
Privilege Escalation

Security · CWE-269 · OWASP A1:2021 · CVSS 8.8 · PHP 5.0+ · Intermediate
debt(d8/e6/b7/t7)
d8 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production' (d8) — Semgrep can catch obvious patterns like role from $_GET, but most privilege escalation flaws (missing ownership checks, mass assignment, trusting session role) are silent until exploited. Slightly better than d9 because some patterns are linter-catchable.

e6 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor' (e6) — quick_fix says verify role/permission on every sensitive action server-side, which means auditing and patching every controller/handler that performs sensitive actions. Between multi-file refactor (e5) and codebase-wide (e7).

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7) — authorisation applies across web/api/cli contexts and every sensitive action must respect it; consistent access-control shapes how new features are added throughout the codebase.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7) — misconception states devs assume privesc requires a separate exploit, but mass assignment, JWT claim trust, and session-stored roles allow direct escalation. The 'obvious' check-once-at-login pattern contradicts the need for per-action server-side verification.


Also Known As

privesc, privilege elevation, vertical privilege escalation

TL;DR

A flaw that lets a lower-privileged user gain higher access — e.g. reading an admin role from a URL parameter.

Explanation

Privilege escalation occurs when authorisation decisions are based on attacker-controllable data — a URL parameter, POST field, or cookie value — rather than server-side session state. Example: checking $_GET['admin'] === 'true' instead of $_SESSION['role'] === 'admin'. The fix is always to derive permissions exclusively from server-side state that the user cannot tamper with.

How It's Exploited

# Decode JWT, change role to admin, re-encode with alg:none
# If server accepts alg:none, attacker is now admin

Common Misconception

Misconception: privilege escalation requires a separate exploit after initial access. In reality, misconfigured role checks, JWT claim manipulation, and mass assignment vulnerabilities allow direct escalation from a regular user to admin in a single request.

Why It Matters

An attacker who gains any foothold in the system can use privilege escalation to become admin — horizontal escalation accesses peer accounts, vertical escalation gains higher permissions.

Common Mistakes

  • Trusting user role or is_admin flags from client-supplied data (cookies, JWT payloads, form fields) without server-side verification against authoritative state.
  • Not checking ownership when performing actions on resources — user A can modify user B's data by changing the resource ID.
  • Mass assignment vulnerabilities that allow setting role or is_admin through form fields.
  • Admin functionality that validates the role only in the UI, not in the server-side handler.

Code Examples

✗ Vulnerable
// Role stored in JWT payload — user can edit it client-side
$role = $jwtPayload['role']; // never trust client-supplied roles
if ($role === 'admin') { grantAdminAccess(); }

✓ Fixed
// Always fetch authoritative role from the database
$user = User::findOrFail($jwtPayload['sub']); // look up by ID only
if ($user->role === 'admin') { grantAdminAccess(); }

// Or use signed, server-verified JWT with short expiry
// Never embed mutable authorisation claims in long-lived tokens
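As an added example (not code from the original entry), the following PHP sketch puts the rule from the Explanation and the Common Mistakes list into one helper that every sensitive handler would call: the role is re-read from the user table by the session's user id, ownership is checked against the stored record, and a field whitelist blocks mass assignment. The table layouts and the names requireCan / sanitiseUpdate are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not from the original entry. One helper that every sensitive
// handler calls: the session carries only the user id, the role is re-read from
// the user table on each request, and ownership comes from the stored record,
// never from $_GET/$_POST or a token payload. All names below are illustrative.
final class AccessDenied extends RuntimeException {}

// Constructed stand-ins for the database tables (id => row).
$users = [10 => ['role' => 'user'], 11 => ['role' => 'user'], 1 => ['role' => 'admin']];
$documents = [
    1 => ['owner_id' => 10, 'title' => 'Alice report'],
    2 => ['owner_id' => 11, 'title' => 'Bob notes'],
];

/** Authoritative check; $resource is the record already loaded by id (null if absent). */
function requireCan(array $session, array $users, string $action, ?array $resource): void
{
    $userId = $session['user_id'] ?? null;
    if ($userId === null || !isset($users[$userId])) {
        throw new AccessDenied('not authenticated');
    }
    if ($resource === null) {
        throw new AccessDenied('no such resource');   // same answer as "not yours"
    }
    if ($users[$userId]['role'] === 'admin') {
        return;                                        // admin may act on any record
    }
    if ($action === 'edit' && $resource['owner_id'] === $userId) {
        return;                                        // owner may edit own record
    }
    throw new AccessDenied("user $userId may not $action this resource");
}

/** Mass-assignment guard: keep only the whitelisted, user-editable fields. */
function sanitiseUpdate(array $input): array
{
    return array_intersect_key($input, array_flip(['title']));
}

// Demo: user 10 may edit document 1 but not 2; smuggled role fields are dropped.
$session = ['user_id' => 10];
requireCan($session, $users, 'edit', $documents[1]);
$clean = sanitiseUpdate(['title' => 'Q3', 'role' => 'admin', 'is_admin' => 1]);
assert($clean === ['title' => 'Q3']);
try {
    requireCan($session, $users, 'edit', $documents[2]);
} catch (AccessDenied $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same helper belongs in web, API and CLI entry points alike, which is the cross-cutting cost the b7 Burden score describes.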

Added 15 Mar 2026
Edited 12 Jun 2026
AI edit PF Media Bot Claude Opus 4.5 on common_mistakes · 19 May 2026
DEV INTEL Tools & Severity
🔴 Critical · ⚙ Fix effort: Medium
⚡ Quick Fix: Verify the authenticated user's role/permission on every sensitive action server-side — never trust client-supplied role claims.
📦 Applies To: PHP 5.0+ (web, api, cli)
🔍 Detection Hints: Role or permission check based on $_GET/$_POST['role'], or missing middleware on admin routes.
Auto-detectable: ✗ No semgrep
🤖 AI Agent: Confidence: Medium · False Positives: High · ✗ Manual fix · Fix: High · Context: File · Tests: Update
CWE-269 · CWE-732