CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key

VariantIncomplete

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

View on MITRE
Back to CWE Lookup

Extended Description

When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. Database access control errors occur when: Data enters a program from an untrusted source. The data is used to specify the value of a primary key in a SQL query. The untrusted source does not have the permissions to be able to access all rows in the associated table.

Technical Details

Structure
Simple

Applicable To

Languages
SQL
Platforms

Frequently Asked Questions

What is CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key?+

CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. Database access control errors occur when: Data enters a program from an untrusted source. The data is used to specify the value of a primary key in a SQL query. The untrusted source does not have the permissions to be able to access all rows in the associated table.

What are the security consequences of Authorization Bypass Through User-Controlled SQL Primary Key?+

If exploited, CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) it can compromise Confidentiality, Integrity and Access Control, leading to outcomes such as Read Application Data, Modify Application Data and Bypass Protection Mechanism.

How do you prevent or mitigate Authorization Bypass Through User-Controlled SQL Primary Key?+

Recommended mitigations for CWE-566 include: Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy. Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.

Which programming languages are affected by Authorization Bypass Through User-Controlled SQL Primary Key?+

CWE-566 commonly affects SQL. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-566 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More