Cyber Resilience

CVE-2026-33430

Severity: High · LPE

Published: 26 March 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33430 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Beeware Briefcase. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Executable Installer File Permissions Weakness (T1574.005). EPSS ranks it at the 0.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-33430 is a vulnerability in Briefcase, a tool for converting Python projects into standalone native applications. It affects versions starting from 0.3.0 up to but not including 0.3.26, specifically when developers use Briefcase to generate Windows MSI installers for projects installed in per-machine scope (All Users). The issue stems from the template used to generate the WiX Source (WXS) file, which causes the installation process to create a directory that inherits all permissions from its parent directory. This misconfiguration, tied to CWE-732 (Incorrect Permission Assignment for Critical Resource), has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A low-privilege authenticated user on the target Windows system can exploit this vulnerability by replacing or modifying the binaries installed in the affected directory, depending on the parent directory's location chosen during installation. Exploitation requires local access and user interaction, such as an administrator subsequently running the altered binary. Successful exploitation allows the modified binary to execute with elevated privileges, potentially leading to high confidentiality, integrity, and availability impacts.

The vulnerability was fixed in Briefcase versions 0.3.26, 0.4.0, and 0.4.1 through updates to the Windows template files, as detailed in the project's GitHub security advisory (GHSA-r3r2-35v9-v238) and the related pull requests. Developers should re-run `briefcase create` on their projects so that the updated templates are used. As a workaround, the patch provided in the advisory can be applied manually to any existing Briefcase-generated .wxs file from version 0.3.24 or later.


Vulnerability details

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce a Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates a directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low-privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
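The inheritance condition described above can be audited in a generated .wxs file before the MSI is built. The script below is an added example, not Briefcase's template, the project's patch, or any code from the advisory; the sample WiX v3 markup, directory names and placeholder GUIDs are constructed, and the check assumes explicit `<Permission>` children under `<CreateFolder>` are how the folder ACL is pinned.

```python
"""Audit a WiX v3 .wxs file for install folders whose ACL is inherited or too broad.

Added example, not Briefcase's template or the project's patch: it reports every
<CreateFolder> with no explicit <Permission> (the CWE-732 inheritance condition in
the CVE above) and any <Permission> granting write rights to a broad group."""
import xml.etree.ElementTree as ET

WIX_NS = "http://schemas.microsoft.com/wix/2006/wi"  # WiX v3 schema namespace
NS = {"wix": WIX_NS}
BROAD_PRINCIPALS = {"Users", "Everyone", "Authenticated Users"}
WRITE_FLAGS = ("GenericAll", "GenericWrite", "Write", "FileAllRights",
               "CreateFile", "CreateChild", "Delete")

# Constructed sample (GUIDs are placeholders): APPLICATIONFOLDER inherits its
# parent ACL, DataFolder is locked down correctly, LogsFolder is writable by Users.
SAMPLE_WXS = f"""<?xml version="1.0"?>
<Wix xmlns="{WIX_NS}"><Fragment>
  <Directory Id="TARGETDIR" Name="SourceDir">
    <Directory Id="ProgramFiles64Folder">
      <Directory Id="APPLICATIONFOLDER" Name="ExampleApp">
        <Component Id="AppComp" Guid="PLACEHOLDER-GUID-1"><CreateFolder /></Component>
        <Directory Id="DataFolder" Name="data"><Component Id="DataComp" Guid="PLACEHOLDER-GUID-2">
          <CreateFolder><Permission User="Administrators" GenericAll="yes" />
            <Permission User="Users" GenericRead="yes" GenericExecute="yes" /></CreateFolder>
        </Component></Directory>
        <Directory Id="LogsFolder" Name="logs"><Component Id="LogsComp" Guid="PLACEHOLDER-GUID-3">
          <CreateFolder><Permission User="Users" GenericWrite="yes" /></CreateFolder>
        </Component></Directory>
      </Directory>
    </Directory>
  </Directory>
</Fragment></Wix>"""


def audit_folder_acls(wxs_text: str) -> list[tuple[str, str]]:
    """Return (directory Id, reason) for each folder created with a weak or inherited ACL."""
    root = ET.fromstring(wxs_text)
    findings = []
    for directory in root.iter(f"{{{WIX_NS}}}Directory"):
        for create in directory.findall("wix:Component/wix:CreateFolder", NS):
            # <CreateFolder Directory="X"/> targets X; otherwise the enclosing Directory.
            target = create.get("Directory") or directory.get("Id")
            perms = create.findall("wix:Permission", NS)
            if not perms:
                findings.append((target, "no explicit ACL; inherits parent permissions"))
                continue
            for perm in perms:
                user = perm.get("User", "")
                if user in BROAD_PRINCIPALS and any(perm.get(f) == "yes" for f in WRITE_FLAGS):
                    findings.append((target, f"write access granted to {user}"))
    return findings
```

Run it against a project's generated .wxs (for example `audit_folder_acls(open(path).read())`) as a pre-build check; an empty result means every created folder carries an explicit, non-broad ACL.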

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1574.005 Executable Installer File Permissions Weakness (Stealth)
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE describes weak directory permissions (CWE-732) created by Briefcase-generated MSI installers, directly enabling an attacker to replace installed binaries that are later executed by a higher-privileged user. This maps exactly to T1574.005 (Executable Installer File Permissions Weakness) under Hijack Execution Flow and secondarily to the parent technique T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-50931 (shared CWE-732)
CVE-2025-27688 (shared CWE-732)
CVE-2026-2637 (shared CWE-732)
CVE-2026-25112 (shared CWE-732)
CVE-2025-21325 (shared CWE-732)
CVE-2026-24834 (shared CWE-732)
CVE-2025-12985 (shared CWE-732)
CVE-2024-55411 (shared CWE-732)
CVE-2025-21571 (shared CWE-732)
CVE-2026-41217 (shared CWE-732)

Affected Assets

Vendor: beeware
Product: briefcase
Versions: 0.3.0 up to, but not including, 0.3.26

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: CM-6 (Configuration Settings). Enforces and documents secure configuration settings for installed directories and binaries to prevent permission inheritance from parent directories, directly mitigating the incorrect permission assignment.

Prevent: AC-6 (Least Privilege). Applies least privilege to restrict low-privilege authenticated users from writing to or modifying per-machine application binaries, preventing exploitation.

Detect: Monitors the integrity of software and binaries to detect unauthorized modifications by low-privilege users before elevated execution occurs.
