CVE-2026-33430: CWE-732: Incorrect Permission Assignment for Critical Resource in beeware briefcase
Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
AI Analysis
Technical Summary
Briefcase versions from 0.3.0 to before 0.3.26 have a vulnerability (CWE-732) related to incorrect permission assignment for critical resources during MSI installer creation for Windows projects installed per-machine. The installer creates a directory inheriting parent directory permissions, which may allow low-privileged authenticated users to replace or modify application binaries. This can lead to privilege escalation if an administrator executes the tampered binary. The root cause is the template used to generate the WXS file. The vulnerability was fixed in briefcase 0.3.26 and later by updating the WXS templates. Remediation involves regenerating the WXS file with updated templates or applying the patch manually to existing WXS files.
Potential Impact
An attacker with low privilege but authenticated access on a Windows system where an affected briefcase-generated MSI installer is used can modify installed application binaries due to improper directory permissions. This modification can lead to privilege escalation if an administrator runs the altered binary, resulting in full system compromise. The vulnerability affects installations scoped to all users (per-machine).
Mitigation Recommendations
A fix is available in beeware briefcase versions 0.3.26, 0.4.0, and 0.4.1, which include updated WXS templates correcting the permission assignment issue. Users should upgrade to one of these versions and re-run `briefcase create` to regenerate the installer templates. For existing WXS files generated by briefcase 0.3.24 or later, the patch can be manually applied to correct the permissions. No vendor advisory was provided, so check the official beeware documentation or repository for the patch details and instructions.
CVE-2026-33430: CWE-732: Incorrect Permission Assignment for Critical Resource in beeware briefcase
Description
Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an administrator then runs the altered binary, the binary will run with elevated privileges. The problem is caused by the template used to generate the WXS file for Windows projects. It was fixed in the templates used in Briefcase 0.3.26, 0.4.0, and 0.4.1. Re-running `briefcase create` on your Briefcase project will result in the updated templates being used. As a workaround, the patch can be added to any existing Briefcase .wxs file generated by Briefcase 0.3.24 or later.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Briefcase versions from 0.3.0 to before 0.3.26 have a vulnerability (CWE-732) related to incorrect permission assignment for critical resources during MSI installer creation for Windows projects installed per-machine. The installer creates a directory inheriting parent directory permissions, which may allow low-privileged authenticated users to replace or modify application binaries. This can lead to privilege escalation if an administrator executes the tampered binary. The root cause is the template used to generate the WXS file. The vulnerability was fixed in briefcase 0.3.26 and later by updating the WXS templates. Remediation involves regenerating the WXS file with updated templates or applying the patch manually to existing WXS files.
Potential Impact
An attacker with low privilege but authenticated access on a Windows system where an affected briefcase-generated MSI installer is used can modify installed application binaries due to improper directory permissions. This modification can lead to privilege escalation if an administrator runs the altered binary, resulting in full system compromise. The vulnerability affects installations scoped to all users (per-machine).
Mitigation Recommendations
A fix is available in beeware briefcase versions 0.3.26, 0.4.0, and 0.4.1, which include updated WXS templates correcting the permission assignment issue. Users should upgrade to one of these versions and re-run `briefcase create` to regenerate the installer templates. For existing WXS files generated by briefcase 0.3.24 or later, the patch can be manually applied to correct the permissions. No vendor advisory was provided, so check the official beeware documentation or repository for the patch details and instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-19T18:45:22.435Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c569d6f4197a8e3be94d83
Added to database: 3/26/2026, 5:16:06 PM
Last enriched: 4/3/2026, 12:57:09 PM
Last updated: 5/10/2026, 8:04:02 AM
Views: 43
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.