Skip to main content

Microsoft CVE-2026-33430

HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-03-23 https://github.com/beeware/briefcase GHSA-r3r2-35v9-v238
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 20, 2026 - 14:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 14:07 vuln.today
cvss_changed
Analysis Generated
Mar 23, 2026 - 21:45 vuln.today
Patch released
Mar 23, 2026 - 21:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:40 nvd
HIGH 7.3

DescriptionGitHub Advisory

Impact

If a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges.

Patches

The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed with the following PRs:

  • beeware/briefcase-windows-app-template#86
  • beeware/briefcase-windows-VisualStudio-template#85

These patches have been backported to the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running briefcase create on your Briefcase project will result in the updated templates being used.

Workarounds

The change from beeware/briefcase-windows-app-template#86 can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.

Resources

beeware/briefcase#2759 is a formal bug report of the problem.

AnalysisAI

BeeWare Briefcase Windows MSI installer templates (versions <0.3.26, <0.4.0, <0.4.1) create installation directories with insecure inherited permissions when installed per-machine. Low-privilege authenticated local users can replace application binaries, achieving privilege escalation when an administrator later executes the modified binary. Vendor-released patches available for 0.3.26, 0.4.0, and 0.4.1. EPSS score of 0.01% indicates minimal observed exploitation attempts; no KEV listing or public POC identified.

Technical ContextAI

Briefcase is a Python packaging tool that generates native installers for desktop applications. This vulnerability affects the Windows Installer XML (WiX) templates used to generate MSI packages. The flaw stems from CWE-732 (Incorrect Permission Assignment for Critical Resource): the generated WXS template files lack explicit permission directives, causing installed directories to inherit ACLs from their parent folder. On Windows systems, this means a per-machine installation to a location like Program Files will create application directories that inherit permissions rather than explicitly restricting write access to administrators. The affected component is specifically pkg:pip/briefcase prior to the template updates incorporated in versions 0.3.26, 0.4.0, and 0.4.1. The vulnerability exists in the WiX template generation logic, not the Briefcase runtime itself.

RemediationAI

Developers using Briefcase 0.3.26, 0.4.0, or 0.4.1 should run 'briefcase create' command on their projects to regenerate installer templates with patched WXS files incorporating fixes from beeware/briefcase-windows-app-template#86 and beeware/briefcase-windows-VisualStudio-template#85. For developers on Briefcase 0.3.24 or 0.3.25, upgrade to 0.3.26 or later before regenerating. Manual workaround: apply the permission-hardening changes from PR#86 directly to existing .wxs files in your project's Windows build artifacts. After applying fixes, rebuild and redistribute MSI installers to end users. End users who installed affected per-machine MSI packages should uninstall and reinstall with patched versions; the vulnerability resides in directory ACLs set at install time, which persist until reinstallation. No compensating controls fully mitigate this issue without reinstallation, though restricting local user access and monitoring application directories for unauthorized modifications provide defense-in-depth. Patch references: https://github.com/beeware/briefcase-windows-app-template/pull/86 and https://github.com/beeware/briefcase-windows-VisualStudio-template/pull/85.

Share

CVE-2026-33430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy