SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-276 Incorrect Default Permissions

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged default permissions that are too permissive (files created world-readable/world-writable, buckets or resources opened broadly by default).

Why it matters

Excessive permissions allow unintended access to sensitive data.

Safer examples

1) Use least-privilege permissions on creation

Create files with owner-only permissions unless sharing is explicitly intended.

2) Separate public and private resources

If something must be public (static assets), keep it isolated from sensitive storage.

3) Review defaults in IaC and frameworks

Many exposures happen because defaults were accepted without review (see CLOUD01).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.