CVE-2026-30269
Received Received - Intake
Improper Access Control in Doorman Enables Role Escalation

Publication date: 2026-04-20

Last updated on: 2026-04-27

Assigner: MITRE

Description
Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30269
EUVD
EUVD-2026-23902
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
doorman doorman 0.1.0
doorman doorman 1.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30269 is an improper access control vulnerability in Doorman versions 0.1.0 and 1.0.2. It allows any authenticated user to update their own account role to a higher privileged non-admin role via the /platform/user/{username} endpoint. This happens because the system accepts the 'role' field in the update request without verifying if the user has the required manage_users permission for self-updates, enabling privilege escalation.

The root cause is that the backend code permits self-updates without checking for manage_users permission and directly persists any non-null fields including the role, allowing users to elevate their privileges.

Impact Analysis

This vulnerability can allow a low-privileged authenticated user to escalate their privileges to a higher privileged non-admin role without proper authorization.

As a result, an attacker could gain access to features or data that should be restricted, potentially compromising the security and integrity of the system.

Detection Guidance

This vulnerability can be detected by attempting to update the role of an authenticated user via the PUT /platform/user/{username} endpoint without having the manage_users permission.

A minimal proof of concept involves sending a PUT request with an Authorization Bearer token and a JSON body specifying a higher privileged non-admin role.

For example, you can use the following curl command to test if the vulnerability exists:

  • curl -X PUT https://your-doorman-instance/platform/user/alice -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"role": "high_privileged_role"}'

If the role is updated successfully without the user having manage_users permission, the system is vulnerable.

Mitigation Strategies

Immediate mitigation involves applying the upstream fix that adds field-level authorization checks to prevent users from updating restricted fields such as role, groups, active, and username during self-updates unless they have the manage_users permission.

Specifically, update your Doorman installation to a version that includes the fix committed in commit 0c8791cca8501bb6be45b172db934ac72ac03c84 or later.

If an immediate upgrade is not possible, consider restricting access to the PUT /platform/user/{username} endpoint or monitoring and blocking suspicious requests attempting to change roles.

Review and enforce strict permission checks on user role updates to ensure only authorized users can perform such actions.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of CVE-2026-30269 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30269. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart