CWE-271: Privilege Dropping / Lowering Errors
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.
Last updated: 04 July 2026 14:16 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 4 mapping(s) from 1 framework(s): ATT&CK 4 (partial)
NIST 800-53 r5 controls that address this weakness (1)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| PS-5 | Personnel Transfer | PS | Mandates lowering or adjusting privileges to match new operational needs, reducing errors in privilege dropping during transfers. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2026-44477 | 7.0 | 9.9 | 0.0048 | 2026-05-28 |
| CVE-2019-11243 | 5.5 | 8.1 | 0.0149 | 2019-04-22 |
| CVE-2022-3569 | 5.5 | 7.8 | 0.0069 | 2022-10-17 |
| CVE-2023-22648 | 5.5 | 8.0 | 0.0045 | 2023-06-01 |
| CVE-2024-0985 | 5.5 | 8.0 | 0.0146 | 2024-02-08 |
| CVE-2025-23395 | 5.5 | 7.8 | 0.0020 | 2025-05-26 |
| CVE-2025-53819 | 5.5 | 7.9 | 0.0012 | 2025-07-14 |
| CVE-2026-35535 | 5.5 | 7.4 | 0.0017 | 2026-04-03 |
| CVE-2020-35513 | 3.5 | 4.9 | 0.0135 | 2021-01-26 |
| CVE-2023-38496 | 3.5 | 6.1 | 0.0024 | 2023-07-25 |
| CVE-2024-35179 | 3.5 | 6.8 | 0.0062 | 2024-05-15 |