CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5550 vulnerabilities reference this CWE, most recent first.
GHSA-RM4P-54WJ-PX7W
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 19:00It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1.
{
"affected": [],
"aliases": [
"CVE-2022-3330"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1.",
"id": "GHSA-rm4p-54wj-px7w",
"modified": "2022-10-20T19:00:35Z",
"published": "2022-10-17T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3330"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3330.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/365827"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RMP9-MC8W-MQF3
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-12-16 22:48Amazon EC2 Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions in Amazon EC2 Plugin 1.50.1 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Amazon EC2 Plugin 1.50.2 now requires Overall/Administer permission.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.50.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:ec2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.50.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2188"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T22:48:38Z",
"nvd_published_at": "2020-05-06T13:15:00Z",
"severity": "MODERATE"
},
"details": "Amazon EC2 Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.\n\nThis functionality does not correctly check permissions in Amazon EC2 Plugin 1.50.1 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.\n\nAn enumeration of credentials IDs in Amazon EC2 Plugin 1.50.2 now requires Overall/Administer permission.",
"id": "GHSA-rmp9-mc8w-mqf3",
"modified": "2022-12-16T22:48:38Z",
"published": "2022-05-24T17:17:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2188"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/ec2-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1844"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/05/06/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Users with Overall/Read access can enumerate credentials IDs in Amazon EC2 Plugin"
}
GHSA-RMXW-C48H-2VF5
Vulnerability from github – Published: 2023-11-07 23:03 – Updated: 2023-11-07 23:03Impact
In XWiki Platform, it's possible for a user to write a script in which any velocity content is executed with the right of any other document content author.
To reproduce:
As a user with script but not programming right, create a document with the following content:
{{velocity}}
#set($main = $xwiki.getDocument('AppWithinMinutes.DynamicMessageTool'))
$main.setTitle('$doc.getDocument().getContentAuthor()')
$main.getPlainTitle()
{{/velocity}}
Since this API require programming right and the user does not have it, the expected result is $doc.document.authors.contentAuthor (not executed script), unfortunately with the security vulnerability we get XWiki.superadmin which shows that the title was executed with the right of the unmodified document.
Patches
This has been patched in XWiki 14.10.7 and 15.2-RC-1.
Workarounds
There are no known workarounds for it.
References
- https://jira.xwiki.org/browse/XWIKI-20624
- https://github.com/xwiki/xwiki-platform/commit/11a9170dfe63e59f4066db67f84dbfce4ed619c6
- https://jira.xwiki.org/browse/XWIKI-20625
- https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-display-api"
},
"ranges": [
{
"events": [
{
"introduced": "3.2-milestone-3"
},
{
"fixed": "14.10.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-display-api"
},
"ranges": [
{
"events": [
{
"introduced": "15.0"
},
{
"fixed": "15.2-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46244"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-07T23:03:57Z",
"nvd_published_at": "2023-11-07T19:15:10Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nIn XWiki Platform, it\u0027s possible for a user to write a script in which any velocity content is executed with the right of any other document content author.\n\nTo reproduce:\n\nAs a user with script but not programming right, create a document with the following content:\n\n```\n{{velocity}}\n#set($main = $xwiki.getDocument(\u0027AppWithinMinutes.DynamicMessageTool\u0027))\n$main.setTitle(\u0027$doc.getDocument().getContentAuthor()\u0027)\n$main.getPlainTitle()\n{{/velocity}}\n```\n\nSince this API require programming right and the user does not have it, the expected result is `$doc.document.authors.contentAuthor` (not executed script), unfortunately with the security vulnerability we get `XWiki.superadmin` which shows that the title was executed with the right of the unmodified document.\n\n### Patches\n\nThis has been patched in XWiki 14.10.7 and 15.2-RC-1.\n\n### Workarounds\n\nThere are no known workarounds for it.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-20624\n* https://github.com/xwiki/xwiki-platform/commit/11a9170dfe63e59f4066db67f84dbfce4ed619c6\n* https://jira.xwiki.org/browse/XWIKI-20625\n* https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
"id": "GHSA-rmxw-c48h-2vf5",
"modified": "2023-11-07T23:03:57Z",
"published": "2023-11-07T23:03:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmxw-c48h-2vf5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46244"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/11a9170dfe63e59f4066db67f84dbfce4ed619c6"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20624"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20625"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform privilege escalation from script right to programming right through title displayer"
}
GHSA-RP3C-5XMM-FM73
