CWE-266 Incorrect Privilege Assignment
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged privilege/role assignment that can grant more access than intended (wrong default role, client-controlled privilege fields, missing admin-only guards).
Why it matters
Incorrect privilege assignment can grant excessive access.
- Privilege escalation: users gain admin/staff capabilities.
- Persistent compromise: once stored, bad privileges remain until fixed.
- High blast radius: privileged roles can access/export/modify everything.
Safer examples
1) Make "least privilege" the default
New accounts should start with minimal permissions and require explicit elevation.
2) Don't accept role/permission fields from clients
Ignore fields like role, isAdmin, permissions in normal user flows (see API01).
3) Require re-auth/MFA for privilege changes
Role changes should be admin-only and require step-up auth (see MFA01).
How SiteShadow detects it (high level)
- Flags client-controlled privilege fields flowing into persistence or security decisions.
- Detects admin-only operations without strong guards.
References
- CWE-266: https://cwe.mitre.org/data/definitions/266.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.