Microsoft
CVE-2026-33430
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
If a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges.
Patches
The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed with the following PRs:
- beeware/briefcase-windows-app-template#86
- beeware/briefcase-windows-VisualStudio-template#85
These patches have been backported to the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running briefcase create on your Briefcase project will result in the updated templates being used.
Workarounds
The change from beeware/briefcase-windows-app-template#86 can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
Resources
beeware/briefcase#2759 is a formal bug report of the problem.
AnalysisAI
BeeWare Briefcase Windows MSI installer templates (versions <0.3.26, <0.4.0, <0.4.1) create installation directories with insecure inherited permissions when installed per-machine. Low-privilege authenticated local users can replace application binaries, achieving privilege escalation when an administrator later executes the modified binary. Vendor-released patches available for 0.3.26, 0.4.0, and 0.4.1. EPSS score of 0.01% indicates minimal observed exploitation attempts; no KEV listing or public POC identified.
Technical ContextAI
Briefcase is a Python packaging tool that generates native installers for desktop applications. This vulnerability affects the Windows Installer XML (WiX) templates used to generate MSI packages. The flaw stems from CWE-732 (Incorrect Permission Assignment for Critical Resource): the generated WXS template files lack explicit permission directives, causing installed directories to inherit ACLs from their parent folder. On Windows systems, this means a per-machine installation to a location like Program Files will create application directories that inherit permissions rather than explicitly restricting write access to administrators. The affected component is specifically pkg:pip/briefcase prior to the template updates incorporated in versions 0.3.26, 0.4.0, and 0.4.1. The vulnerability exists in the WiX template generation logic, not the Briefcase runtime itself.
RemediationAI
Developers using Briefcase 0.3.26, 0.4.0, or 0.4.1 should run 'briefcase create' command on their projects to regenerate installer templates with patched WXS files incorporating fixes from beeware/briefcase-windows-app-template#86 and beeware/briefcase-windows-VisualStudio-template#85. For developers on Briefcase 0.3.24 or 0.3.25, upgrade to 0.3.26 or later before regenerating. Manual workaround: apply the permission-hardening changes from PR#86 directly to existing .wxs files in your project's Windows build artifacts. After applying fixes, rebuild and redistribute MSI installers to end users. End users who installed affected per-machine MSI packages should uninstall and reinstall with patched versions; the vulnerability resides in directory ACLs set at install time, which persist until reinstallation. No compensating controls fully mitigate this issue without reinstallation, though restricting local user access and monitoring application directories for unauthorized modifications provide defense-in-depth. Patch references: https://github.com/beeware/briefcase-windows-app-template/pull/86 and https://github.com/beeware/briefcase-windows-VisualStudio-template/pull/85.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r3r2-35v9-v238