CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Privilege Escalation

security CWE-269 OWASP A1:2021 CVSS 8.8 PHP 5.0+ Intermediate

Also Known As

privesc privilege elevation vertical privilege escalation

TL;DR

A flaw that lets a lower-privileged user gain higher access — e.g. reading an admin role from a URL parameter.

Explanation

Privilege escalation occurs when authorisation decisions are based on attacker-controllable data — a URL parameter, POST field, or cookie value — rather than server-side session state. Example: checking $_GET['admin'] === 'true' instead of $_SESSION['role'] === 'admin'. The fix is always to derive permissions exclusively from server-side state that the user cannot tamper with.

How It's Exploited

# Decode JWT, change role to admin, re-encode with alg:none
# If server accepts alg:none, attacker is now admin

Common Misconception

Privilege escalation requires a separate exploit after initial access. Misconfigured role checks, JWT claim manipulation, and mass assignment vulnerabilities allow direct escalation from a regular user to admin in a single request.

Why It Matters

An attacker who gains any foothold in the system can use privilege escalation to become admin — horizontal escalation accesses peer accounts, vertical escalation gains higher permissions.

Common Mistakes

  • Storing the user role or is_admin flag in the session without re-verifying against the database on sensitive actions.
  • Not checking ownership when performing actions on resources — user A can modify user B's data by changing the resource ID.
  • Mass assignment vulnerabilities that allow setting role or is_admin through form fields.
  • Admin functionality that validates the role only in the UI, not in the server-side handler.

Code Examples

✗ Vulnerable 
// Role stored in JWT payload — user can edit it client-side
\$role = \$jwtPayload['role']; // never trust client-supplied roles
if (\$role === 'admin') { grantAdminAccess(); }
✓ Fixed 
// Always fetch authoritative role from the database
\$user = User::findOrFail(\$jwtPayload['sub']); // look up by ID only
if (\$user->role === 'admin') { grantAdminAccess(); }

// Or use signed, server-verified JWT with short expiry
// Never embed mutable authorisation claims in long-lived tokens
Added 15 Mar 2026
Edited 22 Mar 2026
Views 37

Curated in Warsaw under one editorial standard. 1,444 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 2 pings F 0 pings S 2 pings S 0 pings M 0 pings T 1 ping W 0 pings T 2 pings F 1 ping S 1 ping S 0 pings M 0 pings T 0 pings W 0 pings T 2 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 0 pings T
Agents 0
No pings yet today
No pings yesterday
Perplexity 9 Amazonbot 8 Google 7 ChatGPT 4 Unknown AI 3 SEMrush 2 Ahrefs 1
Also referenced
Cross-Site Request Forgery (CSRF) 28 PHP Session 20
How they use it
crawler 30 crawler_json 3 pre-tracking 1
Related categories
php 6.3k security 4k
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
Verify the authenticated user's role/permission on every sensitive action server-side — never trust client-supplied role claims
📦 Applies To
PHP 5.0+ web api cli
🔗 Prerequisites
🔍 Detection Hints
Role or permission check based on $_GET/$_POST['role'] or missing middleware on admin routes
Auto-detectable: ✗ No semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: High ✗ Manual fix Fix: High Context: File Tests: Update
CWE-269 CWE-732
✓ schema.org compliant