Information
• CWE-1275 Sensitive Cookie with Improper SameSite Attribute

Tagged CVEs (showing 50 most recent of 57,092)

• CVE-2026-9152
• CVE-2026-9136
• CVE-2026-9129
• CVE-2026-9102
• CVE-2026-9087
• CVE-2026-8967
• CVE-2026-8966
• CVE-2026-8965
• CVE-2026-8958
• CVE-2026-8802
• CVE-2026-8786
• CVE-2026-8784
• CVE-2026-8770
• CVE-2026-8768
• CVE-2026-8766
• CVE-2026-8765
• CVE-2026-8758
• CVE-2026-8757
• CVE-2026-8756
• CVE-2026-8755
• CVE-2026-8754
• CVE-2026-8752
• CVE-2026-8750
• CVE-2026-8747
• CVE-2026-8743
• CVE-2026-8736
• CVE-2026-8725
• CVE-2026-8706
• CVE-2026-8704
• CVE-2026-8681
• CVE-2026-8629
• CVE-2026-8612
• CVE-2026-8610
• CVE-2026-8604
• CVE-2026-8586
• CVE-2026-8566
• CVE-2026-8556
• CVE-2026-8547
• CVE-2026-8545
• CVE-2026-8495
• CVE-2026-8487
• CVE-2026-8425
• CVE-2026-8424
• CVE-2026-8423
• CVE-2026-8420
• CVE-2026-8419
• CVE-2026-8418
• CVE-2026-8407
• CVE-2026-8328
• CVE-2026-8320

Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1436).