CVE-2026-33549
Privilege Escalation in SPIP Author Editing via STATUT Mishandling
Publication date: 2026-03-22
Last updated on: 2026-04-17
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spip | spip | From 4.4.10 (inc) to 4.4.13 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-688 | The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
SPIP versions from 4.4.10 up to but not including 4.4.13 (that is, 4.4.10 through 4.4.12) can assign administrator privileges unintentionally while an author record is being edited. The cause is improper handling of the author's status field (STATUT): accounts that should remain editors (rédacteurs) or visitors (visiteurs) can end up promoted to administrator. [2]
How can this vulnerability impact me?
It allows elevation of privilege inside your SPIP content management system: accounts that should hold a limited role, such as editor or visitor, can be promoted to administrator without the authorization that normally gates that change. An account holding administrator status reaches every administrative function of the site, so the security and integrity of the website and its configuration are at stake.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unintended privilege assignment while author data is edited in SPIP versions 4.4.10 through 4.4.12. Detection therefore centres on unauthorized administrator assignments, in particular promotions of non-administrator accounts such as rédacteurs (editors) or visiteurs (visitors) to the administrator role.
It is recommended to verify the list of administrators in the SPIP backend to detect any unexpected privilege escalations.
No specific network or system commands are provided in the available resources to detect this vulnerability automatically. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update SPIP to version 4.4.13 or later, which contains the fix for this vulnerability.
The update can be performed using the spip_loader tool (version 6.2.1), a phar script available at https://get.spip.net/.
After updating, it is recommended to review the list of administrators in the backend to identify and correct any unintended privilege promotions that may have occurred before the update.
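The detection answer above and the post-update review step describe the same check: list the accounts that currently hold SPIP's administrator status and compare them with a known-good list. The script below is an added example, not code from SPIP or from this advisory. It runs that query against an in-memory SQLite copy of spip_auteurs filled with constructed rows; the column names and the statut values ('0minirezo' administrator, '1comite' rédacteur, '6forum' visiteur, '5poubelle' deleted) are SPIP's own, while the baseline of expected admin logins and the optional `since` cut-off are assumptions you supply for your site. On a live installation, run ADMIN_QUERY against the production database instead (the `spip_` table prefix is SPIP's default and may differ).

```python
"""Added example: find unexpected SPIP administrators in spip_auteurs.

Not code from SPIP or from this advisory. Column names (id_auteur, nom,
login, statut, webmestre, maj) follow SPIP's spip_auteurs table and the
statut values are SPIP's own:
    '0minirezo'  administrator
    '1comite'    editor (redacteur)
    '6forum'     visitor (visiteur)
    '5poubelle'  deleted account
The rows in SAMPLE_AUTHORS are constructed for this example only.
"""
import sqlite3

# The query to run against the live site's database (MySQL, PostgreSQL or
# SQLite). 'spip_' is SPIP's default table prefix; adjust if yours differs.
ADMIN_QUERY = """
SELECT id_auteur, nom, login, statut, webmestre, maj
FROM spip_auteurs
WHERE statut = '0minirezo'
ORDER BY id_auteur
"""

# Constructed sample data: carol was an editor and now holds admin status.
SAMPLE_AUTHORS = [
    (1, "Alice", "alice", "0minirezo", "oui", "2026-01-10 09:00:00"),
    (2, "Bob",   "bob",   "1comite",   "non", "2026-01-12 09:00:00"),
    (3, "Carol", "carol", "0minirezo", "non", "2026-03-30 14:12:05"),
    (4, "Dave",  "dave",  "6forum",    "non", "2026-02-01 10:00:00"),
    (5, "Eve",   "eve",   "5poubelle", "non", "2026-02-20 08:00:00"),
]


def build_sample_db():
    """Create an in-memory SQLite copy of spip_auteurs with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE spip_auteurs ("
        " id_auteur INTEGER PRIMARY KEY, nom TEXT, login TEXT,"
        " statut TEXT, webmestre TEXT, maj TEXT)"
    )
    conn.executemany(
        "INSERT INTO spip_auteurs VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_AUTHORS
    )
    conn.commit()
    return conn


def list_admins(conn):
    """Return every account currently holding administrator status."""
    cur = conn.execute(ADMIN_QUERY)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def unexpected_admins(conn, expected_logins, since=None):
    """Admins whose login is not in the known-good baseline.

    `since` ('YYYY-MM-DD HH:MM:SS') optionally keeps only rows whose `maj`
    timestamp is at or after that point, e.g. when 4.4.10 was installed.
    `maj` is rewritten on every save of the row, so it only approximates
    when the promotion happened; treat it as a filter, not as proof.
    """
    expected = {login.lower() for login in expected_logins}
    findings = []
    for row in list_admins(conn):
        if row["login"].lower() in expected:
            continue
        if since is not None and row["maj"] < since:
            continue
        findings.append(row)
    return findings


def demote_to_editor(conn, id_auteur):
    """Revert an unintended promotion by setting the account back to editor.

    Returns the number of rows changed (0 if the account was not an admin).
    The pre-promotion status is not stored anywhere, so editor is a guess;
    confirm the account's history before relying on it.
    """
    cur = conn.execute(
        "UPDATE spip_auteurs SET statut = '1comite', webmestre = 'non'"
        " WHERE id_auteur = ? AND statut = '0minirezo'",
        (id_auteur,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for hit in unexpected_admins(db, expected_logins=["alice"]):
        print(f"unexpected admin: id={hit['id_auteur']} login={hit['login']} "
              f"webmestre={hit['webmestre']} last_modified={hit['maj']}")
```

The baseline comparison is deliberate: the vulnerable code path promotes an existing account rather than creating one, so a bare count of administrators can stay plausible while membership has changed. Keep a dated export of the admin list from before 4.4.10 was installed and diff against it; the `maj` filter only narrows the candidates.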