CVE-2026-29789
Status: Received - Intake
Authorization Bypass in Vito Allows Cross-Project Site Management

Publication date: 2026-03-06

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: vitodeploy
Product: vito
Version / Range: all versions before 3.20.3 (3.20.3 excluded)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-29789 is an authorization-bypass vulnerability (CWE-862) in Vito, a self-hosted web application that manages servers and deploys PHP applications. Prior to version 3.20.3, the workflow site-creation actions do not check that the target server belongs to the project in which the workflow runs. An authenticated user with workflow write access in one project can therefore create and manage sites on servers owned by other projects simply by supplying a foreign server_id in the workflow inputs.

Technically, workflow execution trusts the server_id carried in the workflow payload and runs the site-creation action without verifying that the user, or the project the workflow belongs to, has rights to the target server. Resolving the server by its global identifier rather than within the caller's project scope is what turns an ordinary write permission into a cross-project action.
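The following model shows the shape of the flaw and of its fix. It is an added example written for this page, not code from the Vito project: the Server and WorkflowContext classes, the create_site_* functions and the two-project inventory are assumptions chosen to illustrate the CWE-862 pattern. The vulnerable action accepts any existing server_id from the workflow payload; the fixed one only resolves servers inside the project the workflow belongs to.

```python
"""Model of the missing-authorization pattern behind CVE-2026-29789.

Added example, not Vito's code: the Server / WorkflowContext classes, the
create_site_* functions and the inventory are assumptions chosen to show
the CWE-862 shape of the bug. The vulnerable action accepts any existing
server_id from the workflow payload; the fixed one resolves the server
inside the project the workflow belongs to.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the target server is outside the caller's project."""


@dataclass
class Server:
    server_id: int
    project_id: int
    sites: list = field(default_factory=list)


@dataclass
class WorkflowContext:
    """The user running the workflow and the project the workflow was defined in."""
    user: str
    project_id: int


def make_inventory() -> dict:
    """Constructed inventory: project 1 owns server 101, project 2 owns server 202."""
    return {
        101: Server(server_id=101, project_id=1),
        202: Server(server_id=202, project_id=2),
    }


def create_site_vulnerable(servers: dict, ctx: WorkflowContext, payload: dict) -> Server:
    """Pre-3.20.3 shape: the server_id from the payload is trusted as-is.

    The only condition is that the server exists; nothing ties it to
    ctx.project_id, so workflow write access in project 1 reaches project 2.
    """
    server = servers[payload["server_id"]]
    server.sites.append(payload["domain"])
    return server


def create_site_fixed(servers: dict, ctx: WorkflowContext, payload: dict) -> Server:
    """Hardened shape: the server must belong to the workflow's own project."""
    server = servers.get(payload["server_id"])
    # "Not found" and "not in your project" are reported identically, so the
    # response does not confirm that a server_id exists in another project.
    if server is None or server.project_id != ctx.project_id:
        raise AuthorizationError(
            f"server {payload['server_id']} is not in project {ctx.project_id}"
        )
    server.sites.append(payload["domain"])
    return server


def demo() -> dict:
    """Send the same cross-project payload through both versions."""
    servers = make_inventory()
    attacker = WorkflowContext(user="mallory", project_id=1)
    payload = {"server_id": 202, "domain": "evil.example"}  # server of project 2

    create_site_vulnerable(servers, attacker, payload)
    landed = payload["domain"] in servers[202].sites

    blocked = False
    try:
        create_site_fixed(servers, attacker, payload)
    except AuthorizationError:
        blocked = True
    return {"vulnerable_added_site": landed, "fixed_blocked": blocked}


if __name__ == "__main__":
    print(demo())  # {'vulnerable_added_site': True, 'fixed_blocked': True}
```

The design point is in create_site_fixed: ownership is checked against the project the workflow was defined in, not against anything the payload claims, and an unknown server and a foreign server produce the same error so the endpoint cannot be used to enumerate other projects' server_ids.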

Impact Analysis

This vulnerability lets an attacker with limited privileges in one project act across project boundaries by creating sites on servers they neither own nor manage. Because site creation drives deployment and installation jobs, the attacker can trigger those jobs on the unauthorized servers, change remote server configuration, and potentially run deployment-related commands there.

The impact is therefore primarily on the integrity of victim servers, with possible confidentiality exposure (the attacker can manage sites on hosts they should not be able to reach) and availability risk for the affected infrastructure.


Detection Guidance

This vulnerability involves unauthorized creation and management of sites on servers belonging to other projects by exploiting missing authorization checks in workflow site-creation actions. Detection would involve monitoring for unexpected workflow executions that create sites linked to foreign server_ids or unusual deployment jobs triggered on servers from other projects.

Since the vulnerability is exploited via workflows that use the handler App\WorkflowActions\Site\CreateLoadBalancerSite with inputs specifying server_ids outside the attacker's project, detection can focus on auditing workflow creation and execution logs for such suspicious activity.

Specific commands are not provided in the available resources. However, general detection steps could include:

- Review workflow execution logs for actions invoking site creation with server_ids not belonging to the project.
- Audit SSH connection logs on servers for unexpected configuration or deployment jobs triggered remotely.
- Check for creation of new site records linked to servers outside the expected project scope. [2]
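The first and third checks above can be automated once workflow execution logs and a project-to-server inventory are available. The script below is an added example, not a Vito tool or log format: it assumes the logs can be exported as one JSON object per line carrying ts, project_id, user, action (the handler class) and inputs, and that an inventory of which project owns which server can be exported alongside. The log layout, the CreateSite handler name and the sample records are constructed for the example; CreateLoadBalancerSite is the handler named in the advisory text. It flags any site-creation action whose target server_ids are not owned by the project the workflow ran in.

```python
"""Added detection example for the guidance above (not from the Vito project).

Assumptions: workflow execution logs can be exported as one JSON object per
line with ts, project_id, user, action (the handler class) and inputs, and
the project-to-server inventory is exportable. The log layout, the
CreateSite handler name and the sample records are constructed for the
example; CreateLoadBalancerSite is the handler named in the advisory text.
"""
import json

# Handlers treated as "site creation"; CreateSite is an assumed name.
SITE_CREATION_HANDLERS = {
    "App\\WorkflowActions\\Site\\CreateLoadBalancerSite",
    "App\\WorkflowActions\\Site\\CreateSite",
}

# Constructed inventory: project -> owned server_ids.
PROJECT_SERVERS = {1: {101, 102}, 2: {202}}

# Constructed log records. The third line is the cross-project case: a
# project-1 workflow adds project-2's server 202 to a load-balancer site.
# The fourth line targets a foreign server through a non-site handler and
# is only caught when the ownership test is widened to all actions.
SAMPLE_LOG = r"""
{"ts":"2026-03-05T10:00:00Z","project_id":1,"user":"alice","action":"App\\WorkflowActions\\Site\\CreateLoadBalancerSite","inputs":{"server_ids":[101,102],"domain":"lb.example"}}
{"ts":"2026-03-05T10:05:00Z","project_id":2,"user":"bob","action":"App\\WorkflowActions\\Site\\CreateSite","inputs":{"server_id":202,"domain":"shop.example"}}
{"ts":"2026-03-05T10:09:00Z","project_id":1,"user":"mallory","action":"App\\WorkflowActions\\Site\\CreateLoadBalancerSite","inputs":{"server_ids":[101,202],"domain":"evil.example"}}
{"ts":"2026-03-05T10:10:00Z","project_id":1,"user":"alice","action":"App\\WorkflowActions\\Server\\Reboot","inputs":{"server_id":202}}
"""


def target_servers(inputs: dict) -> set:
    """Collect every server the action targets, in singular or list form."""
    ids = set()
    if "server_id" in inputs:
        ids.add(inputs["server_id"])
    ids.update(inputs.get("server_ids", []))
    return ids


def find_cross_project_actions(log_text: str, project_servers: dict,
                               handlers=SITE_CREATION_HANDLERS) -> list:
    """Return records whose targets include servers outside the workflow's project.

    handlers=None widens the ownership test from site creation to every
    logged action, which is the safer sweep when the full set of affected
    handlers is not known.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if handlers is not None and rec["action"] not in handlers:
            continue
        owned = project_servers.get(rec["project_id"], set())
        foreign = target_servers(rec["inputs"]) - owned
        if foreign:
            findings.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "project_id": rec["project_id"],
                "action": rec["action"].rsplit("\\", 1)[-1],
                "foreign_server_ids": sorted(foreign),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_project_actions(SAMPLE_LOG, PROJECT_SERVERS):
        print(finding)
```

Run against the sample it reports only mallory's record (foreign server 202); with handlers=None it also reports alice's reboot of a foreign server, which is the kind of broader sweep worth running once, since the advisory describes site creation but a retrospective audit should not assume that was the only path tried.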

Mitigation Strategies

The primary mitigation step is to upgrade the Vito application to version 3.20.3 or later, where the missing authorization check in workflow site-creation actions has been fixed.

Until the upgrade is applied, restrict workflow write access to trusted users only, and do so in every project rather than only in sensitive ones: because the missing check is on the target-server side of the action, write access in any single project is enough to reach servers in all of them.

Additionally, monitor and audit workflow site creation activities and server deployment jobs to detect any unauthorized actions.
