CVE-2026-21429
Unknown Unknown - Not Provided
Permission Bypass in Emlog 2.5.23 Restricts Article Editing

Publication date: 2026-01-02

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Emlog is an open source website building system. In version 2.5.23, the admin can set controls which makes users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21429
EUVD
EUVD-2026-0752
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emlog emlog 2.5.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21429 is a Broken Access Control vulnerability in emlog version 2.5.23. Although the admin can set controls to prevent users from editing or deleting their articles after publishing, a registered user can bypass these restrictions by intercepting and modifying the HTTP request used to update an article. This allows unauthorized editing of article content despite the admin's settings. [1]

Impact Analysis

This vulnerability allows registered users to bypass restrictions and modify their published articles without authorization. This can lead to unauthorized content changes, potentially undermining content integrity and trustworthiness on the website. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests related to article editing in emlog version 2.5.23. Specifically, intercept and analyze HTTP requests from registered users attempting to edit or delete published articles. Tools like Burp Suite can be used to intercept and modify these requests to test if unauthorized edits are possible despite admin restrictions. There are no specific commands provided, but using an HTTP proxy/interceptor tool to capture and modify requests is the suggested approach. [1]

Mitigation Strategies

Since no patched versions are available, immediate mitigation steps include restricting registered user permissions carefully, monitoring and logging article edit requests for suspicious activity, and possibly disabling article editing features for registered users until a fix is released. Additionally, using web application firewalls (WAF) to detect and block tampered HTTP requests may help reduce exploitation risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart