Improper Access Control

What it is

Access-control restrictions are missing or wrong, letting actors reach resources or actions they shouldn't.

How to fix it

Upgrade and enforce correct, default-deny access checks.

How to avoid it

Centralize authorization, default-deny, and test every access boundary.

Known Improper Access Control vulnerabilities

• WEB3-KILOEX-2025 — critical · Web3 · Multichain/KiloEx (perpetuals DEX price feed) · exploited
• WEB3-RADIANT-2024 — critical · Web3 · Arbitrum/Radiant Capital · exploited
• WEB3-VOW-2024 — high · Web3 · Ethereum/Vow (Vowcurrency) USD rate setter
• CLOUD-BUCKET-MONOPOLY-2024 — critical · Cloud · AWS/AWS S3 bucket-name takeover
• CVE-2024-6385 — critical · CI/CD · GitLab/GitLab CE/EE
• CONTAINER-EXPOSED-DOCKER-API — critical · Container/Docker Engine remote API / daemon (ports 2375/2376) · exploited
• WEB3-VELOCORE-2024 — critical · Web3 · Linea/Velocore · exploited
• WEB3-GALA-2024 — critical · Web3 · Ethereum/Gala Games
• WEB3-HEDGEY-2024 — critical · Web3 · Ethereum/Hedgey Finance
• WEB3-MUNCHABLES-2024 — critical · Web3 · Blast/Munchables · exploited
• WEB3-FIXEDFLOAT-2024 — critical · Web3/FixedFloat · exploited
• WEB3-PLAYDAPP-2024 — critical · Web3 · Ethereum/PlayDapp · exploited
• WEB3-MIXIN-NETWORK-2023 — critical · Web3 · Ethereum/Mixin Network
• SC-CRED-HYGIENE-CICDSEC6-2023 — high · CI/CD/Insufficient CI credential hygiene
• CLOUD-AZURESCAPE-2021 — critical · Cloud · Azure/Azure Container Instances (ACI)
• CLOUD-CHAOSDB-2021 — critical · Cloud · Azure/Azure Cosmos DB
• WEB3-POLY-NETWORK-2021 — critical · Web3 · Ethereum/Poly Network · exploited
• WEB3-PICKLE-2020 — critical · Web3 · Ethereum/Pickle Finance · exploited

Stateward flags Improper Access Control in your own code and dependencies on every pull request.

Summarize with AI

ChatGPTClaudePerplexity