CWE-286: Incorrect User Management

The product does not properly manage a user within its environment.

CWE-286 · Class level (high abstraction) · 2 CVEs

Description

Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects.

Potential Impact

Scope: Other. Technical impact: varies by context. In the CVE examples listed on this page the concrete result is either privilege escalation (a user placed in a root-equivalent group) or bypass of group-based access restrictions (a process holding, or failing to hold, the supplementary group IDs it should).

Real-World CVE Examples

CVE ID           Description
CVE-2022-36109   Containerization product does not record a user's supplementary group ID, allowing bypass of group restrictions.
CVE-1999-1193    Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.

Taxonomy Mappings

  • PLOVER: User management errors

Frequently Asked Questions

What is CWE-286?

CWE-286 (Incorrect User Management) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not properly manage a user within its environment.

How can CWE-286 be exploited?

The impact depends on what the mismanaged user can reach, so it varies by context. In the examples above, a user placed in the wrong group inherits that group's rights: membership in wheel leads to root, and a supplementary group ID that is not recorded or applied correctly lets a process read or act on objects that were meant to be restricted to that group. This weakness is typically introduced during the Architecture and Design, Implementation, or Operation phases of development.

How do I prevent CWE-286?

This is a user and group management error rather than a recognizable code pattern, so generic SAST/DAST advice catches little of it. Apply least privilege when assigning users to groups and review the membership of privileged groups such as wheel. When a product switches identity before running a less-trusted workload (a container runtime, a daemon dropping privileges), set the supplementary group list explicitly (setgroups or initgroups) before changing the primary GID and then the UID, and verify the resulting credentials afterwards. Code review and automated tests still help if they assert on the effective uid, gid and group list, not merely on the sequence of calls.
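The following Python is an added example written for this page; it is not code from MITRE, from the CWE site, or from either product named in the CVE table. It covers the two situations the CVE examples describe and the prevention advice above: a POSIX-style access check that honours supplementary groups, an identity switch that either clears the parent's supplementary group list (correct) or leaves it in place, an audit of /etc/group-format text for users placed in privileged groups such as wheel, and a real privilege drop in the correct order. The names Cred, FileMeta, switch_user, audit_privileged_groups, drop_privileges, the sample group lines and the uid/gid values are all constructed for the illustration, and the "leaky switch" is one common way a supplementary-group defect arises, not a reproduction of CVE-2022-36109's exact mechanics.

```python
"""Group handling behind CWE-286, as a self-contained simulation.
Constructed illustration: a supplementary-group-aware access check, an
identity switch done right and wrong, an /etc/group audit for privileged
group membership, and a real (root-only) privilege drop in the safe order."""
import os
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (owner/group/other)

@dataclass(frozen=True)
class Cred:
    """Process credentials: uid, primary gid and supplementary group IDs."""
    uid: int
    gid: int
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class FileMeta:
    """Object metadata: owner uid, owning gid and permission bits (e.g. 0o640)."""
    uid: int
    gid: int
    mode: int

def can_access(cred: Cred, f: FileMeta, want: int) -> bool:
    """POSIX class selection: owner if uid matches, else group if the primary
    gid OR any supplementary group matches, else other. uid 0 is deliberately
    not special-cased so the group logic stays visible."""
    if cred.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif cred.gid == f.gid or f.gid in cred.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def switch_user(current: Cred, uid: int, gid: int, groups=(),
                *, clear_supplementary: bool = True) -> Cred:
    """Model of a privileged parent switching to a less-trusted identity.
    With clear_supplementary=False the parent's supplementary groups survive
    the switch, so the workload keeps group access it was never granted."""
    new_groups = frozenset(groups)
    if not clear_supplementary:
        new_groups |= current.groups
    return Cred(uid=uid, gid=gid, groups=new_groups)

def audit_privileged_groups(group_file: str,
                            privileged=("root", "wheel", "sudo")) -> dict:
    """Parse /etc/group-format lines (name:pw:gid:member,member) and return
    {group: [members]} for privileged groups that have explicit members."""
    found = {}
    for line in group_file.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue  # malformed line; a real audit should flag it
        name, _pw, _gid, members = parts
        users = [u for u in members.split(",") if u]
        if name in privileged and users:
            found[name] = users
    return found

def drop_privileges(uid: int, gid: int, groups=()) -> list:
    """Real privilege drop, root only. Supplementary groups first, then gid,
    then uid: once the uid is unprivileged the group list can no longer be
    changed. Returns the effective group list so callers assert on the
    resulting credentials rather than on the call sequence."""
    os.setgroups(list(groups))
    os.setgid(gid)
    os.setuid(uid)
    return sorted(os.getgroups())

# Constructed sample data for the two scenarios on this page.
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice
users:x:100:alice,bob
"""
DAEMON = Cred(uid=0, gid=0, groups=frozenset({0, 999}))  # privileged parent
SECRET = FileMeta(uid=0, gid=999, mode=0o640)            # group-restricted object

def demo() -> dict:
    """Run both scenarios and return the outcomes."""
    good = switch_user(DAEMON, 1000, 1000)
    bad = switch_user(DAEMON, 1000, 1000, clear_supplementary=False)
    return {
        "correct_switch_can_read_secret": can_access(good, SECRET, R),
        "leaky_switch_can_read_secret": can_access(bad, SECRET, R),
        "privileged_group_members": audit_privileged_groups(SAMPLE_GROUP_FILE),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    if os.geteuid() == 0:  # the real drop only works from root
        print("effective groups after drop:", drop_privileges(65534, 65534))
```

Running the block as an ordinary user prints the simulated outcomes only: the correctly switched workload cannot read the group-restricted object, the leaky one can, and the audit reports alice as a member of wheel. Run as root it additionally performs the real drop and prints the post-drop group list, which is the value a hardening test should assert on.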

What is the severity of CWE-286?

CWE-286 is a Class-level weakness (high abstraction), so it carries no fixed severity of its own; the severity of a given instance depends on which user or group was mismanaged and what that grants, as the two real-world CVEs listed on this page show.