Incorrect Default Permissions
Files, directories, S3 buckets, or database tables are created with overly permissive default access, such as world-readable file modes, public bucket policies, or grants to every principal.
GateTest coverage
Caught by: terraform, kubernetes, dockerfile
Example
An S3 bucket policy that allows s3:GetObject for Principal: '*' (every AWS identity and anonymous callers) on a bucket used to host private user uploads. Unless S3 Block Public Access rejects the policy, every object in the bucket is readable by anyone who can guess or enumerate its key.
How to fix it
Audit IaC for permissive defaults before they reach an account or cluster. The terraform module flags public S3 bucket policies, IAM policies containing wildcards, and security-group rules open to 0.0.0.0/0. The kubernetes module flags hostNetwork, privileged containers, and allowPrivilegeEscalation. The dockerfile module flags chmod 777. The fix is the same in each case: start from deny and grant only the principal, action, CIDR or capability the workload actually needs (for the bucket above, a named role instead of '*').
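To make the checks above concrete, here is an added example (written for this page, not GateTest's own scanner code) that applies three of them to IaC-shaped inputs: the public-read bucket policy from the example above beside a hardened version, a security-group rule open to 0.0.0.0/0, and a pod spec with hostNetwork, privileged and allowPrivilegeEscalation. The policy, rules, pod and the account ID 123456789012 are constructed sample data, and the function names are this example's own.

```python
"""Permissive-default checks over constructed IaC inputs (example code)."""
import json


def _as_list(v):
    # AWS policy fields accept either a scalar or a list; normalise to a list.
    return v if isinstance(v, list) else [v]


def _principal_is_anyone(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean every AWS
    # identity plus anonymous callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _action_covers(actions, wanted):
    # "*", "s3:*" and "s3:Get*" all cover s3:GetObject.
    for a in _as_list(actions):
        if a == "*" or a == wanted:
            return True
        if a.endswith("*") and wanted.startswith(a[:-1]):
            return True
    return False


def check_bucket_policy(policy):
    """Return (statement index, kind) for statements that let anyone read objects.
    A statement with a Condition is reported separately: the condition may
    narrow the caller (aws:SourceVpce, aws:SourceArn) or may not."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(st.get("Principal")):
            continue
        if not _action_covers(st.get("Action", []), "s3:GetObject"):
            continue
        kind = "conditional-public-read" if st.get("Condition") else "public-read"
        findings.append((i, kind))
    return findings


def check_bucket_policy_json(text):
    """Same check for the JSON string a Terraform aws_s3_bucket_policy carries."""
    return check_bucket_policy(json.loads(text))


def check_security_group_rules(rules):
    """Flag ingress rules whose source CIDR is the whole internet (v4 or v6)."""
    open_cidrs = {"0.0.0.0/0", "::/0"}
    return [r["description"] for r in rules
            if r["type"] == "ingress" and open_cidrs & set(r.get("cidr_blocks", []))]


def check_pod_spec(pod):
    """Flag hostNetwork, privileged containers and allowPrivilegeEscalation."""
    findings = []
    spec = pod["spec"]
    if spec.get("hostNetwork"):
        findings.append("hostNetwork")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged")
        # If the key is absent the kubelet does not set no_new_privs, so an
        # unset value is treated here as permissive, the same as an explicit true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{c['name']}: allowPrivilegeEscalation")
    return findings


# Constructed sample inputs (not real infrastructure).
PUBLIC_UPLOADS_POLICY = {  # the vulnerable policy from the example above
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-user-uploads/*"}],
}
RESTRICTED_UPLOADS_POLICY = {  # hardened: only the application's role may read
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploads-api"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-user-uploads/*"}],
}
SG_RULES = [
    {"type": "ingress", "description": "ssh from anywhere", "cidr_blocks": ["0.0.0.0/0"]},
    {"type": "ingress", "description": "ssh from bastion", "cidr_blocks": ["10.0.1.0/24"]},
    {"type": "egress", "description": "all egress", "cidr_blocks": ["0.0.0.0/0"]},
]
POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"hostNetwork": True, "containers": [
        {"name": "shell", "image": "busybox", "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "busybox",
         "securityContext": {"allowPrivilegeEscalation": False}},
    ]},
}

if __name__ == "__main__":
    print(check_bucket_policy(PUBLIC_UPLOADS_POLICY))      # [(0, 'public-read')]
    print(check_bucket_policy(RESTRICTED_UPLOADS_POLICY))  # []
    print(check_security_group_rules(SG_RULES))            # ['ssh from anywhere']
    print(check_pod_spec(POD))  # ['hostNetwork', 'shell: privileged', 'shell: allowPrivilegeEscalation']
```

Two design choices are deliberately stricter than a literal reading of the rule list: a public statement that carries a Condition is still reported, only under a different label, because a condition such as aws:SourceVpce is the one thing standing between the bucket and the internet and deserves a human look; and a container that omits allowPrivilegeEscalation is reported, since the permissive value is the default, which is exactly the shape of CWE-276.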
Scan your repo for CWE-276
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-276 (Incorrect Default Permissions)?
Files, directories, S3 buckets, or database tables are created with overly permissive default access, such as world-readable file modes, public bucket policies, or grants to every principal.
How do I fix incorrect default permissions?
Audit IaC for permissive defaults before they reach an account or cluster. The terraform module flags public S3 bucket policies, IAM policies containing wildcards, and security-group rules open to 0.0.0.0/0. The kubernetes module flags hostNetwork, privileged containers, and allowPrivilegeEscalation. The dockerfile module flags chmod 777. The fix is the same in each case: start from deny and grant only the principal, action, CIDR or capability the workload actually needs.
Does GateTest detect incorrect default permissions?
Yes — GateTest's terraform, kubernetes, dockerfile modules catch this class. Findings appear in the standard scan output with file and line numbers. On Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Incorrect Default Permissions in the CWE Top 25?
Incorrect Default Permissions is ranked #25 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).