Incorrect User Management

Status: Incomplete
Abstraction: Class
Structure: Simple
Description

This vulnerability occurs when an application incorrectly handles user accounts, roles, or group memberships, leading to improper access control.

Extended Description

Incorrect user management happens when an application's logic for assigning users to roles or groups is flawed. This often stems from bugs in user provisioning workflows, role assignment scripts, or synchronization with external directories. The core issue is that a user's effective permissions don't match the intended security policy, creating a gap between who should have access and who actually does. The most common and dangerous result is privilege escalation, where a user is placed into a more powerful group than intended. For example, a regular user might be incorrectly granted administrator privileges, or an external contractor could gain access to internal-only resources. This flaw directly undermines the application's authorization layer, allowing unauthorized viewing, modification, or deletion of sensitive data and functions.
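The gap the description names, between who should hold a privileged group and who actually does, can be audited directly. The following is an added example, not part of the CWE entry: it parses /etc/group-style records (constructed sample data, including a `wheel` group like the one in the observed examples), computes each user's effective supplementary groups, and reports members of privileged groups that the intended policy does not allow. The policy dictionary and the sample records are assumptions for illustration.

```python
"""Audit effective group membership against an intended access policy."""
from collections import defaultdict

# Constructed sample in /etc/group format: name:password:gid:member_list
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
docker:x:999:bob,carol
staff:x:50:alice,bob,carol,dave
"""

# Constructed intended policy: which users may be in each privileged group.
INTENDED = {"wheel": {"alice"}, "docker": {"carol"}, "root": set()}


def parse_group_file(text):
    """Return {group: set(members)} from /etc/group-style text (supplementary groups)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def effective_groups(groups):
    """Invert to {user: set(groups)} so each user's effective membership is visible."""
    by_user = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            by_user[member].add(group)
    return dict(by_user)


def audit(groups, intended):
    """Return sorted (user, group) pairs where a user holds a privileged group not in policy."""
    findings = []
    for group, allowed in intended.items():
        for user in groups.get(group, set()) - allowed:
            findings.append((user, group))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_group_file(GROUP_FILE)
    for user, group in audit(parsed, INTENDED):
        print(f"DRIFT: {user} is in privileged group '{group}' but policy does not allow it")
```

Running this on the sample data flags `bob` in both `wheel` and `docker`; in a real deployment the policy would come from the provisioning system of record rather than a literal.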

Common Consequences
Scope: Other

Impact: Varies by Context

Observed Examples
CVE-2022-36109: Containerization product does not record a user's supplementary group ID, allowing bypass of group restrictions.
CVE-1999-1193: Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
Applicable Platforms
Languages: Not Language-Specific (Undetermined)
Modes of Introduction
Architecture and Design
Implementation
Operation
Related Weaknesses
Taxonomy Mapping
  • PLOVER
Notes
Maintenance: The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (Improper Control of a Resource Through its Lifetime) and protection mechanism failures (Protection Mechanism Failure).
Maintenance: This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or "configuration". It also might be better expressed as a category than a weakness.