CWE-271 (Privilege Dropping / Lowering Errors) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-44477 | 2026-05-28 | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as th… |
| CVE-2026-35535 | 2026-04-03 | In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.… |
| CVE-2026-25704 | 2026-03-30 | A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in cosmic-greeter can allow an attacker to regain privileges that should have been dropped and a… |
| CVE-2025-53819 | 2025-07-14 | Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1.… |
| CVE-2025-23395 | 2025-05-26 | Screen 5.0.0 when it runs with setuid-root privileges does not drop privileges while operating on a user supplied path. This allows unprivileged users to create files in arbitrary locations with `root… |
| CVE-2024-35179 | 2024-05-15 | Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when using `RUN_AS_USER`, the specified user (and therefore, web interface admins) can read arbitrary files as root. This is… |
| CVE-2024-0985 | 2024-02-08 | Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions … |
| CVE-2023-38496 | 2023-07-25 | Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root… |
| CVE-2023-22648 | 2023-06-01 | A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to… |
| CVE-2022-3569 | 2022-10-17 | Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively c… |
| CVE-2020-35513 | 2021-01-26 | A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system) functionality was found in the way user create and delete object using NFSv4.2 or newer if bo… |
| CVE-2019-11243 | 2019-04-22 | In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certific… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description, Maintenance_Notes |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Potential_Mitigations |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Potential_Mitigations |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Potential_Mitigations |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |