
CWE-281 (Improper Preservation of Permissions) — Vulnerability Class, 97 CVEs

97 vulnerabilities classified as CWE-281 (Improper Preservation of Permissions). AI Chinese analysis included.

CWE-281 represents a critical security weakness where software fails to maintain the intended access controls during file operations such as copying, restoring, or sharing. This flaw typically arises when developers rely on default system behaviors that reset permissions to more permissive states, inadvertently exposing sensitive data to unauthorized users. Attackers exploit this vulnerability by manipulating file transfer processes to gain elevated privileges or access restricted resources that should remain private. To mitigate this risk, developers must explicitly enforce permission preservation by using secure APIs that retain original access control lists during object manipulation. Implementing strict validation checks and avoiding generic file copy functions in favor of secure alternatives ensures that security boundaries remain intact. Regular code reviews focusing on file handling routines further help identify and correct these oversights before deployment.
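As an added illustration (not code from this listing or from any of the projects below), the "copy, then explicitly re-apply and verify the mode" pattern the paragraph describes, in Python: shutil.copyfile() creates the destination with umask-derived permissions, so a 0600 secret silently becomes 0644 under the usual 022 umask; the preserving variant re-applies the source mode and refuses a result that grants any bit the source did not. The file names and the demo() scenario are constructed.

```python
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager

@contextmanager
def _umask(mask):
    """Temporarily set the process umask (restored on exit) so results are deterministic."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def mode_of(path):
    """Permission bits only (rwx for user/group/other plus setuid/setgid/sticky)."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def extra_bits(src, dst):
    """Permission bits the copy grants that the original did not (0 means not widened)."""
    return mode_of(dst) & ~mode_of(src)

def naive_copy(src, dst):
    """CWE-281 pattern: copyfile() writes the data, but the new file's mode comes from the umask."""
    shutil.copyfile(src, dst)
    return mode_of(dst)

def preserving_copy(src, dst):
    """Create the destination private, copy, re-apply the source mode, then verify nothing widened."""
    with _umask(0o077):  # no data lands in a world-readable file, even for an instant
        shutil.copyfile(src, dst)
    os.chmod(dst, mode_of(src))
    widened = extra_bits(src, dst)
    if widened:
        os.remove(dst)  # fail closed rather than leave a more permissive copy behind
        raise PermissionError(f"copy widened permissions by {oct(widened)}")
    return mode_of(dst)

def demo():
    """Constructed scenario: a 0600 secret copied both ways; returns (naive_mode, naive_extra, safe_mode)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "secret.key")
        with open(src, "w") as f:
            f.write("constructed sample secret\n")
        os.chmod(src, 0o600)
        with _umask(0o022):  # the common default umask, pinned so the result is reproducible
            naive_mode = naive_copy(src, os.path.join(d, "naive.key"))
        naive_extra = extra_bits(src, os.path.join(d, "naive.key"))
        safe_mode = preserving_copy(src, os.path.join(d, "safe.key"))
        return naive_mode, naive_extra, safe_mode

if __name__ == "__main__":
    print(tuple(oct(m) for m in demo()))
```

The same extra_bits() check applies to restore and share paths: compare the object's effective permissions after the operation against the ones it had before, not just against a policy default.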

MITRE CWE Description
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Common Consequences (1)
Scope: Confidentiality, Integrity · Impact: Read Application Data, Modify Application Data
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-47270 | Synology Surveillance Station security vulnerability | Surveillance Station | 2.7 | Low | 2026-05-27 |
| CVE-2026-44832 | Snipe-IT: Privilege Escalation via API Permissions Assignment | snipe-it | - | - | 2026-05-26 |
| CVE-2026-24194 | NVIDIA Display Driver for Linux security vulnerability | GeForce | 7.8 | High | 2026-05-26 |
| CVE-2026-34600 | Joplin Server delta API returns note content after share access is revoked | joplin | 5.7 | Medium | 2026-05-19 |
| CVE-2026-25850 | filemanagement_storage_service has an improper preservation of permissions vulnerability | OpenHarmony | 5.5 | Medium | 2026-05-19 |
| CVE-2025-8325 | Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations | WSO2 API Control Plane | 6.3 | Medium | 2026-05-11 |
| CVE-2026-35361 | uutils coreutils mknod Security Label Inconsistency and Broken Cleanup on SELinux Systems | coreutils | 3.4 | Low | 2026-04-22 |
| CVE-2026-35351 | uutils coreutils mv Silent Ownership Loss in Cross-Device Operations | coreutils | 4.2 | Medium | 2026-04-22 |
| CVE-2026-35350 | uutils coreutils cp Unexpected Privileged Executable Creation with -p | coreutils | 6.6 | Medium | 2026-04-22 |
| CVE-2026-35385 | OpenSSH security vulnerability | OpenSSH | 7.5 | High | 2026-04-02 |
| CVE-2025-9615 | Networkmanager: networkmanager file access | Red Hat Enterprise Linux 10 | 8.1 (AI) | High (AI) | 2026-01-26 |
| CVE-2024-12125 | 3scale-porta: readonly fields not validated server-side | porta | 7.5 | High | 2025-11-06 |
| CVE-2025-37735 | Elastic Defend security vulnerability | Kibana | 7.0 | High | 2025-11-06 |
| CVE-2025-34298 | Nagios Log Server < 2024R1.3.2 Set Email Privilege Escalation | Log Server | 8.8 (AI) | High (AI) | 2025-10-30 |
| CVE-2023-32199 | Rancher user retains access to clusters despite Global Role removal | rancher | 4.3 | Medium | 2025-10-29 |
| CVE-2025-7346 | pyLoad security vulnerability | Pyload | 6.2 (AI) | Medium (AI) | 2025-07-08 |
| CVE-2025-43698 | Salesforce OmniStudio security vulnerability | OmniStudio | 8.1 (AI) | High (AI) | 2025-06-10 |
| CVE-2025-43697 | Salesforce OmniStudio security vulnerability | OmniStudio | 6.5 (AI) | Medium (AI) | 2025-06-10 |
| CVE-2025-43701 | Salesforce OmniStudio security vulnerability | OmniStudio | 4.3 (AI) | Medium (AI) | 2025-06-10 |
| CVE-2025-43700 | Salesforce OmniStudio security vulnerability | OmniStudio | 6.5 (AI) | Medium (AI) | 2025-06-10 |
| CVE-2025-27247 | Pasteboard has an improper preservation of permissions vulnerability | OpenHarmony | 5.5 | Medium | 2025-06-08 |
| CVE-2025-27563 | security_access_token has an improper preservation of permissions vulnerability | OpenHarmony | 3.3 | Low | 2025-06-08 |
| CVE-2025-26693 | security_access_token has an improper preservation of permissions vulnerability | OpenHarmony | 3.3 | Low | 2025-06-08 |
| CVE-2025-26691 | telephony_call_manager has an improper preservation of permissions vulnerability | OpenHarmony | 5.5 | Medium | 2025-06-08 |
| CVE-2024-46941 | SystemUI component protection settings vulnerability | SystemUI | 4.3 (AI) | Medium (AI) | 2025-06-06 |
| CVE-2025-43026 | HP Support Assistant – Potential Escalation of Privilege | HP Support Assistant | 7.8 (AI) | High (AI) | 2025-06-05 |
| CVE-2025-32697 | Cascading protection is not preventing file reversions | MediaWiki | 8.2 (AI) | High (AI) | 2025-04-10 |
| CVE-2025-32696 | "reupload-own" restriction can be bypassed by reverting file | MediaWiki | 7.5 (AI) | High (AI) | 2025-04-10 |
| CVE-2025-0914 | Velociraptor Shell Plugin Prevent_execve Bypass | Velociraptor | 3.8 | Low | 2025-02-27 |
| CVE-2024-53994 | Potential bypass of chat permissions in Discourse | discourse | 4.3 | Medium | 2025-02-04 |

Scores and severities marked (AI) carried an AI badge on the original listing; a "-" means no score was shown.

Vulnerabilities classified as CWE-281 (Improper Preservation of Permissions) represent 97 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.