CWE-285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action....

Verified by Precogs Threat Research
BASE SCORE
7.5 CRITICAL

Precogs AI Insight

"Precogs AI identifies improper authorization patterns through automated binary and source code analysis, detecting CWE-285 weaknesses before they reach production."

EXPLOIT PROBABILITYHigh
PUBLIC POCAvailable

What is CWE-285 (Improper Authorization)?

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Vulnerability Insights

Improper Authorization (CWE-285) represents a security risk across modern software systems. This weakness enables attackers to exploit access control flaws, potentially leading to unauthorized access, data exfiltration, or system compromise. Organizations should implement defense-in-depth strategies combining static analysis, runtime monitoring, and binary analysis.

Impact on Systems

  • Horizontal Privilege Escalation: Accessing other users' resources
  • Vertical Privilege Escalation: Gaining administrative capabilities

Real-World Attack Scenario

The attacker logs in as a standard user and intercepts the HTTP traffic. They observe that object identifiers (like user IDs or document IDs) are passed sequentially. By incrementing or modifying the ID in subsequent requests, they access resources belonging to other users or administrators because the server fails to verify authorization context.

Code Examples

Vulnerable Implementation

// VULNERABLE: Object-level access check missing
function getProfile(userId) {
    return db.find(userId);
}

Secure Alternative

// SECURE: Verifies caller owns the object
function getProfile(userId, activeSession) {
    if (activeSession.id !== userId && !activeSession.isAdmin) throw "Unauthorized";
    return db.find(userId);
}

Detection with Precogs AI

Precogs AI identifies improper authorization patterns through automated binary and source code analysis, detecting CWE-285 weaknesses before they reach production. Our analysis engine examines compiled artifacts without requiring source code access, identifying CWE-285 patterns in vendor software, containers, firmware, and third-party libraries.

Remediation

Implement proper access control controls following secure coding guidelines. Use automated scanning tools like Precogs AI to continuously monitor for CWE-285 vulnerabilities. Apply the principle of least privilege and validate all inputs from untrusted sources.

CVEs Classified Under CWE-28510 vulnerabilities

The following CVEs have been classified under CWE-285 (Improper Authorization). Each CVE represents a specific vulnerability instance of this weakness type.

CVE-2026-33186gRPC-Go is the Go language implementation of gRPC
CVSS 9.1CRITICALMar 20, 2026
CVE-2026-31836Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations
CVSS 8.1HIGHMar 20, 2026
CVE-2025-53944[AutoGPT] Authorization Bypass in Graph Execution External API
CVSS 8HIGHJul 29, 2025
CVE-2026-34056Broken Access Control in OpenEMR up to 8
CVSS 7.7HIGHMar 26, 2026
CVE-2026-32692An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3
CVSS 7.6HIGHMar 18, 2026
CVE-2026-21886OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables
CVSS 6.5MEDIUMMar 17, 2026
CVE-2026-32704SiYuan is a personal knowledge management system
CVSS 6.5MEDIUMMar 16, 2026
CVE-2026-4171A security vulnerability has been detected in CodeGenieApp serverless-express up to 4
CVSS 6.3MEDIUMMar 16, 2026
CVE-2026-34051Broken Access Control in OpenEMR Import/Export functionality before 8
CVSS 5.4MEDIUMMar 26, 2026
CVE-2026-31869Discourse is an open-source discussion platform
CVSS 0UNKNOWNMar 20, 2026