Improper Privilege Management
Code runs with more privilege than it needs, or fails to drop privileges before processing untrusted input.
GateTest coverage
Caught by: dockerfile, kubernetes
Example
USER root in a Dockerfile that runs a public-facing web server — any code execution becomes root code execution.
How to fix it
Apply the principle of least privilege: run the process as a non-root user, and in Kubernetes set runAsNonRoot in the securityContext and drop capabilities the container does not need. The dockerfile and kubernetes modules catch the common over-privilege patterns.
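As an added illustration (not GateTest's own code), the checks below apply the two rules above to constructed inputs: a Dockerfile whose final stage still runs as root, and a Pod spec whose securityContext leaves a container privileged, root-capable, or with its full capability set. The Pod is given as an already-parsed dict so no YAML library is needed.

```python
"""Least-privilege checks for a Dockerfile and a Pod spec (added illustration, not GateTest's own code)."""
from typing import List

ROOT_NAMES = {"root", "0"}  # 'root', UID 0, and 'root:root' / '0:0' all mean root

def dockerfile_runs_as_root(dockerfile: str) -> bool:
    """True if the final build stage leaves the container running as root.
    Each FROM starts a new stage whose user is assumed root until a USER
    instruction appears; the last USER in the final stage wins."""
    user = None
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        if keyword.upper() == "FROM":
            user = None  # new stage: back to the base image default (assume root)
        elif keyword.upper() == "USER":
            user = arg.strip()
    return user is None or user.split(":")[0] in ROOT_NAMES

def pod_privilege_findings(pod: dict) -> List[str]:
    """Findings for a parsed Pod manifest; container securityContext overrides pod-level."""
    spec = pod.get("spec", {})
    findings = []
    for c in spec.get("containers", []):
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        name = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
    return findings

# Constructed samples: the page's anti-pattern beside a hardened equivalent.
WEAK_DOCKERFILE = "FROM nginx:1.27\nUSER root\nCMD [\"nginx\", \"-g\", \"daemon off;\"]\n"
HARDENED_DOCKERFILE = (
    "FROM golang:1.22 AS build\nUSER root\nRUN go build -o /out/app ./cmd/app\n"
    "FROM gcr.io/distroless/static\nCOPY --from=build /out/app /app\nUSER 65532:65532\nENTRYPOINT [\"/app\"]\n"
)
WEAK_POD = {"spec": {"containers": [{"name": "web", "image": "web:1", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
                         "containers": [{"name": "web", "image": "web:1", "securityContext": {
                             "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
```

A root user in an earlier build stage is fine; only the user left in place when the final stage ends matters at runtime.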
Scan your repo for CWE-269
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-269 (Improper Privilege Management)?
Code runs with more privilege than it needs, or fails to drop privileges before processing untrusted input.
How do I fix improper privilege management?
Apply the principle of least privilege: run the process as a non-root user, and in Kubernetes set runAsNonRoot in the securityContext and drop capabilities the container does not need. The dockerfile and kubernetes modules catch the common over-privilege patterns.
Does GateTest detect improper privilege management?
Yes — GateTest's dockerfile and kubernetes modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Improper Privilege Management in the CWE Top 25?
Improper Privilege Management is ranked #22 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).