Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5431 vulnerabilities reference this CWE, most recent first.

CVE-2026-44987 (GCVE-0-2026-44987)

Vulnerability from cvelistv5 – Published: 2026-05-08 21:59 – Updated: 2026-05-12 18:31
VLAI
Title
SysReptor: Privilege Escalation from User Admin to Superuser
Summary
SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
Syslifters sysreptor Affected: < 2026.29
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44987",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T13:00:12.318338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T18:31:48.576Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sysreptor",
          "vendor": "Syslifters",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.29"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with \"User Admin\" permissions can change the email addresses of users with \"Superuser\" permissions. If the SysReptor installation has the \"Forgot Password\" functionality enabled (non-default), they can reset the Superusers\u0027 passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves \"Project Admin\" permissions. This is intentional and by design. This issue has been patched in version 2026.29."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T21:59:12.204Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3"
        },
        {
          "name": "https://github.com/Syslifters/sysreptor/releases/tag/2026.29",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Syslifters/sysreptor/releases/tag/2026.29"
        }
      ],
      "source": {
        "advisory": "GHSA-6x8f-v3cf-cvr3",
        "discovery": "UNKNOWN"
      },
      "title": "SysReptor: Privilege Escalation from User Admin to Superuser"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44987",
    "datePublished": "2026-05-08T21:59:12.204Z",
    "dateReserved": "2026-05-08T16:23:33.265Z",
    "dateUpdated": "2026-05-12T18:31:48.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44787 (GCVE-0-2026-44787)

Vulnerability from cvelistv5 – Published: 2026-07-09 22:03 – Updated: 2026-07-10 20:59
VLAI
Title
Discourse: Signup-time primary_group_id assignment grants whisperer access
Summary
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
discourse discourse Affected: >= 2026.1.0-latest, < 2026.1.5
Affected: >= 2026.4.0-latest, < 2026.4.2
Affected: >= 2026.5.0-latest, < 2026.5.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44787",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T20:53:15.561918Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T20:59:36.502Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "discourse",
          "vendor": "discourse",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2026.1.0-latest, \u003c 2026.1.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2026.4.0-latest, \u003c 2026.4.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2026.5.0-latest, \u003c 2026.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T22:03:41.409Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx"
        },
        {
          "name": "https://github.com/discourse/discourse/commit/012796ac28c85b30aa233c5ef042fc66efff8126",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/commit/012796ac28c85b30aa233c5ef042fc66efff8126"
        },
        {
          "name": "https://github.com/discourse/discourse/commit/0f50a07a6ef4b33f3f826ce6d7bf6d7bd16912d8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/commit/0f50a07a6ef4b33f3f826ce6d7bf6d7bd16912d8"
        },
        {
          "name": "https://github.com/discourse/discourse/commit/5418e3027dba109e27a4796463686d61e190ac29",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/commit/5418e3027dba109e27a4796463686d61e190ac29"
        },
        {
          "name": "https://github.com/discourse/discourse/commit/6fc7e6cf04422fc3f9d1c99134803071e983ff0a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/commit/6fc7e6cf04422fc3f9d1c99134803071e983ff0a"
        },
        {
          "name": "https://github.com/discourse/discourse/releases/tag/v2026.1.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/releases/tag/v2026.1.5"
        },
        {
          "name": "https://github.com/discourse/discourse/releases/tag/v2026.4.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/releases/tag/v2026.4.2"
        },
        {
          "name": "https://github.com/discourse/discourse/releases/tag/v2026.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/releases/tag/v2026.5.1"
        },
        {
          "name": "https://github.com/discourse/discourse/releases/tag/v2026.6.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/releases/tag/v2026.6.0"
        }
      ],
      "source": {
        "advisory": "GHSA-vmwq-jvxx-jwfx",
        "discovery": "UNKNOWN"
      },
      "title": "Discourse: Signup-time primary_group_id assignment grants whisperer access"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44787",
    "datePublished": "2026-07-09T22:03:41.409Z",
    "dateReserved": "2026-05-07T19:20:44.691Z",
    "dateUpdated": "2026-07-10T20:59:36.502Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44543 (GCVE-0-2026-44543)

