Search

Find a vulnerability

Search criteria

    2 vulnerabilities by PelicanPlatform

    CVE-2026-42571 (GCVE-0-2026-42571)

    Vulnerability from nvd – Published: 2026-05-09 19:19 – Updated: 2026-05-12 02:27
    VLAI
    Title
    Privilege Escalation Attack affecting Pelican Web UI
    Summary
    Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    PelicanPlatform pelican Affected: >= 7.21.0, < 7.21.5
    Affected: >= 7.22.0, < 7.22.3
    Affected: >= 7.23.0, < 7.23.3
    Affected: >= 7.24.0, < 7.24.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42571",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T02:26:46.722258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T02:27:16.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pelican",
              "vendor": "PelicanPlatform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.21.0, \u003c 7.21.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.22.0, \u003c 7.22.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.23.0, \u003c 7.23.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.24.0, \u003c 7.24.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican\u0027s Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T19:19:36.522Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw"
            },
            {
              "name": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854"
            }
          ],
          "source": {
            "advisory": "GHSA-rpfr-x88x-xwcw",
            "discovery": "UNKNOWN"
          },
          "title": "Privilege Escalation Attack affecting Pelican Web UI"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42571",
        "datePublished": "2026-05-09T19:19:36.522Z",
        "dateReserved": "2026-04-28T17:26:12.084Z",
        "dateUpdated": "2026-05-12T02:27:16.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42571 (GCVE-0-2026-42571)

    Vulnerability from cvelistv5 – Published: 2026-05-09 19:19 – Updated: 2026-05-12 02:27
    VLAI
    Title
    Privilege Escalation Attack affecting Pelican Web UI
    Summary
    Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    PelicanPlatform pelican Affected: >= 7.21.0, < 7.21.5
    Affected: >= 7.22.0, < 7.22.3
    Affected: >= 7.23.0, < 7.23.3
    Affected: >= 7.24.0, < 7.24.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42571",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T02:26:46.722258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T02:27:16.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pelican",
              "vendor": "PelicanPlatform",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.21.0, \u003c 7.21.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.22.0, \u003c 7.22.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.23.0, \u003c 7.23.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.24.0, \u003c 7.24.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican\u0027s Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T19:19:36.522Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw"
            },
            {
              "name": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854"
            }
          ],
          "source": {
            "advisory": "GHSA-rpfr-x88x-xwcw",
            "discovery": "UNKNOWN"
          },
          "title": "Privilege Escalation Attack affecting Pelican Web UI"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42571",
        "datePublished": "2026-05-09T19:19:36.522Z",
        "dateReserved": "2026-04-28T17:26:12.084Z",
        "dateUpdated": "2026-05-12T02:27:16.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }