CVE-2026-33430

HIGH
2026-03-23 https://github.com/beeware/briefcase
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:45 vuln.today
Patch Released
Mar 23, 2026 - 21:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 21:40 nvd
HIGH 7.3

Tags

Information Disclosure Microsoft

Description

### Impact If a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. ### Patches The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed with the following PRs: * beeware/briefcase-windows-app-template#86 * beeware/briefcase-windows-VisualStudio-template#85 These patches have been backported to the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. ### Workarounds The change from beeware/briefcase-windows-app-template#86 can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later. ### Resources beeware/briefcase#2759 is a formal bug report of the problem.

Analysis

Microsoft Briefcase Windows MSI installers with per-machine scope create directories that inherit parent permissions insecurely, allowing authenticated local users to modify or replace application binaries. An attacker with low privileges can exploit this misconfiguration to inject malicious code that executes with administrator rights when launched. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all applications built with vulnerable BeeWare Briefcase versions (prior to 0.3.26, 0.4.0, and 0.4.1) and identify systems where these are installed with per-machine scope. Within 7 days: Prioritize patching or rebuilding affected applications using patched Briefcase versions, starting with business-critical systems and those with the highest user privilege levels. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

CVE-2026-33430 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy