DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-33430

High

Low Medium High Critical

7.3

CVSS Score

Published: Mar 26, 2026

Last Modified: Mar 30, 2026

CWE: CWE-732

Vulnerability Description

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

7.3

out of 10.0

High

Weakness Type (CWE)

CWE-732

Incorrect Permission Assignment for Critical Resource

Description: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Class