What is Privilege Escalation?
You signed up as a regular member. You open your profile update request in the network tab and notice the API accepts a role field. You change it from member to admin, hit send, and suddenly you have full control. That's privilege escalation.
The server assumes that if a field is in the request body, the client is allowed to set it. It never checks whether the current user has permission to change roles — it just writes whatever comes in.
This is different from IDOR (accessing someone else's data at the same privilege level). Privilege escalation means moving up — from member to manager, from viewer to admin, from user to superuser. It's classified under CWE-269 and is one of the most impactful bugs in the OWASP Top 10 #1 category.
How does Privilege Escalation work?
A privilege escalation bug needs two things: a writable field that controls access level (like role, isAdmin, or permissions), and a server that applies that field without verifying the requester's authority to set it.
Here's a typical vulnerable profile update endpoint:

    // app/api/users/[id]/route.ts
    // getSession and db are the app's own session helper and database client.
    export async function PATCH(req, { params }) {
      const session = await getSession(req);
      const body = await req.json();
      // Problem: spreads the entire body into the update,
      // including role, isAdmin, or any other field.
      const user = await db.user.update({
        where: { id: session.user.id },
        data: { ...body },
      });
      return Response.json(user);
    }

The fixed version allowlists the writable fields:

    // app/api/users/[id]/route.ts
    export async function PATCH(req, { params }) {
      const session = await getSession(req);
      const body = await req.json();
      // Only allow safe fields — role is never writable.
      const { name, email, avatar } = body;
      const user = await db.user.update({
        where: { id: session.user.id },
        data: { name, email, avatar },
      });
      return Response.json(user);
    }

Why do AI tools generate Privilege Escalation vulnerabilities?
AI code generators build what you ask for. When you say "add a profile update endpoint," the model generates one that updates every field it receives. It doesn't know which fields are sensitive — because you never told it.
- Object spread is the default pattern. Models love { ...body } and Object.assign. These patterns are concise and common in training data — but they pass every field straight to the database.
- Role management is an afterthought. Prompts like "build a user API" don't mention role protection. The model generates working CRUD and moves on.
- Authorization requires business context. The model can't infer that only superadmins should set roles, or that isAdmin should never appear in a self-update request. That's your app's policy, not a generic rule.
Privilege escalation through mass assignment is one of the most common patterns in AI-generated code. The fix is straightforward — explicitly allowlist writable fields — but the model rarely does it unprompted.
Common Privilege Escalation patterns
Role field in profile update
PATCH /api/users/me with { "role": "admin" } — the API writes it directly.
isAdmin boolean toggle
A hidden field like isAdmin or is_superuser that the API accepts without question.
Permissions array manipulation
Sending { "permissions": ["read", "write", "delete", "admin"] } in a settings update.
Registration-time escalation
Sign-up endpoint accepts a role field — create an account as admin on day one.
How Flowpatrol detects Privilege Escalation
Flowpatrol doesn't just look at your code — it tests your running app the way an attacker would:
1. Registers a low-privilege user and captures the baseline session and role.
2. Injects role fields into update requests — tries adding role, isAdmin, permissions, and similar fields to every writable endpoint.
3. Checks whether the privilege stuck — re-fetches the user profile to see if the role actually changed server-side.
4. Reports the escalation path with the exact request payload, the before/after role, and how to lock it down.
Traditional scanners miss this entirely because it requires understanding your app's role model. Flowpatrol tests the actual behavior.
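
The four steps above can also be kept as a regression check in your own test suite. This is an added example, not Flowpatrol's code or code from the original page; the in-memory store and the names makeStore, updateVulnerable, updateAllowlisted and probeEscalation are assumptions that stand in for the two handlers shown earlier.

```javascript
// Privileged fields named on this page, each with an escalated value to try.
const PRIV_FIELDS = {
  role: "admin",
  isAdmin: true,
  is_superuser: true,
  permissions: ["read", "write", "delete", "admin"],
};

// Constructed sample user; a real test would register one through the API.
function makeStore() {
  return { u1: { id: "u1", name: "Ann", role: "member", isAdmin: false,
                 is_superuser: false, permissions: ["read"] } };
}

// Stand-in for the vulnerable handler: spreads the whole body into the record.
function updateVulnerable(store, userId, body) {
  store[userId] = { ...store[userId], ...body };
  return store[userId];
}

// Stand-in for the fixed handler: copies only allowlisted fields that were sent.
const WRITABLE = ["name", "email", "avatar"];
function updateAllowlisted(store, userId, body) {
  for (const key of WRITABLE) {
    if (Object.prototype.hasOwnProperty.call(body, key)) store[userId][key] = body[key];
  }
  return store[userId];
}

// Baseline, inject one privileged field beside a harmless one, re-read, report.
function probeEscalation(update) {
  const findings = [];
  for (const [field, value] of Object.entries(PRIV_FIELDS)) {
    const store = makeStore();                       // fresh low-privilege user
    const before = JSON.stringify(store.u1[field]);  // baseline value
    update(store, "u1", { name: "Ann B.", [field]: value });
    const after = JSON.stringify(store.u1[field]);   // state after the update
    if (before !== after) findings.push({ field, before, after });
  }
  return findings;
}

console.log(probeEscalation(updateVulnerable).map((f) => f.field));
console.log(probeEscalation(updateAllowlisted));
```

An empty findings list for a handler means none of the privileged fields changed; any entry names the field that was written along with its before and after values.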
Check your app for privilege escalation.
Flowpatrol tests whether your users can promote themselves. Five minutes. One URL.