Common Weakness Enumeration

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVE-2026-44119 (GCVE-0-2026-44119)

Vulnerability from cvelistv5 – Published: 2026-06-08 15:17 – Updated: 2026-06-09 11:57
VLAI
Title
Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules
Summary
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache HTTP Server Affected: 2.4.0 , ≤ 2.4.67 (semver)
Create a notification for this product.
Credits
Lucian Nitescu as3617 (@real_as3617) at ENKI Whitehat Zhang San Martin Petrák joaovicdev Rooting | Lucas Torres R4mbb of KRsecurity gggggggga@Xiaomi ShadowBlade Security Lab NikKrian of H3C Security Center(h3c.com) lokerxx
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-08T22:32:29.788Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/08/11"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-44119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T11:57:06.913774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T11:57:10.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.67",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucian Nitescu"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "as3617 (@real_as3617) at ENKI Whitehat"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhang San"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Martin Petr\u00e1k"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "joaovicdev"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Rooting | Lucas Torres"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "R4mbb of KRsecurity"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "gggggggga@Xiaomi ShadowBlade Security Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "NikKrian of H3C Security Center(h3c.com)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "lokerxx"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from through 2.4.67.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.68, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\n\nThis issue affects Apache HTTP Server: from through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-08T15:17:31.939Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-05T12:00:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2026-06-05T12:00:00.000Z",
          "value": "fixed in 2.4.x by r1935017"
        },
        {
          "lang": "eng",
          "time": "2026-06-08T12:00:00.000Z",
          "value": "2.4.68 released"
        }
      ],
      "title": "Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-44119",
    "datePublished": "2026-06-08T15:17:31.939Z",
    "dateReserved": "2026-05-05T11:34:53.172Z",
    "dateUpdated": "2026-06-09T11:57:10.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44218 (GCVE-0-2026-44218)

Vulnerability from cvelistv5 – Published: 2026-05-12 19:39 – Updated: 2026-05-14 12:30
VLAI
Title
ciguard: Container image runs as root (no USER directive)
Summary
ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
Jo-Jo98 ciguard Affected: >= 0.1.0, < 0.8.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44218",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T12:30:44.431094Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T12:30:51.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ciguard",
          "vendor": "Jo-Jo98",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 0.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T19:39:16.632Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763"
        }
      ],
      "source": {
        "advisory": "GHSA-jrm4-4pcf-4763",
        "discovery": "UNKNOWN"
      },
      "title": "ciguard: Container image runs as root (no USER directive)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44218",
    "datePublished": "2026-05-12T19:39:16.632Z",
    "dateReserved": "2026-05-05T15:42:40.517Z",
    "dateUpdated": "2026-05-14T12:30:51.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44224 (GCVE-0-2026-44224)

Vulnerability from cvelistv5 – Published: 2026-05-12 20:33 – Updated: 2026-05-13 14:22
VLAI
Title
Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Summary
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
requarks wiki Affected: < 2.5.313
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44224",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:21:48.952199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:22:28.495Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wiki",
          "vendor": "requarks",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5.313"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller\u0027s arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users \u2014 a permission typically delegated to wiki moderators for account management \u2014 can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T20:33:53.046Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/requarks/wiki/security/advisories/GHSA-cq3g-mwrg-v2rv"
        }
      ],
      "source": {
        "advisory": "GHSA-cq3g-mwrg-v2rv",
        "discovery": "UNKNOWN"
      },
      "title": "Wiki.js: Privilege Escalation via Missing Group Validation in users.update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44224",
    "datePublished": "2026-05-12T20:33:53.046Z",
    "dateReserved": "2026-05-05T15:42:40.518Z",
    "dateUpdated": "2026-05-13T14:22:28.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44470 (GCVE-0-2026-44470)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:41 – Updated: 2026-05-13 18:37
VLAI
Title
Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
Summary
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
anthropics claude-code Affected: < 1.3834.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44470",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:36:56.249906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:37:19.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "claude-code",
          "vendor": "anthropics",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3834.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:41:48.424Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-5p5x-5294-qhp3"
        }
      ],
      "source": {
        "advisory": "GHSA-5p5x-5294-qhp3",
        "discovery": "UNKNOWN"
      },
      "title": "Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44470",
    "datePublished": "2026-05-13T15:41:48.424Z",
    "dateReserved": "2026-05-06T17:18:51.782Z",
    "dateUpdated": "2026-05-13T18:37:19.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44543 (GCVE-0-2026-44543)

Vulnerability from cvelistv5 – Published: 2026-05-28 16:41 – Updated: 2026-05-30 01:59
VLAI
Title
Local Path Provisioner: HelperPod Template Injection
Summary
Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44543",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-30T01:59:44.054722Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-30T01:59:56.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "local-path-provisioner",
          "vendor": "rancher",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.0.36"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants\u0027 local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T16:41:35.596Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-7fxv-8wr2-mfc4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-7fxv-8wr2-mfc4"
        }
      ],
      "source": {
        "advisory": "GHSA-7fxv-8wr2-mfc4",
        "discovery": "UNKNOWN"
      },
      "title": "Local Path Provisioner: HelperPod Template Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44543",
    "datePublished": "2026-05-28T16:41:35.596Z",
    "dateReserved": "2026-05-06T19:38:10.567Z",
    "dateUpdated": "2026-05-30T01:59:56.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44987 (GCVE-0-2026-44987)

Vulnerability from cvelistv5 – Published: 2026-05-08 21:59 – Updated: 2026-05-12 18:31
VLAI
Title
SysReptor: Privilege Escalation from User Admin to Superuser
Summary
SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
Syslifters sysreptor Affected: < 2026.29
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44987",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T13:00:12.318338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T18:31:48.576Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sysreptor",
          "vendor": "Syslifters",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.29"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with \"User Admin\" permissions can change the email addresses of users with \"Superuser\" permissions. If the SysReptor installation has the \"Forgot Password\" functionality enabled (non-default), they can reset the Superusers\u0027 passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves \"Project Admin\" permissions. This is intentional and by design. This issue has been patched in version 2026.29."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T21:59:12.204Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3"
        },
        {
          "name": "https://github.com/Syslifters/sysreptor/releases/tag/2026.29",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Syslifters/sysreptor/releases/tag/2026.29"
        }
      ],
      "source": {
        "advisory": "GHSA-6x8f-v3cf-cvr3",
        "discovery": "UNKNOWN"
      },
      "title": "SysReptor: Privilege Escalation from User Admin to Superuser"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44987",
    "datePublished": "2026-05-08T21:59:12.204Z",
    "dateReserved": "2026-05-08T16:23:33.265Z",
    "dateUpdated": "2026-05-12T18:31:48.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45043 (GCVE-0-2026-45043)

Vulnerability from cvelistv5 – Published: 2026-05-29 12:25 – Updated: 2026-06-02 01:08
VLAI
Title
RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root
Summary
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
rustfs rustfs Affected: < 1.0.0-beta.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45043",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T01:04:49.372716Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T01:08:47.243Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rustfs",
          "vendor": "rustfs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.0-beta.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T12:25:08.665Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8"
        }
      ],
      "source": {
        "advisory": "GHSA-566f-q62r-wcr8",
        "discovery": "UNKNOWN"
      },
      "title": "RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45043",
    "datePublished": "2026-05-29T12:25:08.665Z",
    "dateReserved": "2026-05-08T18:07:27.341Z",
    "dateUpdated": "2026-06-02T01:08:47.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45176 (GCVE-0-2026-45176)

Vulnerability from cvelistv5 – Published: 2026-06-11 18:49 – Updated: 2026-06-13 03:55
VLAI
Title
Idira Endpoint Privilege Manager Agent: Local Privilege Escalation via Internal Communication or File Operation Manipulation
Summary
Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - [Discouraged] CWE-269: Improper Privilege Management
Assigner
Impacted products
Date Public
2026-06-11 17:10
Credits
Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45176",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-13T03:55:47.522Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "macOS",
            "Linux"
          ],
          "product": "Idira Endpoint Privilege Manager",
          "vendor": "CyberArk Software, a Palo Alto Networks Company",
          "versions": [
            {
              "changes": [
                {
                  "at": "26.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "26.5",
              "status": "affected",
              "version": "26.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:idira_endpoint_privilege_manager:*:*:windows:*:*:*:*:*",
                  "versionEndExcluding": "26.5",
                  "versionStartIncluding": "26.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:idira_endpoint_privilege_manager:*:*:macos:*:*:*:*:*",
                  "versionEndExcluding": "26.5",
                  "versionStartIncluding": "26.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:idira_endpoint_privilege_manager:*:*:linux:*:*:*:*:*",
                  "versionEndExcluding": "26.5",
                  "versionStartIncluding": "26.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue"
        }
      ],
      "datePublic": "2026-06-11T17:10:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19"
            }
          ],
          "value": "Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19"
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "[Discouraged] CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T18:49:00.712Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-os-windows.htm#Version2650"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-os-macos.htm#Version2650"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-os-linux.htm#Version2650"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-11T17:10:00.000Z",
          "value": "Initial publication."
        }
      ],
      "title": "Idira Endpoint Privilege Manager Agent: Local Privilege Escalation via Internal Communication or File Operation Manipulation",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2026-45176",
    "datePublished": "2026-06-11T18:49:00.712Z",
    "dateReserved": "2026-05-08T23:01:00.502Z",
    "dateUpdated": "2026-06-13T03:55:47.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45254 (GCVE-0-2026-45254)

Vulnerability from cvelistv5 – Published: 2026-05-21 09:34 – Updated: 2026-05-21 14:37
VLAI
Title
Incorrect libcap_net limitation list manipulation
Summary
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
FreeBSD FreeBSD Affected: 15.0-RELEASE , < p9 (release)
Affected: 14.4-RELEASE , < p5 (release)
Affected: 14.3-RELEASE , < p14 (release)
Create a notification for this product.
Date Public
2026-05-20 23:00
Credits
Joshua Rogers of AISLE Research Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-45254",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T14:35:55.800907Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-21T14:37:03.795Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "libcap_net"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p9",
              "status": "affected",
              "version": "15.0-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p5",
              "status": "affected",
              "version": "14.4-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p14",
              "status": "affected",
              "version": "14.3-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joshua Rogers of AISLE Research Team"
        }
      ],
      "datePublic": "2026-05-20T23:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as \"allow any\" instead of being rejected.\n\nIn certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T09:34:37.541Z",
        "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
        "shortName": "freebsd"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:24.cap_net.asc"
        }
      ],
      "title": "Incorrect libcap_net limitation list manipulation",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
    "assignerShortName": "freebsd",
    "cveId": "CVE-2026-45254",
    "datePublished": "2026-05-21T09:34:37.541Z",
    "dateReserved": "2026-05-11T16:27:44.891Z",
    "dateUpdated": "2026-05-21T14:37:03.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45256 (GCVE-0-2026-45256)

Vulnerability from cvelistv5 – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:30
VLAI
Title
Missing permission check in thr_kill2(2)
Summary
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
FreeBSD FreeBSD Affected: 15.0-RELEASE , < p10 (release)
Affected: 14.4-RELEASE , < p6 (release)
Affected: 14.3-RELEASE , < p15 (release)
Create a notification for this product.
Date Public
2026-06-09 23:30
Credits
Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Igor Gabriel Sousa e Souza
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-45256",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T15:29:58.924156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T15:30:02.071Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "thr"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p10",
              "status": "affected",
              "version": "15.0-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p6",
              "status": "affected",
              "version": "14.4-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p15",
              "status": "affected",
              "version": "14.3-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Igor Gabriel Sousa e Souza"
        }
      ],
      "datePublic": "2026-06-09T23:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal.  The signal was sent even when the permission check failed.  The system call returned the resulting error to the caller, but by then the signal had already been delivered.\n\nThe missing check allows an unprivileged local user who knows or can guess a target\u0027s process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root.  The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails.  Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.\n\nAn attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T14:43:22.674Z",
        "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
        "shortName": "freebsd"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:25.thr.asc"
        }
      ],
      "title": "Missing permission check in thr_kill2(2)",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
    "assignerShortName": "freebsd",
    "cveId": "CVE-2026-45256",
    "datePublished": "2026-06-26T14:43:22.674Z",
    "dateReserved": "2026-05-11T16:27:44.891Z",
    "dateUpdated": "2026-06-26T15:30:02.071Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-1

Phases: Architecture and Design, Operation

Description:

  • Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation ID: MIT-48

Phase: Architecture and Design

Strategy: Separation of Privilege

Description:

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation ID: MIT-49

Phase: Architecture and Design

Strategy: Separation of Privilege

Description:

  • Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.

Back to CWE stats page