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.4.3 may allow a privileged user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2020-24494"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-17T14:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient access control in the firmware for the Intel(R) 722 Ethernet Controllers before version 1.4.3 may allow a privileged user to potentially enable denial of service via local access.",
"id": "GHSA-rp3c-5xmm-fm73",
"modified": "2022-05-24T17:42:29Z",
"published": "2022-05-24T17:42:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24494"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00456.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RP5M-XQ4P-5F64
Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-04-04 05:49Palantir discovered a software bug in a recently released version of Foundry’s Lime2 service, one of the services backing the Ontology. The software bug has been fixed and the fix has been deployed to your hosted Foundry environment. The vulnerability allowed authenticated users within a Foundry organization to potentially bypass discretionary or mandatory access controls under certain circumstances.
{
"affected": [],
"aliases": [
"CVE-2023-22833"
],
"database_specific": {
"cwe_ids": [
"CWE-304",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T19:15:10Z",
"severity": "MODERATE"
},
"details": "Palantir discovered a software bug in a recently released version of Foundry\u2019s Lime2 service, one of the services backing the Ontology. The software bug has been fixed and the fix has been deployed to your hosted Foundry environment. The vulnerability allowed authenticated users within a Foundry organization to potentially bypass discretionary or mandatory access controls under certain circumstances.",
"id": "GHSA-rp5m-xq4p-5f64",
"modified": "2024-04-04T05:49:07Z",
"published": "2023-07-06T21:15:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22833"
},
{
"type": "WEB",
"url": "https://palantir.safebase.us/?tcuUid=7f1fd834-805d-4679-85d0-9d779fa064ae"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RP65-JPC7-8H8P
Vulnerability from github – Published: 2023-09-29 12:30 – Updated: 2023-10-03 21:17Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to manage/update bots.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.1.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.8.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5159"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-29T20:41:31Z",
"nvd_published_at": "2023-09-29T10:15:10Z",
"severity": "LOW"
},
"details": "Mattermost fails to properly verify the permissions when managing/updating a bot allowing a\u00a0User Manager role with user edit permissions to manage/update bots.\n\n",
"id": "GHSA-rp65-jpc7-8h8p",
"modified": "2023-10-03T21:17:01Z",
"published": "2023-09-29T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5159"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Incorrect Authorization vulnerability"
}
GHSA-RP74-X43M-CPW3
Vulnerability from github – Published: 2025-03-21 09:30 – Updated: 2025-03-21 21:06Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0"
},
{
"fixed": "10.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0"
},
{
"fixed": "9.11.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"10.5.0"
]
}
],
"aliases": [
"CVE-2025-24920"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T21:06:31Z",
"nvd_published_at": "2025-03-21T09:15:12Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8, 10.5.x \u003c= 10.5.0\u00a0fail to restrict bookmark creation and updates in archived channels, which allows authenticated users created or update bookmarked in archived channels",
"id": "GHSA-rp74-x43m-cpw3",
"modified": "2025-03-21T21:06:31Z",
"published": "2025-03-21T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24920"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels"
}
GHSA-RP94-RVC6-9PPW
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
{
"affected": [],
"aliases": [
"CVE-2026-54803"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:51Z",
"severity": "CRITICAL"
},
"details": "Subscriber Privilege Escalation in SMS Alert Order Notifications \u003c= 3.9.4 versions.",
"id": "GHSA-rp94-rvc6-9ppw",
"modified": "2026-06-17T18:35:52Z",
"published": "2026-06-17T18:35:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54803"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-9-4-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RPC7-GF58-V3X2
Vulnerability from github – Published: 2023-10-13 09:30 – Updated: 2025-03-04 18:23Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the V1/customers/me endpoint to achieve information exposure and privilege escalation.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.7-beta1"
},
{
"fixed": "2.4.7-beta2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.7-beta1"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.6-p1"
},
{
"fixed": "2.4.6-p3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.4-p1"
},
{
"fixed": "2.4.4-p6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38218"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-04T18:23:33Z",
"nvd_published_at": "2023-10-13T07:15:40Z",
"severity": "MODERATE"
},
"details": "Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.",
"id": "GHSA-rpc7-gf58-v3x2",
"modified": "2025-03-04T18:23:33Z",
"published": "2023-10-13T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38218"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Magento Open Source allows Incorrect Authorization"
}
GHSA-RPFR-X88X-XWCW
Vulnerability from github – Published: 2026-05-04 21:24 – Updated: 2026-05-13 13:42Background
On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI) for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. These may include servers with the following configuration variables enabled:
- Server.UIAdminUsers: Affected if any of the listed admin users or the default admin account have not previously logged in to the server.
- Server.AdminGroups: Affected if
Issuer.GroupSourceis set tointernaland an admin of the group has not previously logged in to the server.
The OSDF operations team has mitigated these for core services, origins, and caches operated by the PATh project. However, mitigation may be needed for caches and origins not centrally operated.
Pelican Command Line has not currently identified any evidence this attack has been exploited in the services managed by OSDF operators.
Severity and Impact
When leveraged, an attacker with any kind of authenticated session on the server can create database records that cause the server to grant them admin privileges on subsequent login. Critically, admin access enables modifying the server's configuration, creating persistent API tokens, and changing admin passwords. The table below summarizes potential implications of this exploit.
| Service | Data exposure risk | Data tampering risk | Federation-wide impact |
|---|---|---|---|
| Director | Low (no data stored) | High — can modify configuration to point to a different Registry | High — can modify configuration to add GeoIP overrides to steer federation. Denial of service on the federation |
| Registry | Low | High — can modify existing or create malicious namespaces that impersonate trusted paths | High — federation-wide namespace poisoning. Denial of service on the federation |
| Origin | High — can expose protected paths via config or export object store/filesystem paths into a namespace | High — can potentially enable writes + change export paths | Medium — scoped to that origin's namespaces |
| Cache | Medium — can expose cached protected data via config changes | Low — caches don't originate data | Low — scoped to that cache |
Attack Preconditions
Both attacks share the same prerequisites:
1. The server's OIDC logins must be enabled.
2. The attacker must have some form of authenticated session on the server, typically from an OIDC login.
3. The attacker must know or guess a relevant admin identifier (a Server.UIAdminUsers username or a Server.AdminGroups group name) for an admin who has not previously logged into the WebUI.
Immediate Mitigation Steps
1. Audit the consuming service's database
Before upgrading, Pelican Command Line recommends auditing the service's database to see if it has already been exploited and to block further exploitation. Upgrading an exploited server is insufficient to prevent future unauthorized access if the exploit has already occurred.
Pelican Command Line is providing a script mitigate-user-escalation.sh that:
- Displays all user records and group memberships for manual review, highlighting any that show fingerprints of the attack with
[!]for explicit review — administrators should verify all entries, but especially those with this syntax highlighting. The highlighted changes do not guarantee an exploit occurred but that further examination is needed. - Creates database records mitigating the attack vector.
- Displays all API tokens, which may have been created by an attacker for persistent access, for administrator review. Suspicious tokens should be deleted using the provided SQLite commands.
- Provides additional guidance about rotating secrets on the server.
This script is available as a github gist: https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9
To run the script:
# Run as the same user that runs the Pelican server (e.g., pelican):
$ sudo bash mitigate-user-escalation.sh
# If using a non-standard config file:
$ sudo bash mitigate-user-escalation.sh --config /path/to/pelican.yaml
# If the database is in a non-standard location:
$ sudo bash mitigate-user-escalation.sh --db-path /path/to/pelican.sqlite
2. Upgrade to a patched version
Administrators for Pelican servers running an affected version should upgrade to a patched release. Within each minor release series, these versions include:
- >=v7.21.5
- >=v7.22.3
- >=v7.23.3
- >=v7.24.2
Administrators can check their server's version by invoking pelican with the --version flag, or by inspecting the WebUI's ? icon displayed in the lower left corner.
3. Disable vulnerable configuration if not upgrading immediately
If administrators are unable to upgrade to a patched version, disable the vulnerable configuration by commenting or removing the relevant settings from the service's pelican.yaml:
Server:
# Comment or remove these lines:
# UIAdminUsers:
# - user1
# - user2
# AdminGroups:
# - admin-group
Note: Disabling
Server.UIAdminUsersremoves OIDC-based admin access entirely, leaving only password-based login for admin access. Ensure the project has a working admin password before making this change.
If a server doesn't currently configure Server.UIAdminUsers or Server.AdminGroups, do not populate these settings until the administrator has upgraded to a patched version. If their project doesn't currently have these configured but have in the past, they should still audit the records using the provided mitigation script.
Long-Term Fixes
In addition to closing the immediate vulnerabilities, the Pelican development team is working toward several defense-in-depth solutions to minimize the risk of similar vulnerabilities in the future. These include: - Reviewing all code in the vicinity of these vulnerabilities for other attack vectors. - Changing internal frameworks so security implications of new APIs are more visible to code reviewers. - Automating security scanning using coding agents like the one that discovered this class of vulnerabilities.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pelicanplatform/pelican"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260408120501-7f73b9c3e677"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42571"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T21:24:50Z",
"nvd_published_at": "2026-05-09T20:16:29Z",
"severity": "CRITICAL"
},
"details": "## Background\n\nOn April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican\u0027s Web User Interface (WebUI) for various versions between `v7.21` and `v7.24`. Upon further investigation, the Pelican team discovered this attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. These may include servers with the following configuration variables enabled:\n\n- **Server.UIAdminUsers**: Affected if any of the listed admin users or the default admin account have not previously logged in to the server.\n- **Server.AdminGroups**: Affected if `Issuer.GroupSource` is set to `internal` and an admin of the group has not previously logged in to the server.\n\nThe OSDF operations team has mitigated these for core services, origins, and caches operated by the PATh project. However, mitigation may be needed for caches and origins not centrally operated.\n\n**Pelican Command Line has not currently identified any evidence this attack has been exploited in the services managed by OSDF operators.**\n\n## Severity and Impact\n\nWhen leveraged, an attacker with any kind of authenticated session on the server can create database records that cause the server to grant them admin privileges on subsequent login. Critically, admin access enables modifying the server\u0027s configuration, creating persistent API tokens, and changing admin passwords. The table below summarizes potential implications of this exploit.\n\n| Service | Data exposure risk | Data tampering risk | Federation-wide impact |\n|---------|-------------------|---------------------|----------------------|\n| **Director** | Low (no data stored) | **High** \u2014 can modify configuration to point to a different Registry | **High** \u2014 can modify configuration to add GeoIP overrides to steer federation. Denial of service on the federation |\n| **Registry** | Low | **High** \u2014 can modify existing or create malicious namespaces that impersonate trusted paths | **High** \u2014 federation-wide namespace poisoning. Denial of service on the federation |\n| **Origin** | **High** \u2014 can expose protected paths via config or export object store/filesystem paths into a namespace | **High** \u2014 can potentially enable writes + change export paths | Medium \u2014 scoped to that origin\u0027s namespaces |\n| **Cache** | **Medium** \u2014 can expose cached protected data via config changes | Low \u2014 caches don\u0027t originate data | Low \u2014 scoped to that cache |\n\n## Attack Preconditions\n\nBoth attacks share the same prerequisites:\n1. The server\u0027s OIDC logins must be enabled.