Vulnerability from cvelistv5 – Published: 2026-05-28 16:41 – Updated: 2026-05-30 01:59
VLAI
Title
Local Path Provisioner: HelperPod Template Injection
Summary
Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44543",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-30T01:59:44.054722Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-30T01:59:56.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "local-path-provisioner",
          "vendor": "rancher",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.0.36"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants\u0027 local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T16:41:35.596Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-7fxv-8wr2-mfc4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-7fxv-8wr2-mfc4"
        }
      ],
      "source": {
        "advisory": "GHSA-7fxv-8wr2-mfc4",
        "discovery": "UNKNOWN"
      },
      "title": "Local Path Provisioner: HelperPod Template Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44543",
    "datePublished": "2026-05-28T16:41:35.596Z",
    "dateReserved": "2026-05-06T19:38:10.567Z",
    "dateUpdated": "2026-05-30T01:59:56.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44470 (GCVE-0-2026-44470)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:41 – Updated: 2026-05-13 18:37
VLAI
Title
Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
Summary
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
anthropics claude-code Affected: < 1.3834.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44470",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:36:56.249906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:37:19.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "claude-code",
          "vendor": "anthropics",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3834.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:41:48.424Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3"
        }
      ],
      "source": {
        "advisory": "GHSA-5p5x-5294-qhp3",
        "discovery": "UNKNOWN"
      },
      "title": "Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44470",
    "datePublished": "2026-05-13T15:41:48.424Z",
    "dateReserved": "2026-05-06T17:18:51.782Z",
    "dateUpdated": "2026-05-13T18:37:19.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44224 (GCVE-0-2026-44224)

Vulnerability from cvelistv5 – Published: 2026-05-12 20:33 – Updated: 2026-05-13 14:22
VLAI
Title
Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Summary
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
requarks wiki Affected: < 2.5.313
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44224",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:21:48.952199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:22:28.495Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wiki",
          "vendor": "requarks",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5.313"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller\u0027s arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users \u2014 a permission typically delegated to wiki moderators for account management \u2014 can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T20:33:53.046Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv"
        }
      ],
      "source": {
        "advisory": "GHSA-cq3g-mwrg-v2rv",
        "discovery": "UNKNOWN"
      },
      "title": "Wiki.js: Privilege Escalation via Missing Group Validation in users.update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44224",
    "datePublished": "2026-05-12T20:33:53.046Z",
    "dateReserved": "2026-05-05T15:42:40.518Z",
    "dateUpdated": "2026-05-13T14:22:28.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44218 (GCVE-0-2026-44218)

Vulnerability from cvelistv5 – Published: 2026-05-12 19:39 – Updated: 2026-05-14 12:30
VLAI
Title
ciguard: Container image runs as root (no USER directive)
Summary
ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
Jo-Jo98 ciguard Affected: >= 0.1.0, < 0.8.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44218",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T12:30:44.431094Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T12:30:51.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ciguard",
          "vendor": "Jo-Jo98",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 0.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T19:39:16.632Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763"
        }
      ],
      "source": {
        "advisory": "GHSA-jrm4-4pcf-4763",
        "discovery": "UNKNOWN"
      },
      "title": "ciguard: Container image runs as root (no USER directive)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44218",
    "datePublished": "2026-05-12T19:39:16.632Z",
    "dateReserved": "2026-05-05T15:42:40.517Z",
    "dateUpdated": "2026-05-14T12:30:51.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44119 (GCVE-0-2026-44119)

Vulnerability from cvelistv5 – Published: 2026-06-08 15:17 – Updated: 2026-06-09 11:57
VLAI
Title
Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules
Summary
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache HTTP Server Affected: 2.4.0 , ≤ 2.4.67 (semver)
Create a notification for this product.
Credits
Lucian Nitescu as3617 (@real_as3617) at ENKI Whitehat Zhang San Martin Petrák joaovicdev Rooting | Lucas Torres R4mbb of KRsecurity gggggggga@Xiaomi ShadowBlade Security Lab NikKrian of H3C Security Center(h3c.com) lokerxx
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-08T22:32:29.788Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/08/11"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-44119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T11:57:06.913774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T11:57:10.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.67",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucian Nitescu"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "as3617 (@real_as3617) at ENKI Whitehat"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhang San"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Martin Petr\u00e1k"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "joaovicdev"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Rooting | Lucas Torres"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "R4mbb of KRsecurity"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "gggggggga@Xiaomi ShadowBlade Security Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "NikKrian of H3C Security Center(h3c.com)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "lokerxx"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from through 2.4.67.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.68, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\n\nThis issue affects Apache HTTP Server: from through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-08T15:17:31.939Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-05T12:00:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2026-06-05T12:00:00.000Z",
          "value": "fixed in 2.4.x by r1935017"
        },
        {
          "lang": "eng",
          "time": "2026-06-08T12:00:00.000Z",
          "value": "2.4.68 released"
        }
      ],
      "title": "Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-44119",
    "datePublished": "2026-06-08T15:17:31.939Z",
    "dateReserved": "2026-05-05T11:34:53.172Z",
    "dateUpdated": "2026-06-09T11:57:10.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43886 (GCVE-0-2026-43886)

Vulnerability from cvelistv5 – Published: 2026-05-11 21:06 – Updated: 2026-05-12 13:20
VLAI
Title
Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access
Summary
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
outline outline Affected: >= 0.84.0, < 1.7.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43886",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T13:20:31.669002Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T13:20:35.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "outline",
          "vendor": "outline",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.84.0, \u003c 1.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:06:16.529Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/outline/outline/security/advisories/GHSA-7732-6qrg-wjf4"
        }
      ],
      "source": {
        "advisory": "GHSA-7732-6qrg-wjf4",
        "discovery": "UNKNOWN"
      },
      "title": "Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43886",
    "datePublished": "2026-05-11T21:06:16.529Z",
    "dateReserved": "2026-05-04T15:17:09.330Z",
    "dateUpdated": "2026-05-12T13:20:35.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42844 (GCVE-0-2026-42844)

Vulnerability from cvelistv5 – Published: 2026-05-12 21:43 – Updated: 2026-05-13 14:28
VLAI
Title
Grav: Low-privileged API users can create super-admin accounts via blueprint-upload
Summary
Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
getgrav grav Affected: 2.0.0-beta.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42844",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:28:07.384843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:28:31.866Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "2.0.0-beta.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T21:43:18.259Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h"
        }
      ],
      "source": {
        "advisory": "GHSA-6xx2-m8wv-756h",
        "discovery": "UNKNOWN"
      },
      "title": "Grav: Low-privileged API users can create super-admin accounts via blueprint-upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42844",
    "datePublished": "2026-05-12T21:43:18.259Z",
    "dateReserved": "2026-04-30T16:44:48.376Z",
    "dateUpdated": "2026-05-13T14:28:31.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42609 (GCVE-0-2026-42609)

Vulnerability from cvelistv5 – Published: 2026-05-11 15:03 – Updated: 2026-05-14 17:56
VLAI
Title
Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
Summary
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
  • CWE-285 - Improper Authorization
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-837 - Improper Enforcement of a Single, Unique Action
Assigner
Impacted products
Vendor Product Version
getgrav grav Affected: < 2.0.0-beta.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42609",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T17:56:12.800871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T17:56:41.506Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0-beta.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account\u0027s metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-837",
              "description": "CWE-837: Improper Enforcement of a Single, Unique Action",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T15:03:38.296Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632"
        }
      ],
      "source": {
        "advisory": "GHSA-rr73-568v-28f8",
        "discovery": "UNKNOWN"
      },
      "title": "Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42609",
    "datePublished": "2026-05-11T15:03:38.296Z",
    "dateReserved": "2026-04-29T00:31:15.725Z",
    "dateUpdated": "2026-05-14T17:56:41.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.