CWE-862 (8145 CVEs) MITRE definition

CWE-862: Missing Authorization

Overview

CWE-862 (Missing Authorization) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact

Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Background details

Extended context from the CWE catalog (rendered from MITRE XHTML).

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.
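As an added illustration (not code from MITRE or from any product listed on this page), the UNIX owner/group/other model above turned into an authorization check, with a handler that skips the check (the CWE-862 pattern) beside one that calls it; all actor names, group names and mode bits are constructed for the example:

```python
# Added illustration of CWE-862 using the UNIX owner/group/other model described
# above. All names and data here are constructed for the example; this is not
# code from MITRE or from any product listed on this page.
from dataclasses import dataclass, field

# Permission bits within one class triple: read, write, execute.
PERM_BITS = {"read": 4, "write": 2, "execute": 1}


@dataclass
class Actor:
    name: str
    groups: frozenset = field(default_factory=frozenset)


@dataclass
class Resource:
    owner: str
    group: str
    mode: int          # e.g. 0o640: owner rw-, group r--, others ---
    contents: str = ""


def is_authorized(actor: Actor, res: Resource, perm: str) -> bool:
    """Decide like a UNIX ACL: pick the class the actor falls into, then test that class's bits."""
    bit = PERM_BITS[perm]
    if actor.name == res.owner:
        cls_bits = (res.mode >> 6) & 0o7      # owner triple
    elif res.group in actor.groups:
        cls_bits = (res.mode >> 3) & 0o7      # group-owner triple
    else:
        cls_bits = res.mode & 0o7             # all other users
    return bool(cls_bits & bit)


def overwrite_missing_authz(actor: Actor, res: Resource, data: str) -> bool:
    """CWE-862 pattern: the action is performed without consulting the ACL at all."""
    res.contents = data
    return True


def overwrite_checked(actor: Actor, res: Resource, data: str) -> bool:
    """Fixed form: deny unless the actor's class grants write on the resource."""
    if not is_authorized(actor, res, "write"):
        return False
    res.contents = data
    return True
```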

Applicable platforms

Kind Name Class Prevalence OS / CPE
language Not Language-Specific Undetermined
technology AI/ML Often
technology Web Server Often
technology Database Server Often
technology Not Technology-Specific Undetermined

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE Published Summary
CVE-2026-12105 2026-06-16 Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
CVE-2026-53866 2026-06-16 OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell i…
CVE-2026-53851 2026-06-16 OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger uninten…
CVE-2026-53850 2026-06-16 OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. A…
CVE-2026-53844 2026-06-16 OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Atta…
CVE-2026-10831 2026-06-16 A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a…
CVE-2025-14272 2026-06-16 A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including u…
CVE-2026-54190 2026-06-16 Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.
CVE-2026-52714 2026-06-16 Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.
CVE-2026-52711 2026-06-16 Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.
CVE-2026-40809 2026-06-16 Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.
CVE-2026-39490 2026-06-16 Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.
CVE-2026-2381 2026-06-16 The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions …
CVE-2025-68045 2026-06-16 Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
CVE-2026-9187 2026-06-16 The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing non…
CVE-2026-6964 2026-06-16 The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is…
CVE-2026-49775 2026-06-15 Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions.
CVE-2026-49070 2026-06-15 Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.
CVE-2026-49065 2026-06-15 Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.
CVE-2026-48887 2026-06-15 Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.

Content submission

Name: CWE Content Team
Organization: MITRE
Date: 2011-05-24
Version: 1.13

Content modifications

Date Name Version Importance Comment
2011-06-27 CWE Content Team 2.0 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-02-18 CWE Content Team 2.6 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Detection_Factors
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
2018-03-27 CWE Content Team 3.1 updated References
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-03-15 CWE Content Team 4.4 updated Alternate_Terms, Observed_Examples
2021-07-20 CWE Content Team 4.5 updated Observed_Examples, Related_Attack_Patterns, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples
2023-01-31 CWE Content Team 4.10 updated Description, Potential_Mitigations
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Taxonomy_Mappings
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships, Taxonomy_Mappings
2024-11-19 CWE Content Team 4.16 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
2025-09-09 CWE Content Team 4.18 updated Applicable_Platforms, Detection_Factors, Observed_Examples, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Applicable_Platforms, Observed_Examples, Relationships

Contributions

Type Name Date Comment
Content "Mapping CWE to 62443" Sub-Working Group 2023-04-25 Suggested mappings to ISA/IEC 62443.
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability