CVE-2026-33430 Overview
CVE-2026-33430 is an insecure permissions vulnerability in Briefcase, a tool for converting Python projects into standalone native applications. When Briefcase generates Windows MSI installers and the application is installed for "All Users" (per-machine scope), the installation process creates directories that inherit all permissions from the parent directory. This improper permission configuration (CWE-732) enables local privilege escalation attacks where a low-privileged authenticated user can modify application binaries that may later be executed by administrators.
Critical Impact
A low-privileged local attacker can replace or modify installed binaries. If an administrator subsequently executes the altered binary, the attacker's malicious code runs with elevated privileges, leading to full system compromise.
Affected Products
- Briefcase versions 0.3.0 through 0.3.25
- Windows MSI installers generated using vulnerable Briefcase templates
- Applications installed with "All Users" (per-machine) scope
Discovery Timeline
- 2026-03-26 - CVE-2026-33430 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33430
Vulnerability Analysis
The vulnerability stems from an improper permission configuration in the WXS (Windows Installer XML) templates used by Briefcase to generate Windows MSI installers. When a Briefcase-packaged application is installed with the "All Users" option (per-machine scope), the installation directories are created without explicit security descriptors, causing them to inherit permissions from their parent directory.
In many Windows environments, particularly when applications are installed to non-standard locations or directories without restricted ACLs, this inheritance behavior grants write access to authenticated users. A local attacker with limited privileges can exploit this by replacing legitimate application executables or DLLs with malicious versions.
The attack achieves privilege escalation when an administrator or elevated process runs the compromised binary, executing the attacker's payload with those elevated privileges. This represents a classic binary planting or DLL hijacking scenario enabled by weak file system permissions.
Root Cause
The root cause is CWE-732: Incorrect Permission Assignment for Critical Resource. The WXS template files used in Briefcase versions 0.3.0 through 0.3.25 did not specify restrictive directory permissions during MSI-based installations. Instead of explicitly configuring secure ACLs that limit write access to administrators only, the templates allowed directory permission inheritance from parent folders, which may include overly permissive write access for standard users.
Attack Vector
This vulnerability requires local access to the target system. An attacker must have authenticated access to the Windows system where a vulnerable Briefcase-generated application is installed with per-machine scope. The attack involves identifying the installation directory, verifying write permissions exist, and replacing or modifying executable files within that directory.
The vulnerability is exploited through the following mechanism:
- The attacker identifies a Briefcase-generated application installed for All Users
- The attacker verifies that the installation directory inherited permissive ACLs allowing write access
- The attacker replaces a legitimate executable or DLL with a malicious payload
- When an administrator or elevated service executes the modified binary, the malicious code runs with elevated privileges
For technical details on the vulnerable template code and the applied fix, see the GitHub Pull Request #85 and GitHub Pull Request #86.
Detection Methods for CVE-2026-33430
Indicators of Compromise
- Unexpected modifications to executable files or DLLs in Briefcase-generated application directories
- File timestamps on application binaries that differ from the original installation date
- Changes to file hashes of installed executables compared to known-good baseline
- Anomalous process execution chains where low-integrity processes modify files later executed by high-integrity processes
Detection Strategies
- Monitor file system integrity of installed application directories using Windows Security Event IDs 4663 (file access) and 4656 (handle requests); note that these events are only logged for directories that carry an object-access auditing entry (SACL), so enable auditing on the application directories first
- Implement application whitelisting or code signing verification to detect unauthorized binary modifications
- Use SentinelOne's Behavioral AI to detect privilege escalation patterns involving binary replacement attacks
- Audit ACLs on application installation directories to identify overly permissive configurations
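The ACL audit described above, as an added PowerShell example that is not part of this advisory or of the Briefcase project. It assumes applications are installed under Program Files or Program Files (x86) at most two directory levels deep, and that the identity list it carries is what counts as a low-privileged principal in your environment:

```powershell
# Added audit example; not from the advisory or the Briefcase project.
# Lists per-machine application directories whose DACL lets a standard user
# write, i.e. the inherited-permission condition behind CVE-2026-33430.
# Assumed: apps live under Program Files / Program Files (x86) at most two
# levels deep, and the identity list below is what counts as low-privileged.
using namespace System.Security.AccessControl

$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests')

# Any of these rights on a directory is enough to drop or replace a binary.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) show up as raw bits
# on inherit-only ACEs, so the mask is an int, not only FileSystemRights values.
$WriteMask = [int]([FileSystemRights]::Write -bor [FileSystemRights]::Delete -bor
    [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [FileSystemRights]::ChangePermissions -bor [FileSystemRights]::TakeOwnership) -bor
    0x40000000 -bor 0x10000000

function Test-WeakAce {
    param([FileSystemAccessRule]$Ace)
    ($Ace.AccessControlType -eq [AccessControlType]::Allow) -and
    ($LowPrivIdentities -contains $Ace.IdentityReference.Value) -and
    (([int]$Ace.FileSystemRights -band $WriteMask) -ne 0)
}

function Find-WritableAppDirectory {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # unreadable directory, skip it
            foreach ($ace in $acl.Access) {
                if (Test-WeakAce $ace) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited   # True: came from the parent
                    }
                }
            }
        }
    }
}

Find-WritableAppDirectory -Paths $Roots | Format-Table -AutoSize
```

A row with Inherited = True on a per-machine install directory is the inheritance pattern this advisory describes; a row with Inherited = False points at an explicit grant that needs the same review.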
Monitoring Recommendations
- Deploy file integrity monitoring (FIM) on directories containing Briefcase-generated applications
- Configure alerts for write operations to application directories by non-administrator accounts
- Monitor for execution of modified binaries through process lineage analysis
- Review Windows Installer logs for applications installed with per-machine scope to identify potentially vulnerable deployments
How to Mitigate CVE-2026-33430
Immediate Actions Required
- Upgrade Briefcase to version 0.3.26, 0.4.0, or 0.4.1, which contain the fixed templates
- Re-run briefcase create on all existing projects to regenerate installers with secure templates
- Audit existing installations for permissive directory ACLs and remediate manually if necessary
- Consider reinstalling affected applications to apply correct permissions
Patch Information
The vulnerability was fixed in Briefcase versions 0.3.26, 0.4.0, and 0.4.1. The fix modifies the WXS template files to explicitly set restrictive directory permissions during MSI installation, preventing permission inheritance from parent directories. Detailed information about the fix is available in the GitHub Security Advisory GHSA-r3r2-35v9-v238.
To apply the fix, upgrade Briefcase and regenerate your application installers:
pip install --upgrade briefcase
briefcase create
briefcase package
Workarounds
- For Briefcase 0.3.24 or later, manually patch existing .wxs files with the security fix before building installers
- Manually set restrictive ACLs on installation directories after deployment using icacls or PowerShell commands
- Avoid installing applications for "All Users" and use per-user installation scope when possible
- Implement additional access controls through Group Policy to restrict write access to program directories
# Manually fix directory permissions on an existing per-machine installation.
# Run from an elevated prompt and replace the path with the application's install directory.
# Doing it in one invocation matters: /inheritance:r alone would leave the directory with an
# empty DACL until the grants are applied. /inheritance:r drops the inherited ACEs that opened
# the directory to standard users; /grant:r replaces any explicit grants for the listed principals.
# The (OI)(CI) flags make the new entries inheritable, so existing subfolders and files that still
# inherit pick them up; add /T to rewrite the ACLs of existing children explicitly as well.
icacls "C:\Program Files\YourApp" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