\n2. The attacker must have some form of authenticated session on the server, typically from an OIDC login.\n3. The attacker must know or guess a relevant admin identifier (a `Server.UIAdminUsers` username or a `Server.AdminGroups` group name) for an admin who has not previously logged into the WebUI.\n\n## Immediate Mitigation Steps\n\n### 1. Audit the consuming service\u0027s database\n\nBefore upgrading, Pelican Command Line recommends auditing the service\u0027s database to see if it has already been exploited and to block further exploitation. **Upgrading an exploited server is insufficient to prevent future unauthorized access if the exploit has already occurred.**\n\nPelican Command Line is providing a script `mitigate-user-escalation.sh` that:\n\n- Displays all user records and group memberships for manual review, highlighting any that show fingerprints of the attack with `[!]` for explicit review \u2014 **administrators should verify all entries, but especially those with this syntax highlighting**. The highlighted changes do not guarantee an exploit occurred but that further examination is needed.\n- Creates database records mitigating the attack vector.\n- Displays all API tokens, which may have been created by an attacker for persistent access, for administrator review. Suspicious tokens should be deleted using the provided SQLite commands.\n- Provides additional guidance about rotating secrets on the server.\n\nThis script is available as a github gist: https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9\n\nTo run the script:\n```bash\n# Run as the same user that runs the Pelican server (e.g., pelican):\n$ sudo bash mitigate-user-escalation.sh\n\n# If using a non-standard config file:\n$ sudo bash mitigate-user-escalation.sh --config /path/to/pelican.yaml\n\n# If the database is in a non-standard location:\n$ sudo bash mitigate-user-escalation.sh --db-path /path/to/pelican.sqlite\n```\n\n### 2. Upgrade to a patched version\n\nAdministrators for Pelican servers running an affected version should upgrade to a patched release. Within each minor release series, these versions include:\n- `\u003e=v7.21.5`\n- `\u003e=v7.22.3`\n- `\u003e=v7.23.3`\n- `\u003e=v7.24.2`\n\nAdministrators can check their server\u0027s version by invoking pelican with the `--version` flag, or by inspecting the WebUI\u0027s `?` icon displayed in the lower left corner.\n\n### 3. Disable vulnerable configuration if not upgrading immediately\n\nIf administrators are unable to upgrade to a patched version, disable the vulnerable configuration by commenting or removing the relevant settings from the service\u0027s `pelican.yaml`:\n\n```yaml\nServer:\n # Comment or remove these lines:\n # UIAdminUsers:\n # - user1\n # - user2\n # AdminGroups:\n # - admin-group\n```\n\n\u003e **Note:** Disabling `Server.UIAdminUsers` removes OIDC-based admin access entirely, leaving only password-based login for admin access. Ensure the project has a working admin password before making this change.\n\nIf a server doesn\u0027t currently configure `Server.UIAdminUsers` or `Server.AdminGroups`, ***do not populate these settings until the administrator has upgraded to a patched version.*** If their project doesn\u0027t currently have these configured but have in the past, they should still audit the records using the provided mitigation script.\n\n## Long-Term Fixes\n\nIn addition to closing the immediate vulnerabilities, the Pelican development team is working toward several defense-in-depth solutions to minimize the risk of similar vulnerabilities in the future. These include:\n- Reviewing all code in the vicinity of these vulnerabilities for other attack vectors.\n- Changing internal frameworks so security implications of new APIs are more visible to code reviewers.\n- Automating security scanning using coding agents like the one that discovered this class of vulnerabilities.",
"id": "GHSA-rpfr-x88x-xwcw",
"modified": "2026-05-13T13:42:30Z",
"published": "2026-05-04T21:24:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42571"
},
{
"type": "WEB",
"url": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854"
},
{
"type": "PACKAGE",
"url": "https://github.com/PelicanPlatform/pelican"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Pelican Web UI Affected by a Privilege Escalation Attack"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.