CWE-266 describes incorrect privilege assignment: software gives a user, process, or component more authority than it should have. The flaw is not about breaking encryption or crashing code; it is about a bad trust decision. A low-privilege action may unexpectedly reach an admin function, a backend script, or a system service that should have been protected.
This matters because privilege errors often turn small bugs into full compromise. In real attacks, an attacker may start with a normal account and use a weak authorization path to read data, change settings, or run commands with elevated rights. Defenders look for this by checking every server-side control, not just the user interface. Effective fixes include strict authorization checks on each code path, least-privilege design, separation of duties, and logs that reveal when a feature is being used outside its intended role.
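The server-side check and out-of-role logging described above, as an added example that is not from the original page. The role names, action names and handlers are hypothetical; `dispatch_weak` shows the missing check, and `dispatch_checked` denies by default and logs every refusal.

```python
import logging

log = logging.getLogger("authz")

# Hypothetical role -> permitted actions map (least privilege: each role
# lists only what it needs; anything absent is denied).
ROLE_PERMISSIONS = {
    "viewer": {"read_report"},
    "operator": {"read_report", "restart_job"},
    "admin": {"read_report", "restart_job", "change_settings"},
}

# Hypothetical handlers standing in for real backend functions.
HANDLERS = {
    "read_report": lambda: "report",
    "restart_job": lambda: "job restarted",
    "change_settings": lambda: "settings changed",
}


class Forbidden(Exception):
    """Raised when a caller requests an action outside its role."""


def dispatch_weak(role, action):
    """Flawed: relies on the UI to offer only permitted actions, so the
    role is never consulted and every handler runs with backend authority."""
    return HANDLERS[action]()


def dispatch_checked(user, role, action):
    """Deny by default: unknown roles, unknown actions and out-of-role
    requests are refused and logged before any handler runs."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    if action not in HANDLERS or action not in allowed:
        log.warning("authz_denied user=%s role=%s action=%s", user, role, action)
        raise Forbidden(f"{role!r} may not perform {action!r}")
    log.info("authz_ok user=%s role=%s action=%s", user, role, action)
    return HANDLERS[action]()
```

The `authz_denied` lines are the signal to alert on: a role repeatedly requesting actions it was never granted is a feature being used outside its intended role.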



