CVE-2026-33430
Published: 26 March 2026
Summary
CVE-2026-33430 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Beeware Briefcase. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Executable Installer File Permissions Weakness (T1574.005). The CVE is ranked at the 0.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-33430 is a vulnerability in Briefcase, a tool for converting Python projects into standalone native applications. It affects versions starting from 0.3.0 up to but not including 0.3.26, specifically when developers use Briefcase to generate Windows MSI installers for projects installed in per-machine scope (All Users). The issue stems from the template used to generate the WiX Source (WXS) file, which causes the installation process to create a directory that inherits all permissions from its parent directory. This misconfiguration, tied to CWE-732 (Incorrect Permission Assignment for Critical Resource), has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
A low-privilege authenticated user on the target Windows system can exploit this vulnerability by replacing or modifying the binaries installed in the affected directory, depending on the parent directory's location chosen during installation. Exploitation requires local access and user interaction, such as an administrator subsequently running the altered binary. Successful exploitation allows the modified binary to execute with elevated privileges, potentially leading to high confidentiality, integrity, and availability impacts.
The vulnerability was fixed in Briefcase versions 0.3.26, 0.4.0, and 0.4.1 through updates to the Windows template files, as detailed in the project's GitHub security advisory (GHSA-r3r2-35v9-v238) and related pull requests. Developers should re-run `briefcase create` on their projects to apply the updated templates. As a workaround, the provided patch can be manually added to any existing Briefcase-generated .wxs file from version 0.3.24 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16260
Vulnerability details
Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce a Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates a directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low-privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
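The following script is an added example (not Briefcase's own code and not the project's patch) that audits a generated .wxs file for directories created without an explicit ACL. It assumes standard WiX v3 semantics, under which a CreateFolder element with no Permission or PermissionEx child leaves the new directory inheriting the permissions of its parent directory, which is the condition this advisory describes.

```python
# Added example (not Briefcase's code, not the project's patch): flag every
# WiX <CreateFolder> that carries no explicit <Permission>/<PermissionEx>,
# since such a directory inherits the ACL of its parent directory.
import xml.etree.ElementTree as ET

WIX_NS = "http://schemas.microsoft.com/wix/2006/wi"


def wix(tag: str) -> str:
    """Qualify a WiX element name with the WiX v3 namespace."""
    return f"{{{WIX_NS}}}{tag}"


def find_inheriting_dirs(wxs_text: str) -> list[str]:
    """Return the Directory Ids that are created without an explicit ACL."""
    root = ET.fromstring(wxs_text)
    parent_of = {child: p for p in root.iter() for child in p}
    flagged = []
    for cf in root.iter(wix("CreateFolder")):
        if any(c.tag in (wix("Permission"), wix("PermissionEx")) for c in cf):
            continue  # explicit ACL present; parent inheritance is overridden
        dir_id = cf.get("Directory")  # CreateFolder may name its target directly
        node = parent_of.get(cf)
        while dir_id is None and node is not None:  # else use the enclosing <Directory>
            dir_id = node.get("Id") if node.tag == wix("Directory") else None
            node = parent_of.get(node)
        flagged.append(dir_id or "<unknown>")
    return flagged


# Constructed sample: INSTALLFOLDER gets no ACL, DATADIR gets an explicit one.
SAMPLE_WXS = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"><Fragment>
  <Directory Id="TARGETDIR" Name="SourceDir">
    <Directory Id="ProgramFilesFolder">
      <Directory Id="INSTALLFOLDER" Name="ExampleApp">
        <Component Id="AppDir" Guid="*"><CreateFolder/></Component>
        <Directory Id="DATADIR" Name="data">
          <Component Id="DataDir" Guid="*"><CreateFolder>
            <Permission User="Administrators" GenericAll="yes"/>
            <Permission User="Users" GenericRead="yes" GenericExecute="yes"/>
          </CreateFolder></Component>
        </Directory>
      </Directory>
    </Directory>
  </Directory>
</Fragment></Wix>"""

if __name__ == "__main__":
    print("directories inheriting the parent ACL:", find_inheriting_dirs(SAMPLE_WXS))
```

Run it against the .wxs file Briefcase generated for your project; any Id it reports under a per-machine install root is a directory whose ACL is whatever the parent folder happened to grant.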
CWE(s)
- CWE-732 (Incorrect Permission Assignment for Critical Resource)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes weak directory permissions (CWE-732) created by Briefcase-generated MSI installers, directly enabling an attacker to replace installed binaries that are later executed by a higher-privileged user. This maps exactly to T1574.005 (Executable Installer File Permissions Weakness) under Hijack Execution Flow and secondarily to T1068 (Exploitation for Privilege Escalation).
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): enforces and documents secure configuration settings for installed directories and binaries to prevent permission inheritance from parent directories, directly mitigating incorrect permission assignment.
- AC-6 (Least Privilege): restricts low-privilege authenticated users from writing to or modifying per-machine application binaries, preventing exploitation.
- Software integrity monitoring: monitors the integrity of software and binaries to detect unauthorized modifications by low-privilege users before elevated execution occurs.