CVE-2026-27198

Severity: HIGH (8.8), EPSS: 0.02%

Formwork Improperly Managed Privileges in User creation

Published: 2026/2/19, Modified: 2026/2/23

Description

### Summary

The application fails to enforce role-based authorization during account creation. Although the system validates that the requested role exists, it does not verify whether the current user has sufficient privileges to assign that role. Highly privileged roles such as admin are therefore grantable by any user who may create accounts at all. As a result, an authenticated user with the editor role can create a new account with administrative privileges, then log in as that account, leading to full administrative access and complete compromise of the CMS.

### Impact

Successful exploitation allows an attacker to:

- Gain full administrative control over the CMS.
- Access all site data and user information.
- Modify system configuration and security settings.
- Create, modify, or delete any user account, including legitimate administrators.

### Patches

[Formwork 2.3.4](https://github.com/getformwork/formwork/releases/tag/2.3.4) checks the acting user's privileges before assigning a role on user creation.
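The check that is missing in the flawed behaviour, shown as an added illustration in Python rather than Formwork's own PHP code: the vulnerable variant validates the actor's permission to create users and that the requested role exists, the fixed variant additionally refuses to grant any role whose permissions exceed the actor's own. Role names, permission strings and the `User` model are hypothetical and do not correspond to Formwork's internal API.

```python
"""Authorization on role assignment at account creation.

Added illustration, not Formwork's code: it models the class of flaw in
CVE-2026-27198 (the role is checked for existence but the acting user's
right to grant it is not) next to a hardened version. Role names and
permission strings below are hypothetical.
"""
from dataclasses import dataclass


class Forbidden(PermissionError):
    """The acting user is not allowed to perform this action."""


class InvalidRole(ValueError):
    """The requested role does not exist."""


# Hypothetical role table; "*" stands for every known permission.
ALL_PERMISSIONS = frozenset(
    {"panel.access", "users.create", "users.delete", "site.options"}
)
ROLES = {
    "user": frozenset({"panel.access"}),
    "editor": frozenset({"panel.access", "users.create"}),
    "admin": frozenset({"*"}),
}


@dataclass(frozen=True)
class User:
    username: str
    role: str


def role_permissions(role: str) -> frozenset:
    """Resolve a role to its effective permission set; unknown roles are rejected."""
    if role not in ROLES:
        raise InvalidRole(f"unknown role {role!r}")
    perms = ROLES[role]
    return ALL_PERMISSIONS if "*" in perms else perms


def create_user_vulnerable(actor: User, username: str, role: str) -> User:
    """Flawed version: confirms the actor may create users and that the role
    exists, but never asks whether the actor may *grant* that role."""
    if "users.create" not in role_permissions(actor.role):
        raise Forbidden(f"{actor.username} may not create users")
    role_permissions(role)  # existence check only: an editor can pass "admin"
    return User(username, role)


def create_user_fixed(actor: User, username: str, role: str) -> User:
    """Hardened version: the new account may not receive any permission the
    actor does not already hold, so an editor may grant user or editor, not admin."""
    actor_perms = role_permissions(actor.role)
    if "users.create" not in actor_perms:
        raise Forbidden(f"{actor.username} may not create users")
    if not role_permissions(role) <= actor_perms:
        raise Forbidden(f"{actor.username} ({actor.role}) may not grant role {role!r}")
    return User(username, role)


def attempt(create, actor_role: str, target_role: str) -> str:
    """Run one creation through `create` and report the outcome as a string."""
    actor = User("probe", actor_role)
    try:
        created = create(actor, "new-account", target_role)
    except Forbidden:
        return "forbidden"
    except InvalidRole:
        return "invalid-role"
    return f"created:{created.role}"


def can_escalate(create, actor_role: str, target_role: str) -> bool:
    """True if `create` lets a user holding actor_role mint an account whose
    permissions exceed their own."""
    outcome = attempt(create, actor_role, target_role)
    if not outcome.startswith("created:"):
        return False
    granted = role_permissions(outcome.split(":", 1)[1])
    return not granted <= role_permissions(actor_role)


if __name__ == "__main__":
    for name, fn in (("vulnerable", create_user_vulnerable), ("fixed", create_user_fixed)):
        print(f"{name}: editor -> admin escalation possible? "
              f"{can_escalate(fn, 'editor', 'admin')}")
```

The subset test in `create_user_fixed` is one way to express "no privilege escalation through account creation": whatever policy a CMS uses (a role hierarchy, an explicit grant list), the invariant to enforce is that the actor cannot hand out rights they do not hold themselves. Checking only that the role name exists, as the vulnerable variant does, is input validation, not authorization.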

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

References (5)