CVE-2026-29789
Authorization Bypass in Vito Allows Cross-Project Site Management
Publication date: 2026-03-06
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vitodeploy | vito | < 3.20.3 (3.20.3 is the fixed release) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29789 is an authorization-bypass vulnerability (CWE-862, missing authorization) in Vito, a web application for managing servers and deploying PHP applications. Before version 3.20.3, the workflow site-creation actions did not check that the caller is allowed to act on the target server. An authenticated user with workflow write access in one project can therefore create and manage sites on servers that belong to other projects simply by supplying a foreign server_id in the workflow payload.
Technically, the workflow executor trusts the server_id taken from the workflow payload and runs the site-creation action without verifying that the server belongs to the project the workflow runs in, or that the user has any access to that server or project. Because the lookup is global rather than scoped to the caller's project, the only thing standing between the attacker and another project's server is guessing or enumerating its id.
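The pattern behind the flaw, and the scoped lookup that closes it, as an added illustration that is not Vito's code: the dataclasses, the in-memory project and server tables, and the function names are hypothetical stand-ins for a workflow action that creates a site on a server. The vulnerable variant checks that the caller can write workflows in their own project and then resolves the payload's server_id against every server in the system; the fixed variant resolves it only among the servers of that project.

```python
"""Missing-authorization pattern behind CVE-2026-29789, modelled in Python.

Added example, not Vito's code: all names and data here are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    id: int
    project_id: int


@dataclass
class Project:
    id: int
    members: set = field(default_factory=set)  # user ids with workflow write access


@dataclass
class Site:
    server_id: int
    domain: str


class Forbidden(Exception):
    pass


# Constructed sample data: two projects, one server each, one member per project.
SERVERS = {1: Server(id=1, project_id=10), 2: Server(id=2, project_id=20)}
PROJECTS = {10: Project(id=10, members={"alice"}), 20: Project(id=20, members={"bob"})}


def create_site_unscoped(user: str, project_id: int, payload: dict) -> Site:
    """Vulnerable pattern: server_id from the payload is resolved globally.

    The caller must be a member of `project_id`, but nothing ties the chosen
    server to that project, so a server_id from another project is accepted.
    """
    if user not in PROJECTS[project_id].members:
        raise Forbidden("no workflow write access to this project")
    server = SERVERS[payload["server_id"]]  # global lookup, no project scope
    return Site(server_id=server.id, domain=payload["domain"])


def create_site_scoped(user: str, project_id: int, payload: dict) -> Site:
    """Fixed pattern: the server is resolved only within the caller's project."""
    project = PROJECTS[project_id]
    if user not in project.members:
        raise Forbidden("no workflow write access to this project")
    server = SERVERS.get(payload["server_id"])
    # The authorization check that was missing: the server must belong to the
    # project the workflow runs in; anything else is treated as not found.
    if server is None or server.project_id != project.id:
        raise Forbidden(f"server {payload['server_id']} is not in project {project.id}")
    return Site(server_id=server.id, domain=payload["domain"])


def demo() -> dict:
    """Send a cross-project payload through both variants and report the outcome."""
    # alice is in project 10; server 2 belongs to project 20.
    payload = {"server_id": 2, "domain": "attacker.example"}
    result = {"unscoped": create_site_unscoped("alice", 10, payload).server_id}
    try:
        create_site_scoped("alice", 10, payload)
        result["scoped"] = "allowed"
    except Forbidden:
        result["scoped"] = "denied"
    return result


if __name__ == "__main__":
    print(demo())  # {'unscoped': 2, 'scoped': 'denied'}
```

Scoping the lookup (rather than adding a separate "is this server in my project" check after a global fetch) is the safer shape: a server outside the project is indistinguishable from a non-existent one, so the endpoint does not leak which ids exist in other projects.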
How can this vulnerability impact me?
An attacker with limited privileges in one project can escalate across project boundaries by creating sites on servers they neither own nor manage. Creating a site triggers deployment and installation jobs on the foreign server, so the attacker can change that server's configuration and, through the deployment pipeline, cause deployment-related commands to run on it.
The impact is primarily to the integrity of the victim project's servers (unauthorized configuration and site changes), with knock-on confidentiality and availability effects on the affected infrastructure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized creation and management of sites on servers belonging to other projects by exploiting missing authorization checks in workflow site-creation actions. Detection therefore centres on unexpected workflow executions that create sites against foreign server_ids, and on deployment jobs that appear on a server without a matching action in that server's own project.
Since the vulnerability is exploited via workflows that use the handler App\WorkflowActions\Site\CreateLoadBalancerSite with inputs specifying server_ids outside the attacker's project, detection can focus on auditing workflow creation and execution records for exactly that mismatch.
Specific commands are not provided in the available resources. General detection steps include:
- Review workflow execution logs for site-creation actions whose server_id does not belong to the project the workflow runs in.
- Audit SSH connection logs on servers for configuration or deployment jobs that no user of that server's project initiated.
- Check for new site records linked to servers outside the expected project scope. [2]
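The first and third checks above, run over a small constructed set of workflow execution records, as an added example that is not part of the advisory: the JSON-lines layout, the field names, the run ids and the server inventory are all constructed for illustration, so map them onto whatever your Vito deployment actually records. The sweep flags every site-namespace action whose server_id belongs to a different project than the workflow, or to no known server at all.

```python
"""Sweep workflow execution records for cross-project site actions.

Added example, not from the advisory or the project: the record layout,
field names and inventory below are constructed for illustration.
"""
import json

# Constructed inventory: which project each server belongs to.
SERVER_PROJECT = {"srv-1": "proj-A", "srv-2": "proj-B", "srv-3": "proj-B"}

# Constructed workflow execution records, one JSON object per line.
# Run 102 is the attack: alice (proj-A) targets srv-2, which is proj-B's server.
WORKFLOW_LOG = r"""
{"run_id": 101, "project_id": "proj-A", "user": "alice", "handler": "App\\WorkflowActions\\Site\\CreateLoadBalancerSite", "inputs": {"server_id": "srv-1", "domain": "lb.a.example"}}
{"run_id": 102, "project_id": "proj-A", "user": "alice", "handler": "App\\WorkflowActions\\Site\\CreateLoadBalancerSite", "inputs": {"server_id": "srv-2", "domain": "lb.a.example"}}
{"run_id": 103, "project_id": "proj-B", "user": "bob", "handler": "App\\WorkflowActions\\Site\\CreateLoadBalancerSite", "inputs": {"server_id": "srv-3", "domain": "lb.b.example"}}
{"run_id": 104, "project_id": "proj-A", "user": "alice", "handler": "App\\WorkflowActions\\Server\\Reboot", "inputs": {"server_id": "srv-2"}}
{"run_id": 105, "project_id": "proj-A", "user": "alice", "handler": "App\\WorkflowActions\\Site\\CreateLoadBalancerSite", "inputs": {"server_id": "srv-9", "domain": "lb.a.example"}}
"""

# Handler namespace named in the advisory; the Python literal holds single backslashes.
SITE_ACTION_PREFIX = "App\\WorkflowActions\\Site\\"


def find_cross_project_actions(log_text: str, server_project: dict,
                               handler_prefix: str = SITE_ACTION_PREFIX) -> list:
    """Return records whose server_id lies outside the workflow's own project.

    Only handlers starting with `handler_prefix` are examined; pass "" to
    examine every action that carries a server_id.
    """
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not rec["handler"].startswith(handler_prefix):
            continue
        server_id = rec.get("inputs", {}).get("server_id")
        if server_id is None:
            continue
        owner = server_project.get(server_id)  # None: server not in inventory
        if owner != rec["project_id"]:
            findings.append({
                "run_id": rec["run_id"],
                "user": rec["user"],
                "project_id": rec["project_id"],
                "handler": rec["handler"],
                "server_id": server_id,
                "server_project": owner,
            })
    return findings


if __name__ == "__main__":
    for hit in find_cross_project_actions(WORKFLOW_LOG, SERVER_PROJECT):
        print(f"run {hit['run_id']}: {hit['user']} in {hit['project_id']} targeted "
              f"{hit['server_id']} (owner: {hit['server_project']}) via {hit['handler']}")
```

Running it flags run 102 (server owned by proj-B) and run 105 (server not in the inventory, which is worth a look on its own); run 103 is a legitimate in-project creation and run 104 is skipped because it is not a site action. Dropping the prefix (`handler_prefix=""`) also surfaces run 104, which is a reasonable broadening if you want every cross-project server_id rather than only the ones the advisory names.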
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Vito to version 3.20.3 or later, which adds the missing authorization check to the workflow site-creation actions.
Until the upgrade is applied, restrict workflow write access to trusted users only; the vulnerability requires an authenticated user who already holds workflow write privileges in some project, so every such grant is an opportunity to reach other projects' servers.
Additionally, monitor and audit workflow site-creation activity and server deployment jobs, comparing the server_id in each action against the project it belongs to, so that any cross-project use is detected promptly.