CVE-2026-49170
Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally.
CVSS
7.8
High
EPSS
2.5%
p83
KEV
—
Exploit Today
25
0-100
Published: Jul 14, 2026 · Last modified: Jul 16, 2026 · CWE-285 · CWE-1220
2.5%EPSS · 30 days2.5%
2026-07-152026-07-16
Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-561557.8 HIG30.2%
KEV—59Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability 1dCVE-2026-393637.5 HIG85.4%
——26Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.2dCVE-2025-44049.1 CRI76.4%
——23A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.16dCVE-2026-331869.1 CRI72.4%
——22gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.11hCVE-2026-541218.8 HIG52.5%
——16Improper authorization in Active Directory Certificate Services (AD CS) allows an authorized attacker to elevate privileges over a network.2dCVE-2026-582778.8 HIG50.5%
——15Improper authorization in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network.1d