CWE · MITRE source
CWE-266: Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 11 mapping(s) from 8 framework(s): STIG ubuntu 24 04 2 (mostly) · STIG ubuntu 22 04 2 (partial) · ATT&CK 2 (partial) · OWASP-Web 1 (mostly) · STIG oracle linux 8 1 (partial) · STIG oracle linux 9 1 (partial) · STIG rhel 8 1 (partial) · STIG rhel 9 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A06:2025 Insecure Design.
NIST 800-53 r5 controls that address this weakness (5)
The first three are the most specific to this weakness; AC-5 and AC-6 are broadly applicable controls that address many weakness types.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles. |
| AC-13 | Supervision and Review — Access Control | AC | Regular reviews catch incorrect privilege assignments to users, roles, or processes. |
| AC-2 | Account Management | AC | Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments. |
| AC-5 | Separation of Duties | AC | The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement. |
| AC-6 | Least Privilege | AC | Ensures privileges are assigned only as necessary rather than incorrectly over-granted. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2026-48172 KEV UPD | 10.0 | 9.8 | 0.1891 | 2026-05-21 |
| CVE-2024-28000 | 8.0 | 9.8 | 0.6793 | 2024-08-21 |
| CVE-2025-27007 UPD | 8.0 | 9.8 | 0.5088 | 2025-05-01 |
| CVE-2019-10940 | 7.0 | 9.9 | 0.0121 | 2020-01-16 |
| CVE-2023-1174 | 7.0 | 9.8 | 0.0076 | 2023-05-24 |
| CVE-2024-2409 UPD | 7.0 | 9.8 | 0.0083 | 2024-03-29 |
| CVE-2024-24882 | 7.0 | 9.8 | 0.0211 | 2024-05-17 |
| CVE-2024-35700 | 7.0 | 9.8 | 0.0049 | 2024-06-04 |
| CVE-2024-37927 | 7.0 | 9.8 | 0.0049 | 2024-07-12 |
| CVE-2024-43153 | 7.0 | 9.8 | 0.0062 | 2024-08-13 |
| CVE-2024-25660 | 7.0 | 9.0 | 0.0053 | 2024-10-01 |
| CVE-2024-9863 | 7.0 | 9.8 | 0.0058 | 2024-10-17 |
| CVE-2024-49217 | 7.0 | 9.8 | 0.0046 | 2024-10-17 |
| CVE-2024-49322 | 7.0 | 9.8 | 0.0046 | 2024-10-17 |
| CVE-2024-50485 | 7.0 | 9.8 | 0.0095 | 2024-10-29 |
| CVE-2024-52442 | 7.0 | 9.8 | 0.0049 | 2024-11-20 |
| CVE-2024-54293 | 7.0 | 9.8 | 0.0061 | 2024-12-13 |
| CVE-2024-54363 | 7.0 | 9.8 | 0.0185 | 2024-12-16 |
| CVE-2024-54229 | 7.0 | 9.8 | 0.0043 | 2024-12-16 |
| CVE-2024-54383 | 7.0 | 9.8 | 0.0111 | 2024-12-18 |
| CVE-2024-56220 | 7.0 | 9.8 | 0.0045 | 2024-12-31 |
| CVE-2024-56071 | 7.0 | 9.8 | 0.0061 | 2024-12-31 |
| CVE-2024-56205 | 7.0 | 9.8 | 0.0061 | 2024-12-31 |
| CVE-2024-56040 | 7.0 | 9.8 | 0.0075 | 2024-12-31 |
| CVE-2024-56043 | 7.0 | 9.8 | 0.0061 | 2024-12-31 |