Incorrect Authorization
Authorisation is implemented but wrong — checking the wrong field, comparing secrets with a non-constant-time string comparison, or allowing the user to set their own role.
GateTest coverage
Caught by: authFlaws
Example
if (req.body.role === 'admin') grantAdmin() — trusting a client-provided role field.
How to fix it
Authorisation belongs server-side, against persisted state. Never accept role / permission claims from the client. Use a vetted policy library (Casbin, OPA). authFlaws catches the common pattern errors.
Scan your repo for CWE-863
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-863 (Incorrect Authorization)?
Authorisation is implemented but wrong — checking the wrong field, comparing secrets with a non-constant-time string comparison, or allowing the user to set their own role.
How do I fix incorrect authorization?
Authorisation belongs server-side, against persisted state. Never accept role / permission claims from the client. Use a vetted policy library (Casbin, OPA). authFlaws catches the common pattern errors.
Does GateTest detect incorrect authorization?
Yes — GateTest's authFlaws module catches this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Incorrect Authorization in the CWE Top 25?
Incorrect Authorization is ranked #24 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).