Executive Summary

CVE-2026-29002 is a privilege escalation vulnerability in CouchCMS that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation HTTP requests.

Normally, the application restricts the creation of SuperAdmin accounts to prevent unauthorized privilege escalation. However, by modifying the f_k_levels_list parameter value from 4 (normal Admin) to 10 (SuperAdmin) in the HTTP request body, an attacker can bypass these restrictions and gain full application control.

This vulnerability arises due to improper authorization validation and is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated Admin user to escalate their privileges to SuperAdmin by manipulating the user creation request.

• By creating SuperAdmin accounts, attackers gain full control over the CouchCMS application.
• This full control includes the ability to modify, delete, or access any data within the application.
• It compromises the security model of the application, potentially leading to data breaches, unauthorized changes, and disruption of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests related to user creation in CouchCMS. Specifically, look for requests where the parameter `f_k_levels_list` is set to a value of 10, which indicates an attempt to create a SuperAdmin account by tampering.

To detect exploitation attempts, you can capture and inspect HTTP traffic using tools like Burp Suite or network packet analyzers such as Wireshark.

Example commands or approaches include:

• Use a network packet capture tool (e.g., tcpdump) to capture HTTP POST requests to the user creation endpoint:
• tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'f_k_levels_list=10'
• Alternatively, use a web application firewall (WAF) or intrusion detection system (IDS) to alert on HTTP requests containing `f_k_levels_list=10` in the request body.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Restrict Admin-level user permissions to prevent unauthorized creation or modification of user roles.
• Implement input validation and authorization checks on the server side to ensure the `f_k_levels_list` parameter cannot be tampered with to escalate privileges.
• Monitor and audit user creation requests for suspicious parameter values, especially `f_k_levels_list=10`.
• Apply any available patches or updates from CouchCMS that address this vulnerability.
• If patching is not immediately possible, consider temporarily disabling Admin-level user creation or restricting access to trusted personnel only.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated Admin user to escalate privileges to SuperAdmin by bypassing authorization controls, resulting in full application control. Such unauthorized privilege escalation can lead to unauthorized access, modification, or deletion of sensitive data.

Because the vulnerability impacts confidentiality, integrity, and availability of data within CouchCMS, it can negatively affect compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Organizations using CouchCMS without mitigating this vulnerability may face increased risk of data breaches or unauthorized data manipulation, potentially leading to non-compliance with these regulations.

Useful 0 Not Useful 0