CVE-2026-27198
Privilege Escalation in Formwork CMS via Role Authorization Bypass
Publication date: 2026-02-21
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| formwork_project | formwork | From 2.0.0 (inc) to 2.3.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27198 is an Improper Privilege Management vulnerability in the Formwork CMS versions 2.0.0 through 2.3.3. The vulnerability occurs during user account creation, where the system checks if a specified role exists but does not verify whether the current user has the privilege to assign high-level roles such as admin.
As a result, an authenticated user with the editor role can create new accounts with administrative privileges, gaining full administrative control over the CMS.
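The pattern described above (a role-existence check without a check of who is allowed to grant that role) is the CWE-269 flaw, modelled here as a small in-memory user store. This is an added illustration, not Formwork's code: the role names, the permission table and the handler names are assumptions made for the example. The vulnerable handler validates only that the requested role exists; the hardened handler additionally asks whether the acting user may assign that role.

```python
"""Added example (not Formwork's code): the missing authorization check
behind CVE-2026-27198, shown as a vulnerable handler beside a fixed one.
Role names, the ASSIGNABLE_ROLES table and the method names are assumptions."""
from dataclasses import dataclass, field


# Assumed policy: which roles each role may grant to a newly created account.
ASSIGNABLE_ROLES = {
    "admin": {"admin", "editor", "user"},
    "editor": {"user"},   # an editor may never mint an admin or another editor
    "user": set(),
}
KNOWN_ROLES = set(ASSIGNABLE_ROLES)


class BadRequest(Exception):
    """The request itself is malformed (unknown role, duplicate name)."""


class Forbidden(Exception):
    """The actor is authenticated but not authorized for this action."""


@dataclass
class User:
    name: str
    role: str


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)

    def create_user_vulnerable(self, actor: User, new_name: str, role: str) -> User:
        """The flaw: only 'does this role exist?' is checked, so any
        authenticated account that reaches this handler can create an admin."""
        if role not in KNOWN_ROLES:
            raise BadRequest(f"unknown role {role!r}")
        if new_name in self.users:
            raise BadRequest(f"user {new_name!r} already exists")
        self.users[new_name] = User(new_name, role)
        return self.users[new_name]

    def create_user_fixed(self, actor: User, new_name: str, role: str) -> User:
        """The fix: the role must exist AND the actor must be permitted to
        grant it. Authorization is decided server-side from the actor's
        current role, never from anything supplied in the request."""
        if role not in KNOWN_ROLES:
            raise BadRequest(f"unknown role {role!r}")
        if role not in ASSIGNABLE_ROLES.get(actor.role, set()):
            raise Forbidden(f"{actor.role} {actor.name!r} may not assign role {role!r}")
        if new_name in self.users:
            raise BadRequest(f"user {new_name!r} already exists")
        self.users[new_name] = User(new_name, role)
        return self.users[new_name]


def demo() -> dict:
    """Run both handlers with an editor trying to create an admin account."""
    editor = User("carol", "editor")
    results = {}
    results["vulnerable"] = UserStore().create_user_vulnerable(editor, "mallory", "admin").role
    try:
        UserStore().create_user_fixed(editor, "mallory", "admin")
        results["fixed"] = "created"
    except Forbidden:
        results["fixed"] = "forbidden"
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is in `create_user_fixed`: the decision uses `actor.role` as held by the server session, so a client cannot influence it, and the permitted-roles table is a whitelist (an actor can grant only roles explicitly listed for it), so a newly added role is non-assignable by default.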
How can this vulnerability impact me?
This vulnerability allows an authenticated user with low privileges (editor role) to escalate their privileges by creating new accounts with administrative rights. Potential consequences include:
- Complete administrative access to the CMS.
- Access to all site data and user information.
- Ability to modify system configurations and security settings.
- Capability to create, modify, or delete any user account, including legitimate administrators.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated user with editor privileges creating new accounts with administrative roles due to improper privilege checks during account creation.
To detect exploitation attempts on your system, monitor user account creation logs for any new accounts assigned the admin role that were created by users without administrative privileges.
Since the issue is related to role assignment during user creation, you can audit the CMS user database or configuration files for recently created users with elevated roles.
Specific commands depend on your environment, but examples include:
- Query the CMS user database or flat files for users with admin roles created by non-admin users.
- Check web server or application logs for POST requests to the user creation endpoint originating from editor accounts.
- Example command to search logs for user creation attempts (adjust path and log format accordingly): `grep -i 'create user' /path/to/formwork/logs/access.log | grep 'role=admin'`
- Review the CMS user configuration files or database entries for suspicious role assignments.
[1]
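The detection idea above (flag account creations that assign an admin role when the acting account is not itself an admin) carried through as a small log scanner. This is an added example, not part of the original page or of Formwork: the page does not give Formwork's log format, so the sample lines below are constructed in an assumed `key=value` audit layout, and the field names (`actor`, `actor_role`, `action`, `target`, `role`) are assumptions to adapt to whatever your application or proxy actually records.

```python
"""Added example (not Formwork's code): scan an audit log for user-creation
events that grant a privileged role from a non-privileged actor.
The log layout and field names are assumptions; adapt parse_line() to your logs."""
import re
from dataclasses import dataclass

# Constructed sample log in an assumed "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2026-02-22T10:14:55Z actor=alice actor_role=admin action=create_user target=bob role=editor
2026-02-22T10:15:02Z actor=carol actor_role=editor action=create_user target=mallory role=admin
2026-02-22T10:15:30Z actor=carol actor_role=editor action=update_page target=home
2026-02-22T10:16:10Z actor=dave actor_role=editor action=create_user target=eve role=user
2026-02-22T10:17:41Z actor=alice actor_role=admin action=create_user target=frank role=admin
this line is malformed and must be skipped
"""

# Roles whose assignment by a non-member of the set is suspicious.
PRIVILEGED_ROLES = {"admin"}

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    actor: str
    actor_role: str
    target: str
    role: str


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None to skip it."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or not TIMESTAMP_RE.match(parts[0]):
        return None
    fields = dict(KV_RE.findall(parts[1]))
    if "action" not in fields:
        return None
    fields["timestamp"] = parts[0]
    return fields


def find_suspicious_creations(log_text: str, privileged=PRIVILEGED_ROLES) -> list:
    """Flag create_user events that grant a privileged role from an actor
    whose own role is not privileged. Admin-creates-admin is not flagged;
    that is the legitimate path and belongs in routine review instead."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event.get("action") != "create_user":
            continue
        granted = event.get("role", "")
        actor_role = event.get("actor_role", "")
        if granted in privileged and actor_role not in privileged:
            alerts.append(Alert(event["timestamp"], event.get("actor", "?"),
                                actor_role, event.get("target", "?"), granted))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_creations(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.actor_role} {alert.actor!r} "
              f"created {alert.target!r} with role {alert.role!r}")
```

Malformed lines are skipped rather than raising, so one odd line does not abort a scan over a large log; a corresponding check against the user store itself (any admin account whose recorded creator is not an admin) is the natural second signal if the log has gaps.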
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Formwork CMS to version 2.3.4 or later, where the vulnerability has been fixed by enforcing proper role assignment checks during user creation.
Until the upgrade can be applied, restrict user permissions to prevent editor role users from creating new accounts or assigning roles.
Additionally, review and monitor user account creation activities to detect and respond to any unauthorized privilege escalations.
If possible, temporarily disable user creation functionality for non-administrative users.