NIST 800-53 r5 · Controls catalogue · Family AC
AC-24Access Control Decisions
{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 8 mapping(s) from 3 framework(s): ASVS 5.0 6 (partial) · CSF 2.0 1 (mostly) · OWASP-Web 1 (partial)
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 9,346 | Requiring a decision for every access request prevents missing authorization checks that would otherwise allow unauthorized access. |
CWE-284 | Improper Access Control | 5,367 | Ensuring access control decisions are made and applied to every request before enforcement directly prevents improper access control by requiring policy-based checks. |
CWE-863 | Incorrect Authorization | 3,515 | Applying decisions to each request prior to enforcement mitigates incorrect authorization by enforcing consistent policy evaluation. |
CWE-639 | Authorization Bypass Through User-Controlled Key | 2,141 | Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process. |
CWE-285 | Improper Authorization | 1,356 | The control mandates authorization decisions for each access request, reducing the ability to exploit improper authorization weaknesses. |
CWE-425 | Direct Request ('Forced Browsing') | 265 | Forcing a decision on every access request, including direct ones, reduces the exploitability of forced browsing by ensuring no unchecked access paths. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-41428 | 7.0 | 9.1 | 0.0044 | good |
CVE-2026-25811 | 7.0 | 9.1 | 0.0027 | good |
CVE-2026-35604 | 5.5 | 8.1 | 0.0033 | good |
CVE-2026-2370 UPD | 5.5 | 8.1 | 0.0043 | good |
CVE-2026-21862 | 5.5 | 7.5 | 0.0021 | good |
CVE-2022-43939 KEV | 10.0 | 8.6 | 0.9227 | good |
CVE-2025-66956 | 7.0 | 9.9 | 0.0058 | partial |
CVE-2025-26853 | 7.0 | 10.0 | 0.0039 | good |
CVE-2025-10611 | 7.0 | 9.8 | 0.0078 | good |
CVE-2025-0637 | 7.0 | 9.8 | 0.0044 | good |
CVE-2026-25809 | 7.0 | 9.8 | 0.0031 | good |
CVE-2026-32924 | 7.0 | 9.8 | 0.0031 | good |
CVE-2025-1270 | 7.0 | 9.1 | 0.0033 | good |
CVE-2024-50687 | 7.0 | 9.1 | 0.0041 | good |
CVE-2026-27071 | 7.0 | 9.1 | 0.0030 | good |
CVE-2025-27507 | 7.0 | 9.0 | 0.0058 | good |
CVE-2026-5652 | 7.0 | 9.0 | 0.0044 | partial |
CVE-2026-27471 | 7.0 | 9.1 | 0.0032 | good |
CVE-2026-25875 | 7.0 | 9.8 | 0.0029 | partial |
CVE-2026-25810 | 7.0 | 9.1 | 0.0025 | good |
CVE-2025-70985 | 7.0 | 9.1 | 0.0038 | good |
CVE-2026-20897 UPD | 7.0 | 9.1 | 0.0042 | good |
CVE-2025-39477 | 7.0 | 9.8 | 0.0030 | good |
CVE-2025-45968 UPD | 7.0 | 9.8 | 0.0058 | good |
CVE-2025-50870 UPD | 7.0 | 9.8 | 0.0036 | good |