Weakness reference
CWE-272

Least Privilege Violation

Least privilege violation occurs when software runs with more permissions, access rights, or capabilities than necessary to perform its intended function. This…

01Summary

Least privilege violation occurs when software runs with more permissions, access rights, or capabilities than necessary to perform its intended function. This creates unnecessary risk: if the application is compromised, an attacker gains all those excess permissions automatically. By restricting access to only what is truly needed, you reduce the blast radius of any breach.

02How It Happens

Least privilege violations typically arise from convenience or incomplete threat modeling during development. A developer might run an entire application as root or an administrative user to avoid permission errors, rather than identifying the minimal set of permissions required. Similarly, database accounts may be created with full schema access when only specific tables are needed, or file system permissions may grant read-write access to entire directories when only a subdirectory is relevant. Over time, as features are added, permissions accumulate without being trimmed back. The result is that a single compromised component or account grants far more access than that component actually needs.

03Real-World Impact

When an application running with excessive privileges is exploited—whether through a code injection flaw, authentication bypass, or supply-chain compromise—the attacker inherits all those privileges. A web application running as root can modify system files, install rootkits, or pivot to other services. A database user with admin rights can exfiltrate or destroy data across all tables, not just the ones the application uses. A file-upload handler with write access to the entire web root can overwrite critical application files. Least privilege violations transform isolated bugs into full system compromises.

04Vulnerable & Fixed Patterns

Vulnerable pattern
import sqlite3
import os

# Application runs as root (or with full DB admin rights)
conn = sqlite3.connect('/var/app/data.db')
cursor = conn.cursor()

# This account can read, write, and delete ANY table
cursor.execute("SELECT * FROM users")
cursor.execute("DELETE FROM audit_logs")  # Unintended access
cursor.execute("DROP TABLE sensitive_data")  # Catastrophic if exploited

Why it's vulnerable:
The application uses a single database account with unrestricted permissions. If the application is compromised, the attacker can perform any SQL operation, not just the queries the application legitimately needs.

Fixed pattern
import sqlite3

# Application uses a restricted account with only SELECT on users table
# (In production, this would be enforced at the database level)
conn = sqlite3.connect('/var/app/data.db')
cursor = conn.cursor()

# Restricted to only reading the users table
cursor.execute("SELECT id, name FROM users WHERE id = ?", (user_id,))

# These operations would fail at the database layer (permission denied)
# cursor.execute("DELETE FROM audit_logs")  # Not allowed
# cursor.execute("DROP TABLE sensitive_data")  # Not allowed
Vulnerable pattern
<?php
// Web server runs as root; file upload handler has write access to entire filesystem
$upload_dir = '/';  // Entire filesystem writable

if ($_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $tmp_name = $_FILES['file']['tmp_name'];
    $name = $_FILES['file']['name'];
    move_uploaded_file($tmp_name, $upload_dir . $name);
}

// Database user has all privileges
$db = new mysqli('localhost', 'app_user', 'password', 'database');
$db->query("GRANT ALL PRIVILEGES ON *.* TO 'app_user'@'localhost'");
?>

Why it's vulnerable:
The upload handler can write anywhere on the filesystem, and the database user has unrestricted access to all databases. A file-upload vulnerability becomes a full system compromise.

Fixed pattern
<?php
// Web server runs as unprivileged 'www-data' user
// File uploads restricted to a specific, non-executable directory
$upload_dir = '/var/app/uploads/';

if ($_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $tmp_name = $_FILES['file']['tmp_name'];
    $name = basename($_FILES['file']['name']);  // Prevent directory traversal
    $safe_path = $upload_dir . $name;
    move_uploaded_file($tmp_name, $safe_path);
}

// Database user has only SELECT, INSERT, UPDATE on specific tables
$db = new mysqli('localhost', 'app_user', 'password', 'database');
// Permissions enforced at DB level:
// GRANT SELECT, INSERT, UPDATE ON database.users TO 'app_user'@'localhost';
// GRANT SELECT ON database.products TO 'app_user'@'localhost';
?>

05Prevention Checklist

Run services as unprivileged users.
Web servers, application servers, and background workers should run under dedicated, non-root accounts with minimal system permissions.
Restrict database accounts by operation and table.
Create separate database users for read-only, read-write, and administrative tasks; grant each only the tables and columns it needs.
Limit file system access.
Application processes should have write access only to directories they genuinely need (e.g., upload directories, temp folders), never to system directories or the entire web root.
Use role-based access control (RBAC) within the application.
Even if the process runs as one OS user, implement application-level roles so that different features operate with different permission sets.
Audit and remove unused permissions regularly.
Review what each service account actually uses; remove grants that were added "just in case" or are no longer needed.
Apply the principle at every layer.
Check OS-level permissions, database permissions, file permissions, API scopes, and application roles—don't assume one layer is enough.

06Signs You May Already Be Affected

Review your deployment configuration: if your application runs as root, or if your database user has admin or "all privileges" grants, you are violating least privilege. Check your file system permissions—if your web server process can write to system directories or outside its designated upload folder, that is a sign of excessive access. Look for overly broad role assignments in your application code, where a single user account or service principal has access to features or data it should not need.

07Related Recent Vulnerabilities