
1 vulnerability by PelicanPlatform

CVE-2026-42571 (GCVE-0-2026-42571)

Vulnerability from cvelistv5 – Published: 2026-05-09 19:19 – Updated: 2026-05-12 02:27
Title
Privilege Escalation Attack affecting Pelican Web UI
Summary
Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). Under certain configurations, any user authenticated to the WebUI via OAuth can gain admin privileges. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
PelicanPlatform pelican Affected: >= 7.21.0, < 7.21.5
Affected: >= 7.22.0, < 7.22.3
Affected: >= 7.23.0, < 7.23.3
Affected: >= 7.24.0, < 7.24.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42571",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T02:26:46.722258Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T02:27:16.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pelican",
          "vendor": "PelicanPlatform",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.21.0, \u003c 7.21.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.22.0, \u003c 7.22.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.23.0, \u003c 7.23.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.24.0, \u003c 7.24.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican\u0027s Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T19:19:36.522Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw"
        },
        {
          "name": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854"
        }
      ],
      "source": {
        "advisory": "GHSA-rpfr-x88x-xwcw",
        "discovery": "UNKNOWN"
      },
      "title": "Privilege Escalation Attack affecting Pelican Web UI"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42571",
    "datePublished": "2026-05-09T19:19:36.522Z",
    "dateReserved": "2026-04-28T17:26:12.084Z",
    "dateUpdated": "2026-05-12T02:27:16.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}