{"uuid": "f252bd98-0dc8-41d7-8f98-5bea0d723618", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50881", "type": "seen", "source": "https://gist.github.com/pyuysig/68754e4c40161ea27fcf80be46c59e7c", "content": "# Vulnerability Report: CVE-2026-50881 - Bonsai - Editor role can access administrator operations\n\n## Vulnerability Summary\nimpworks Bonsai 6.0 contains an incorrect access control issue in shared admin authorization handling. An authenticated user with the Editor role can send direct requests to hidden administrator routes, allowing unauthorized account, password, and configuration changes.\n\n## Affected Product\n- **Vendor**: impworks\n- **Product**: Bonsai\n- **Version**: 6.0\n- **Vulnerable Component**: AdminAuthHandler, AdminControllerBase, UsersController, UsersManagerService, DynamicConfigController\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-863 (Incorrect Authorization)\n- **Attack Conditions**: A remote, authenticated user holding the Editor role sends direct HTTP requests to admin routes that the UI hides from that role, such as /admin/users/create, /admin/users/update, /admin/users/reset-password, or /admin/config.\n\n## Report Body\n\n### Summary\nimpworks Bonsai 6.0 contains an incorrect access control issue in shared admin authorization handling. An authenticated user with the Editor role can send direct requests to hidden administrator routes, allowing unauthorized account, password, and configuration changes.\n\n### Details\nAdministrator routes rely on a shared authorization check (AdminAuthHandler, AdminControllerBase) that does not explicitly require the administrator role. Editor-role users are therefore kept away from sensitive account actions (UsersController, UsersManagerService) and configuration actions (DynamicConfigController) only by the UI not showing the routes, not by a server-side check; a request sent directly to the route is processed.\n\n### PoC\n1. Prepare an environment matching the affected product and version above, with one administrator account and one account holding only the Editor role.\n2. Authenticated as the Editor, send direct HTTP requests to the administrator routes listed under Attack Conditions (for example /admin/users/create or /admin/config) instead of navigating through the UI.\n3. Confirm the result: the Editor-role user can reach the admin endpoints directly and perform administrative changes despite not being an administrator.\n\n### Impact\nPrivilege escalation from Editor to administrator-level operations.\n\n## Remediation\nRequire an explicit administrator role check on every administrator route rather than relying on the shared admin-area authorization alone, and add an authorization test for each sensitive route that asserts an Editor-role request is rejected.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:50.000000Z"}
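The following is an added example illustrating the remediation in the report above; it is not Bonsai's code and does not reproduce the actual AdminAuthHandler. Bonsai is an ASP.NET Core application, so the example uses ASP.NET Core's requirement/handler authorization model: a shared admin-area requirement that, in this hypothetical, also admits Editors (the CWE-863 pattern the report describes), beside a separate Admin-only requirement attached explicitly to sensitive routes. Every class, policy, role and route name below is an assumption chosen to mirror the component names listed in the report, and the program at the bottom evaluates both handlers offline against an Editor and an Admin principal, which is the kind of per-route test the Remediation section calls for.

```csharp
// Added example, not Bonsai's code. Contrasts a shared admin-area authorization
// handler that also admits Editors with an explicit Admin-only requirement for
// sensitive routes, then evaluates both handlers offline for an Editor and an Admin.
// Needs the Microsoft.AspNetCore.Authorization package. All class, policy, role and
// route names are assumptions modelled on the component names in the report.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Shared requirement reused by every controller under /admin (editing UI and admin ops alike).
public sealed class AdminAreaRequirement : IAuthorizationRequirement { }

// Separate requirement for account, password and configuration operations.
public sealed class AdminOnlyRequirement : IAuthorizationRequirement { }

// WEAK (hypothetical): the shared handler admits anyone allowed into the admin UI.
// Editors need the UI for page editing, so they also satisfy it on routes such as
// /admin/users/create or /admin/config that the UI merely hides from them.
public sealed class SharedAdminAreaHandler : AuthorizationHandler<AdminAreaRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx, AdminAreaRequirement req)
    {
        if (ctx.User.IsInRole("Admin") || ctx.User.IsInRole("Editor"))
            ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

// HARDENED: sensitive actions carry their own requirement that only Admin satisfies.
public sealed class AdminOnlyHandler : AuthorizationHandler<AdminOnlyRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx, AdminOnlyRequirement req)
    {
        if (ctx.User.IsInRole("Admin"))
            ctx.Succeed(req);
        return Task.CompletedTask;
    }
}

// Attaching the hardened requirement per route (hypothetical controller shapes):
//
//   [Authorize(Policy = "AdminArea")]
//   public abstract class AdminControllerBase : Controller { }
//
//   [Route("admin/users")]
//   public class UsersController : AdminControllerBase
//   {
//       [HttpPost("create")]
//       [Authorize(Policy = "AdminOnly")]   // explicit check on the route itself
//       public IActionResult Create(UserCreateVM vm) { /* ... */ }
//   }
//
// with the policies registered once at startup:
//
//   services.AddAuthorization(o =>
//   {
//       o.AddPolicy("AdminArea", p => p.AddRequirements(new AdminAreaRequirement()));
//       o.AddPolicy("AdminOnly", p => p.AddRequirements(new AdminOnlyRequirement()));
//   });
//   services.AddSingleton<IAuthorizationHandler, SharedAdminAreaHandler>();
//   services.AddSingleton<IAuthorizationHandler, AdminOnlyHandler>();

public static class Program
{
    // Builds a signed-in principal carrying a single role claim (constructed test data).
    static ClaimsPrincipal PrincipalWithRole(string role) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, role.ToLowerInvariant()), new Claim(ClaimTypes.Role, role) },
            authenticationType: "test"));

    // Runs one handler against one principal and reports whether the requirement passed.
    static async Task<bool> Evaluate<TReq>(AuthorizationHandler<TReq> handler, TReq req, ClaimsPrincipal user)
        where TReq : IAuthorizationRequirement
    {
        var ctx = new AuthorizationHandlerContext(new IAuthorizationRequirement[] { req }, user, resource: null);
        await handler.HandleAsync(ctx);
        return ctx.HasSucceeded;
    }

    public static async Task Main()
    {
        var editor = PrincipalWithRole("Editor");
        var admin  = PrincipalWithRole("Admin");

        // Per-route style checks: the shared requirement alone lets an Editor through,
        // the Admin-only requirement rejects the Editor and admits the Admin.
        Console.WriteLine($"shared area,  Editor -> {await Evaluate(new SharedAdminAreaHandler(), new AdminAreaRequirement(), editor)}");
        Console.WriteLine($"admin only,   Editor -> {await Evaluate(new AdminOnlyHandler(),      new AdminOnlyRequirement(), editor)}");
        Console.WriteLine($"admin only,   Admin  -> {await Evaluate(new AdminOnlyHandler(),      new AdminOnlyRequirement(), admin)}");
    }
}
```

Running the program shows the Editor principal satisfying the shared admin-area requirement but failing the Admin-only one, while the Admin principal satisfies both. The design point matches the report's remediation: a base-class or area-wide check establishes only that the caller may use the admin UI, so each account, password and configuration route needs its own role requirement, and a test per route that asserts the Editor case fails is what keeps a later refactor from silently reopening the hole.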