CVE-2026-33430 (GCVE-0-2026-33430)
Vulnerability from cvelistv5
Published
2026-03-26 16:54
Modified
2026-04-01 03:55
Severity ?
7.3 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Summary
Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
References
Impacted products
Vendor Product Version
beeware briefcase Version: >= 0.3.0, < 0.3.26
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33430",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T03:55:18.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "briefcase",
          "vendor": "beeware",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.3.0, \u003c 0.3.26"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T16:54:42.992Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/beeware/briefcase/security/advisories/GHSA-r3r2-35v9-v238",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/beeware/briefcase/security/advisories/GHSA-r3r2-35v9-v238"
        },
        {
          "name": "https://github.com/beeware/briefcase/issues/2759",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/beeware/briefcase/issues/2759"
        },
        {
          "name": "https://github.com/beeware/briefcase-windows-VisualStudio-template/pull/85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/beeware/briefcase-windows-VisualStudio-template/pull/85"
        },
        {
          "name": "https://github.com/beeware/briefcase-windows-app-template/pull/86",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/beeware/briefcase-windows-app-template/pull/86"
        }
      ],
      "source": {
        "advisory": "GHSA-r3r2-35v9-v238",
        "discovery": "UNKNOWN"
      },
      "title": "Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33430",
    "datePublished": "2026-03-26T16:54:42.992Z",
    "dateReserved": "2026-03-19T18:45:22.435Z",
    "dateUpdated": "2026-04-01T03:55:18.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33430\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T17:47:32.562930Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T17:47:36.704Z\"}}], \"cna\": {\"title\": \"Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions\", \"source\": {\"advisory\": \"GHSA-r3r2-35v9-v238\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"beeware\", \"product\": \"briefcase\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.3.0, \u003c 0.3.26\"}]}], \"references\": [{\"url\": \"https://github.com/beeware/briefcase/security/advisories/GHSA-r3r2-35v9-v238\", \"name\": \"https://github.com/beeware/briefcase/security/advisories/GHSA-r3r2-35v9-v238\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/beeware/briefcase/issues/2759\", \"name\": \"https://github.com/beeware/briefcase/issues/2759\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/beeware/briefcase-windows-VisualStudio-template/pull/85\", \"name\": \"https://github.com/beeware/briefcase-windows-VisualStudio-template/pull/85\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/beeware/briefcase-windows-app-template/pull/86\", \"name\": \"https://github.com/beeware/briefcase-windows-app-template/pull/86\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732: Incorrect Permission Assignment for Critical Resource\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T16:54:42.992Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33430\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T03:55:18.727Z\", \"dateReserved\": \"2026-03-19T18:45:22.435Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T16:54:42.992Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.