CWE-285β€”Improper Authorization

PUBLISHEDweakness recordHigh
released 2006-07-19 Β· last modified 2026-04-30
CWE-285 - Improper Authorization - Diagram

Metadata

CWE ID:
CWE-285
Abstraction:
Class
Structure:
Simple
Status:
Draft
Release Date:
2006-07-19
Latest Modification Date:
2026-04-30

Weakness Name

Improper Authorization

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Common Consequences

Scope:
Confidentiality
Impact:
Read Application Data, Read Files or Directories
Notes:
An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
Scope:
Integrity
Impact:
Modify Application Data, Modify Files or Directories
Notes:
An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Scope:
Access Control
Impact:
Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
Notes:
When access control checks are not applied consistently - or not at all - an attacker could gain privileges and execute unauthorized code or commands by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.

Related Weaknesses