CWE · MITRE source
CWE-862: Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this weakness. The verdict is the strongest single mapping (overlapping partial mappings are not summed); the breadth figures show how much corroboration sits behind it.
Collective: full · 11 mappings from 5 frameworks: ATT&CK 5 (partial) · STIG RHEL 7: 2 (mostly) · STIG Oracle Linux 8: 2 (partial) · OWASP-Web 1 (full) · CAPEC 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
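The definition above is easiest to see in code: an endpoint that verifies who the caller is (authentication) but never asks whether that caller may act on this particular resource (authorization). The following is an added illustration, not code from the CWE entry or from any product it lists. The invoice store, the `Request` model, the `delete_invoice_*` handlers, the `authorize` decorator and the `owner_or_admin` policy are all constructed for this example.

```python
"""CWE-862 Missing Authorization: authenticated but unauthorized action.

Added illustration; every name and value below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional

# Constructed sample data: two users' invoices keyed by invoice id.
INVOICES: Dict[int, dict] = {
    101: {"owner": "alice", "total": 40.0},
    202: {"owner": "bob", "total": 99.5},
}


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an authenticated HTTP request."""
    user: Optional[str]            # None means no valid session at all
    roles: frozenset = frozenset() # e.g. frozenset({"admin"})


class Unauthenticated(PermissionError):
    """Maps to HTTP 401 in a real application."""


class Forbidden(PermissionError):
    """Maps to HTTP 403 in a real application."""


def delete_invoice_vulnerable(req: Request, invoice_id: int, store: Dict[int, dict]) -> bool:
    """CWE-862: the handler checks that *someone* is logged in, then acts.

    It never checks whether that someone may delete *this* invoice, so any
    authenticated user can delete any other user's invoice by guessing an id.
    """
    if req.user is None:
        raise Unauthenticated()
    store.pop(invoice_id)
    return True


def authorize(policy: Callable[[Request, dict], bool]):
    """Deny-by-default authorization wrapper run before the handler body.

    `policy(req, resource)` must return True for the call to proceed. A missing
    resource is reported as Forbidden rather than Not Found so that callers
    without rights cannot enumerate which ids exist.
    """
    def decorate(handler):
        @wraps(handler)
        def wrapper(req: Request, invoice_id: int, store: Dict[int, dict]):
            if req.user is None:
                raise Unauthenticated()
            resource = store.get(invoice_id)
            if resource is None or not policy(req, resource):
                raise Forbidden(f"{req.user} may not act on invoice {invoice_id}")
            return handler(req, invoice_id, store)
        return wrapper
    return decorate


def owner_or_admin(req: Request, invoice: dict) -> bool:
    """Constructed policy: the invoice owner or an admin may act on it."""
    return invoice["owner"] == req.user or "admin" in req.roles


@authorize(owner_or_admin)
def delete_invoice_fixed(req: Request, invoice_id: int, store: Dict[int, dict]) -> bool:
    """Same action as the vulnerable handler, now behind an explicit check."""
    store.pop(invoice_id)
    return True


def demo() -> Dict[str, bool]:
    """Run the same cross-user request through both handlers and report."""
    results: Dict[str, bool] = {}
    mallory = Request(user="mallory")          # logged in, owns nothing

    store = dict(INVOICES)
    delete_invoice_vulnerable(mallory, 202, store)
    results["vulnerable_deleted_others"] = 202 not in store   # True: bob's invoice gone

    store = dict(INVOICES)
    try:
        delete_invoice_fixed(mallory, 202, store)
        results["fixed_deleted_others"] = True
    except Forbidden:
        results["fixed_deleted_others"] = False                # False: blocked

    delete_invoice_fixed(Request(user="bob"), 202, store)
    results["fixed_owner_can_delete"] = 202 not in store       # True

    delete_invoice_fixed(Request(user="auditor", roles=frozenset({"admin"})), 101, store)
    results["fixed_admin_can_delete"] = 101 not in store       # True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the decorator is that the check cannot be forgotten per handler once every state-changing route opts in; in a real framework the same effect is better achieved by a middleware or route-registration hook that refuses to mount a handler without an attached policy. When reviewing for this weakness, look for handlers whose only gate is "is there a session" and for resource ids taken from the request that are never compared against the caller's identity or roles.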
NIST 800-53 r5 controls that address this weakness (57) [AI]
Showing the 15 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Requiring an access control policy ensures authorization checks are defined and applied for critical functions. |
| AC-13 | Supervision and Review — Access Control | AC | Withdrawn from 800-53 (incorporated into AC-2 and AU-6), so cite those in r5. Periodic review of who can reach what is how authorization checks that were never implemented get noticed. |
| AC-14 | Permitted Actions Without Identification or Authentication | AC | Documenting the actions permitted without authentication makes every exception explicit and subject to review, so an unauthorized path cannot exist silently. |
| PM-10 | Authorization Process | PM | Requiring documented authorization for system operation and critical functions means missing authorization controls are identified and corrected during the approval process. |
| PM-12 | Insider Threat Program | PM | A dedicated team with monitoring and response procedures detects insiders exploiting functions that lack authorization checks. |
| PM-18 | Privacy Program Plan | PM | A documented, approved set of privacy controls and role responsibilities makes omitting authorization checks on functions that handle personal information far less likely. |
| SC-14 | Public Access Protections | SC | Withdrawn from 800-53 in Rev 4; its capability is provided by AC-2, AC-3, AC-5, SI-3, SI-4, SI-5, SI-7 and SI-10, which together require authorization to be enforced before a public request can affect protected data or functions. |
| SC-15 | Collaborative Computing Devices and Applications | SC | Requires explicit activation and user indication for devices that can capture sensitive information, so activation cannot happen without an authorization step. |
| SC-26 | Decoys | SC | Monitored decoy resources log unauthorized access attempts, revealing where protected functions can be reached without an authorization check. |
| CA-2 | Control Assessments | CA | Control assessments test whether authorization is enforced for functions and resources, detecting missing authorization weaknesses. |
| CA-4 | Security Certification | CA | Withdrawn from 800-53 (incorporated into CA-2): the verification that authorization checks are present and operational is now part of control assessment. |
| CA-6 | Authorization | CA | Prevents systems from commencing operation without an authorizing official's approval, addressing missing authorization for critical functions at the system level. |
| PS-1 | Policy and Procedures | PS | The required procedures explicitly address authorization for personnel actions, lowering the incidence of missing authorization. |
| PS-6 | Access Agreements | PS | Mandating a signed agreement as a prerequisite for access implements a concrete authorization step that would otherwise be missing. |
| PS-7 | External Personnel Security | PS | Requires explicit authorization rules and termination notifications for external personnel, preventing missing authorization checks on retained credentials. |
The remaining 42 broadly-applicable controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-16 | Security and Privacy Attributes | AC | Requiring attributes to be associated with information supplies the security or privacy context that an authorization decision needs. |
| AC-17 | Remote Access | AC | Mandating authorization prior to allowing remote connections addresses missing authorization for remote access. |
| AC-18 | Wireless Access | AC | Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access. |
| AC-19 | Access Control for Mobile Devices | AC | Requires authorization before mobile device connections are allowed, directly mitigating missing authorization for system access. |
| AC-2 | Account Management | AC | Requiring approvals for account creation and specifying each account's authorizations ensures authorization is not missing for system access. |
| AC-20 | Use of External Systems | AC | Mandates authorization checks before permitting access or data processing via external systems. |
| AC-21 | Information Sharing | AC | Provides a mechanism for authorized users to verify the recipient's authorization before sharing, preventing sharing without an authorization check. |
| AC-24 | Access Control Decisions | AC | Requiring a decision for every access request prevents missing authorization checks that would otherwise allow unauthorized access. |
| AC-25 | Reference Monitor | AC | A reference monitor that is always invoked and cannot be bypassed prevents missing authorization checks for protected resources. |
| AC-3 | Access Enforcement | AC | Requiring enforcement of approved authorizations ensures checks are performed rather than omitted for resources. |
| AC-4 | Information Flow Enforcement | AC | Mandates authorization checks and enforcement for information flows, addressing missing authorization at flow boundaries. |
| PM-21 | Accounting of Disclosures | PM | Organizations must be able to justify every disclosure, which makes missing authorization for data release both detectable and operationally costly. |
| PM-23 | Data Governance Body | PM | Ensures missing authorization mechanisms for critical data functions are identified and remediated via policy. |
| PM-24 | Data Integrity Board | PM | Proposal review forces explicit authorization for each matching program, preventing matching from running without required approvals. |
| PM-27 | Privacy Reporting | PM | Monitoring privacy program compliance forces identification of missing authorization checks on personal data resources. |
| PM-29 | Risk Management Program Leadership Roles | PM | Leadership accountability for risk management makes missing authorization controls visible at the enterprise level and subject to remediation. |
| PM-5 | System Inventory | PM | An authoritative inventory helps ensure no organizational system is omitted from authorization enforcement checks. |
| SC-43 | Usage Restrictions | SC | Mandates authorization prior to allowing use of designated components, closing missing authorization paths. |
| SC-46 | Cross Domain Policy Enforcement | SC | Implementing the enforcement point directly addresses missing authorization checks for operations that cross security domains. |
| SC-50 | Software-enforced Separation and Policy Enforcement | SC | Requires explicit authorization checks as part of the policy enforced between separated components. |
| SC-51 | Hardware-based Protection | SC | Requires a physical or hardware action under controlled procedures before writes are possible, so writes cannot occur without an authorization step. |
| SC-7 | Boundary Protection | SC | Missing authorization for internal functions is mitigated by requiring all external access to traverse managed boundaries. |
| CA-9 | Internal System Connections | CA | Requiring explicit authorization for each internal connection prevents missing authorization. |
| PS-8 | Personnel Sanctions | PS | Makes bypassing or omitting authorization checks less likely by sanctioning responsible individuals for policy violations. |
| PT-1 | Policy and Procedures | PT | Requiring designated ownership and periodic updates ensures authorization checks are defined and maintained for PII operations. |
| PT-2 | Authority to Process Personally Identifiable Information | PT | Requires explicit determination and documentation of authority before any PII processing occurs, addressing missing authorization. |
| PT-4 | Consent | PT | Supplies the missing authorization check that would otherwise allow processing without user approval. |
| PT-8 | Computer Matching Requirements | PT | Eliminates missing authorization by requiring documented approval and agreements prior to initiating any computer matching program. |
| MA-2 | Controlled Maintenance | MA | Mandating explicit approval for removal of components for off-site maintenance addresses missing authorization for critical maintenance functions. |
| MA-5 | Maintenance Personnel | MA | Maintains lists of authorized personnel and verifies required access authorizations before allowing maintenance. |
| MA-7 | Field Maintenance | MA | Field maintenance is a critical function; the control supplies the missing authorization step by limiting it to specified entities. |
| IA-13 | Identity Providers and Authorization Servers | IA | Requiring authorization servers ensures authorization decisions are made for protected functions rather than left to each client. |
| IA-4 | Identifier Management | IA | Requires explicit authorization before any identifier can be assigned, preventing missing authorization. |
| PL-11 | Baseline Tailoring | PL | Tailoring scopes and augments the control baseline so that missing authorization checks are identified and addressed for the target system. |
| PL-4 | Rules of Behavior | PL | Users must acknowledge that access is granted only through proper authorization, directly addressing missing authorization. |
| RA-7 | Risk Response | RA | Missing authorization is frequently identified by security assessments; organizational risk-response procedures drive remediation, limiting an attacker's ability to invoke protected functionality. |
| RA-9 | Criticality Analysis | RA | Criticality analysis highlights functions that must be protected by authorization checks, mitigating missing authorization on those paths. |
| SA-14 | Criticality Analysis | SA | Withdrawn in Rev 5 (incorporated into RA-9); see RA-9 for the current control. |
| SA-3 | System Development Life Cycle | SA | Requiring security roles and risk processes throughout the SDLC ensures that authorization checks are identified as requirements and implemented for every sensitive operation. |
| AU-14 | Session Audit | AU | Session auditing detects missing authorization by exposing unauthorized actions taken within sessions. |
| CM-5 | Access Restrictions for Change | CM | Mandating authorization for changes prevents missing authorization checks on critical modification functions. |
| SI-9 | Information Input Restrictions | SI | Withdrawn from 800-53 (incorporated into AC-2, AC-3, AC-5 and AC-6); restricting who may supply input is now covered by those controls. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
Risk Priority is this site's own ranking score; CVSS is the base score; EPSS is the FIRST exploitation probability at the last update. KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog.
| CVE | Flags | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2021-30657 | KEV | 10.0 | 5.5 | 0.6853 | 2021-09-08 |
| CVE-2021-30713 | KEV | 10.0 | 7.8 | 0.0658 | 2021-09-08 |
| CVE-2021-39226 | KEV | 10.0 | 9.8 | 0.9989 | 2021-10-05 |
| CVE-2021-37976 | KEV | 10.0 | 6.5 | 0.1990 | 2021-10-08 |
| CVE-2022-0543 | KEV | 10.0 | 10.0 | 0.9967 | 2022-02-18 |
| CVE-2022-0492 | KEV UPD | 10.0 | 7.8 | 0.0553 | 2022-03-03 |
| CVE-2024-57726 | KEV | 10.0 | 9.9 | 0.0933 | 2025-01-15 |
| CVE-2023-52163 | KEV | 10.0 | 8.8 | 0.9643 | 2025-02-03 |
| CVE-2025-6205 | KEV UPD | 10.0 | 9.1 | 0.6917 | 2025-08-04 |
| CVE-2025-20362 | KEV | 10.0 | 6.5 | 0.8554 | 2025-09-25 |
| CVE-2025-40602 | KEV | 10.0 | 6.6 | 0.0191 | 2025-12-18 |
| CVE-2017-6622 | | 8.0 | 9.8 | 0.6217 | 2017-05-18 |
| CVE-2018-6000 | | 8.0 | 9.8 | 0.8420 | 2018-01-22 |
| CVE-2018-10093 | | 8.0 | 8.8 | 0.6868 | 2019-03-21 |
| CVE-2019-11248 | | 8.0 | 8.2 | 0.6114 | 2019-08-29 |
| CVE-2019-15954 | | 8.0 | 9.9 | 0.7920 | 2019-09-05 |
| CVE-2019-19985 | | 8.0 | 5.3 | 0.7140 | 2019-12-26 |
| CVE-2020-8772 | | 8.0 | 9.8 | 0.8787 | 2020-02-06 |
| CVE-2021-21307 | | 8.0 | 8.6 | 0.8919 | 2021-02-11 |
| CVE-2021-21978 | | 8.0 | 9.8 | 0.9900 | 2021-03-03 |
| CVE-2021-32172 | | 8.0 | 9.8 | 0.6643 | 2021-10-07 |
| CVE-2022-23944 | | 8.0 | 9.1 | 0.7901 | 2022-01-25 |
| CVE-2022-0218 | | 8.0 | 8.3 | 0.7051 | 2022-02-04 |
| CVE-2022-23642 | | 8.0 | 8.8 | 0.7431 | 2022-02-18 |
| CVE-2022-1329 | | 8.0 | 8.8 | 0.9294 | 2022-04-19 |