CWE-276 Incorrect Default Permissions
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged default permissions that are too permissive (files created world-readable/world-writable, buckets or resources opened broadly by default).
Why it matters
Excessive permissions allow unintended access to sensitive data.
- Data exposure: other users/processes can read secrets or private data.
- Tampering: overly broad write permissions enable modification and persistence.
- These issues often hide until production or multi-tenant environments.
Safer examples
1) Use least-privilege permissions on creation
Create files with owner-only permissions unless sharing is explicitly intended.
2) Separate public and private resources
If something must be public (static assets), keep it isolated from sensitive storage.
3) Review defaults in IaC and frameworks
Many exposures happen because defaults were accepted without review (see CLOUD01).
How SiteShadow detects it (high level)
- Flags "open permissions" patterns in configs and code where resources are created.
- Highlights defaults that grant broader access than typical secure baselines.
References
- CWE-276: https://cwe.mitre.org/data/definitions/276.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.