CWE-1220: Insufficient Granularity of Access Control
low-risk
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
Abstraction: Base
Common Consequences
Confidentiality → Modify Memory
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-42365 | 7.4 | 31.9% | — |
| CVE-2023-43040 | 6.5 | 6.2% | — |
| CVE-2022-1177 | 4.3 | 3.3% | — |
| CVE-2025-31201 | 9.8 | 2.3% | Y |
| CVE-2022-1461 | 6.5 | 1.6% | — |
| CVE-2023-33127 | 8.1 | 1.5% | — |
| CVE-2025-32703 | 5.5 | 1.0% | — |
| CVE-2024-43604 | 5.7 | 0.7% | — |
| CVE-2023-27591 | 7.5 | 0.5% | — |
| CVE-2024-8927 | 7.5 | 0.4% | — |
1 / 100 · low-risk
Active Threat: 1/50 · Minimal
Exploit Availability: 0/50 · Minimal