SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-266 Incorrect Privilege Assignment

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged privilege/role assignment that can grant more access than intended (wrong default role, client-controlled privilege fields, missing admin-only guards).

Why it matters

Incorrect privilege assignment can grant excessive access.

Safer examples

1) Make "least privilege" the default

New accounts should start with minimal permissions and require explicit elevation.

2) Don't accept role/permission fields from clients

Ignore fields like role, isAdmin, permissions in normal user flows (see API01).

3) Require re-auth/MFA for privilege changes

Role changes should be admin-only and require step-up auth (see MFA01).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.