The vulnerability CVE-2026-33430 affects the BeeWare Briefcase tool, which is used to convert Python projects into standalone native applications. Versions from 0.3.0 up to but not including 0.3.26 contain a critical flaw in the Windows MSI installer generation process. When a developer uses Briefcase to create an MSI installer for a project installed for all users (per-machine scope), the installation directory inherits permissions from its parent directory. This inheritance can result in overly permissive access rights, allowing low-privileged but authenticated users on the system to replace or modify the installed application binaries. Since the binaries run with elevated privileges when executed by an administrator, this modification can lead to privilege escalation. The root cause is traced to the WXS template used by Briefcase to generate the Windows installer, which did not explicitly set secure permissions on the installation directory. The vulnerability is classified under CWE-732, indicating incorrect permission assignment for a critical resource. The issue was addressed in Briefcase version 0.3.26 and later by updating the installer templates to enforce stricter permissions. Users can remediate by upgrading Briefcase or by manually applying the patch to existing WXS files generated by versions 0.3.24 and later. Although no known exploits are reported in the wild, the vulnerability poses a significant risk due to the potential for privilege escalation via binary replacement. The CVSS v3.1 base score is 7.3 (high), reflecting the local attack vector, low complexity, required privileges, user interaction, and high impact on confidentiality, integrity, and availability.

This vulnerability allows low-privileged authenticated users to modify or replace application binaries installed by Briefcase-generated MSI installers in per-machine installations. The primary impact is privilege escalation, where an attacker can execute arbitrary code with elevated privileges when an administrator runs the compromised binary. This can lead to full system compromise, unauthorized access to sensitive data, and disruption of system availability. Organizations deploying applications using affected Briefcase versions on Windows systems are at risk, especially in environments where multiple users share the same machine or where strict privilege separation is enforced. The vulnerability undermines the integrity and trustworthiness of installed applications and can be exploited to bypass security controls. Although exploitation requires local access and some user interaction, the high impact on confidentiality, integrity, and availability makes this a critical concern for enterprise environments, development teams, and software distributors using Briefcase for Windows MSI packaging.

1. Upgrade Briefcase to version 0.3.26 or later, which includes the fixed WXS templates enforcing correct permissions on installation directories. 2. For existing MSI installers generated with affected versions, manually patch the WXS files to apply the corrected permission settings before rebuilding the installer. 3. Avoid installing Briefcase-generated MSI installers in locations inheriting overly permissive permissions; choose secure installation paths with restricted access. 4. Implement strict access controls on development and build environments to prevent unauthorized modification of installer templates or binaries. 5. Monitor installed applications for unexpected changes to binaries and use file integrity monitoring tools to detect unauthorized modifications. 6. Educate administrators and users to avoid running untrusted binaries with elevated privileges and to verify the integrity of installed applications. 7. Consider deploying application whitelisting and privilege management solutions to limit the impact of potential binary replacement attacks. 8. Regularly audit permissions on installed application directories to ensure they conform to least privilege principles.