What is Privilege Escalation? - apviso [APVISO](/)Product

Resources

Developers

Company

[Pricing](/#pricing)[Partners](/partners)[Enterprise](/enterprise)

[Login](/login)[Get started](/register)

[Login](/login)[Start pentest](/register)

[Home](/)[Glossary](/glossary)Privilege Escalation[Back to Glossary](/glossary)Privilege Escalation
====================

A technique where an attacker gains higher access levels than originally granted, moving from a low-privilege user to an admin or root account.

vulnerabilityaccess controlattack technique

Privilege escalation occurs when an attacker exploits a vulnerability, design flaw, or configuration weakness to gain elevated access to resources that are normally protected. It's divided into two categories: vertical escalation (gaining higher privilege levels, like user to admin) and horizontal escalation (accessing resources of another user at the same privilege level).

In web applications, privilege escalation often manifests as Insecure Direct Object References (IDOR), missing function-level access controls, or flawed role-based access control implementations. An attacker might modify a user ID in an API request to access another user's data, or change a role parameter to grant themselves admin privileges.

Privilege escalation is a critical step in most attack chains. An attacker who gains initial access through a low-severity vulnerability can compound the impact significantly by escalating their privileges.

How APVISO tests for this: APVISO's pentester agent systematically tests access controls by manipulating user IDs, role parameters, and API authorization headers. The lead agent coordinates multi-step attacks that chain initial access with privilege escalation to demonstrate real-world impact.

Related Terms
-------------

[Broken Access Control](/glossary/broken-access-control)[Insecure Direct Object Reference (IDOR)](/glossary/idor)[OWASP Top 10](/glossary/owasp-top-10)

Test your applications for privilege escalation vulnerabilities
---------------------------------------------------------------

APVISO's AI agents automatically test for this and many more vulnerability categories.

[Contact sales](/contact)

[APVISO](/)Autonomous AI-powered penetration testing for modern web applications.

Subscribe

[](https://github.com/apviso)[](https://x.com/Apviso_com)[](https://www.linkedin.com/company/apviso/)

[![Featured on Good AI Tools](https://goodaitools.com/assets/images/badge.png)](https://goodaitools.com/ai/apviso)

Product

- [Features](/#features)
- [Sentinel](/sentinel)
- [Pricing](/pricing)
- [Integrations](/integrations)
- [Benchmarks](/#compare)
- [Affiliate Program](/affiliate)
- [Partners](/partners)
- [Enterprise](/enterprise)

Resources

- [Blog](/blog)
- [Use Cases](/use-cases)
- [Glossary](/glossary)
- [Comparisons](/comparisons)
- [Alternatives](/alternatives)
- [Compliance](/compliance)
- [Vulnerabilities](/vulnerabilities)
- [Industries](/industries)
- [OWASP APTS](/trust/apts)

Developers

- [Knowledge Base](/docs)
- [API Reference](/docs/api)
- [MCP Server](/docs/mcp)

Company

- [About](/about)
- [Contact](/contact)
- [Status](https://status.apviso.com)
- [Privacy Policy](/legal/privacy)
- [Terms of Service](/legal/terms)

© 2026 APVISO. All rights reserved.
