A01:2025 Broken Access Control
Authorization decisions fail or are bypassed, letting users do or see things they shouldn't. Includes path traversal, IDOR, missing function-level access checks, and CSRF.
Related on the LLM side: OWASP Top 10 for LLMs LLM02:2025.
Member CWEs (40)
- CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23 Relative Path Traversal
- CWE-36 Absolute Path Traversal
- CWE-59 Improper Link Resolution Before File Access ('Link Following')
- CWE-61 UNIX Symbolic Link (Symlink) Following
- CWE-65 Windows Hard Link
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
- CWE-201 Insertion of Sensitive Information Into Sent Data
- CWE-219 Storage of File with Sensitive Data Under Web Root
- CWE-276 Incorrect Default Permissions
- CWE-281 Improper Preservation of Permissions
- CWE-282 Improper Ownership Management
- CWE-283 Unverified Ownership
- CWE-284 Improper Access Control
- CWE-285 Improper Authorization
- CWE-352 Cross-Site Request Forgery (CSRF)
- CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
- CWE-377 Insecure Temporary File
- CWE-379 Creation of Temporary File in Directory with Insecure Permissions
- CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
- CWE-424 Improper Protection of Alternate Path
- CWE-425 Direct Request ('Forced Browsing')
- CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
- CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
- CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
- CWE-540 Inclusion of Sensitive Information in Source Code
- CWE-548 Exposure of Information Through Directory Listing
- CWE-552 Files or Directories Accessible to External Parties
- CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
- CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
- CWE-615 Inclusion of Sensitive Information in Source Code Comments
- CWE-639 Authorization Bypass Through User-Controlled Key
- CWE-668 Exposure of Resource to Wrong Sphere
- CWE-732 Incorrect Permission Assignment for Critical Resource
- CWE-749 Exposed Dangerous Method or Function
- CWE-862 Missing Authorization
- CWE-863 Incorrect Authorization
- CWE-918 Server-Side Request Forgery (SSRF)
- CWE-922 Insecure Storage of Sensitive Information
- CWE-1275 Sensitive Cookie with Improper SameSite Attribute
Mapped NIST 800-53 r5 controls (3)
Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Tagged CVEs (showing 50 most recent of 59,810)
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1436).