CVE-2026-31836
Mass Assignment Vulnerability in Checkmate Allows Privilege Escalation
Publication date: 2026-03-20
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bluewavelabs | checkmate | up to and including 3.5.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31836 is a mass assignment vulnerability in Checkmate affecting versions up to and including 3.5.1. It occurs in the user profile update endpoint: a schema validation is performed and strips fields the user is not allowed to set, such as `role`, but the handler then ignores the validated result and writes the raw request body to the user record instead. Because the stripping happens in a value that is never used, the check is effectively a no-op.
As a result, any authenticated user can set their own `role` to `superadmin` with a crafted PATCH request and gain every permission that role carries, bypassing the application's role-based access controls without any user interaction.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to gain complete administrative control over the Checkmate application.
- View all users in the system
- Modify critical configurations
- Access sensitive system data
Since the attacker only needs a valid low-privilege authenticated account and no user interaction, the risk of exploitation is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for PATCH requests to the endpoint `/api/v1/auth/user` whose body includes the `role` field, which the profile update schema should normally strip.
A practical detection method is to inspect application logs or captured traffic for authenticated users sending PATCH requests with a JSON body containing `"role":"superadmin"` (or any other role value they are not entitled to set).
Example command using curl to test whether an instance is vulnerable (requires the credentials of a valid low-privilege user; run it only against systems you are authorized to test):
```bash
curl -X PATCH https://your-checkmate-server/api/v1/auth/user \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"role":"superadmin"}'
```
If the response shows the role as updated, or the account subsequently has superadmin privileges, the instance is vulnerable. [1]
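The log-based detection described above, as an added example (not Checkmate's code): it scans access-log lines for PATCH or PUT requests to `/api/v1/auth/user` whose body carries a `role` field. The log format (one JSON object per line with `time`, `method`, `path`, `user` and either a parsed or a raw-string `body`) and the sample lines are constructed assumptions; adapt the field names to your proxy or application logger.

```javascript
// Constructed sample log lines (not real Checkmate output). Some loggers
// record the parsed body as an object, others as a raw JSON string; both
// shapes are handled below.
const SAMPLE_LOG = [
  '{"time":"2026-03-21T10:00:01Z","method":"GET","path":"/api/v1/auth/user","user":"alice","status":200}',
  '{"time":"2026-03-21T10:02:11Z","method":"PATCH","path":"/api/v1/auth/user","user":"alice","status":200,"body":{"firstName":"Alice"}}',
  '{"time":"2026-03-21T10:05:42Z","method":"PATCH","path":"/api/v1/auth/user","user":"mallory","status":200,"body":{"firstName":"M","role":"superadmin"}}',
  'this line is not JSON and must be skipped, not crash the scanner',
  '{"time":"2026-03-21T10:07:03Z","method":"PUT","path":"/api/v1/auth/user/42","user":"bob","status":200,"body":"{\\"role\\":\\"admin\\"}"}',
  '{"time":"2026-03-21T10:08:15Z","method":"PATCH","path":"/api/v1/monitors/7","user":"alice","status":200,"body":{"role":"ignored-other-endpoint"}}',
];

// Parse one log line; malformed lines yield null instead of throwing.
function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null;
  }
}

// Only profile-update requests on the auth/user route are of interest.
function isProfileUpdate(entry) {
  return (entry.method === "PATCH" || entry.method === "PUT") &&
    typeof entry.path === "string" &&
    entry.path.startsWith("/api/v1/auth/user");
}

// Normalise the logged body to an object, whether it was logged parsed or raw.
function bodyAsObject(body) {
  if (typeof body === "string") {
    try {
      body = JSON.parse(body);
    } catch {
      return null;
    }
  }
  return body && typeof body === "object" ? body : null;
}

// Return one hit per profile-update request whose body contains a role field.
function findRoleTampering(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry || !isProfileUpdate(entry)) continue;
    const body = bodyAsObject(entry.body);
    if (!body || !Object.prototype.hasOwnProperty.call(body, "role")) continue;
    hits.push({ time: entry.time, user: entry.user, path: entry.path, role: body.role });
  }
  return hits;
}

// Stand-alone run: prints the two suspicious requests from the sample.
console.log(JSON.stringify(findRoleTampering(SAMPLE_LOG), null, 2));
```

Any hit is worth investigating: after the fix, a `role` key in a profile update is simply stripped, so its presence still shows that a caller tried to escalate; before the fix, a hit with status 200 means the escalation likely succeeded and the account's current role should be checked directly.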
What immediate steps should I take to mitigate this vulnerability?
Until a fixed release is deployed, immediate mitigation steps include:
- Restrict access to the Checkmate application to trusted users only, minimizing the number of authenticated users.
- Monitor and log all PATCH requests to `/api/v1/auth/user` endpoint, especially those attempting to modify the `role` field.
- Add a WAF or API-gateway rule that inspects JSON request bodies and blocks or alerts on profile-update requests containing the `role` field (a plain network firewall cannot see the field and is not sufficient).
- Consider temporarily disabling user profile updates if feasible until a patch or fix is released.
Long term, update the application code so that the update handler persists only the validated value returned by the schema (with unknown keys stripped) and never the raw request body, and reject or ignore any field the caller is not authorized to set; keeping role changes on a separate, admin-only endpoint removes the field from the profile schema entirely.
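The bug class described in the explanation above (validation runs but its stripped result is discarded) and the fix recommended here, as an added example that is not Checkmate's code: a minimal Express-style profile-update handler in its vulnerable and its fixed form. The schema fields, the in-memory store and the request shape are assumptions made for illustration.

```javascript
// Fields a user may change on their own profile (assumed schema, not Checkmate's).
const PROFILE_SCHEMA = new Set(["firstName", "lastName", "profileImage"]);

// Mimics a schema validator configured to strip unknown keys: returns
// { value } containing only allowed, well-typed fields, or { error }.
function validateProfileUpdate(body) {
  if (!body || typeof body !== "object") return { error: "body must be an object" };
  const value = {};
  for (const key of PROFILE_SCHEMA) {
    if (key in body) {
      if (typeof body[key] !== "string") return { error: `invalid ${key}` };
      value[key] = body[key];
    }
  }
  return { value };
}

// In-memory user store standing in for the database.
function makeStore() {
  return new Map([["u1", { id: "u1", role: "user", firstName: "Ann" }]]);
}

// Vulnerable: validation runs, but the raw body is what gets persisted,
// so the stripped "role" field reaches the record anyway.
function updateUserVulnerable(store, req) {
  const { error } = validateProfileUpdate(req.body);
  if (error) return { status: 400, body: { error } };
  const user = store.get(req.user.id);
  Object.assign(user, req.body); // BUG: ignores the validated value
  return { status: 200, body: user };
}

// Fixed: only the validated value (unknown keys already stripped) is persisted.
function updateUserFixed(store, req) {
  const { error, value } = validateProfileUpdate(req.body);
  if (error) return { status: 400, body: { error } };
  const user = store.get(req.user.id);
  Object.assign(user, value);
  return { status: 200, body: user };
}

// Replays the crafted request from the advisory against both handlers:
// a low-privilege user PATCHes their own profile with role=superadmin.
function demo() {
  const req = { user: { id: "u1" }, body: { firstName: "Ann", role: "superadmin" } };
  const vulnStore = makeStore();
  const fixedStore = makeStore();
  updateUserVulnerable(vulnStore, req);
  updateUserFixed(fixedStore, req);
  return {
    vulnerableRole: vulnStore.get("u1").role, // "superadmin"
    fixedRole: fixedStore.get("u1").role,     // "user"
  };
}

console.log(JSON.stringify(demo()));
```

The two handlers differ by a single identifier in the `Object.assign` call, which is why this bug survives review so easily: the validation code is present and correct, and only the data flow from it is wrong. A regression test that PATCHes a `role` field and asserts the stored role is unchanged catches the reintroduction of either variant.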