CVE-2026-30269
Improper Access Control in Doorman Enables Role Escalation
Publication date: 2026-04-20
Last updated on: 2026-04-27
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| doorman | doorman | 0.1.0 |
| doorman | doorman | 1.0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30269 is an improper access control vulnerability in Doorman versions 0.1.0 and 1.0.2. It allows any authenticated user to update their own account role to a higher privileged non-admin role via the /platform/user/{username} endpoint. This happens because the system accepts the 'role' field in the update request without verifying if the user has the required manage_users permission for self-updates, enabling privilege escalation.
The root cause is that the backend code permits self-updates without checking for manage_users permission and directly persists any non-null fields including the role, allowing users to elevate their privileges.
How can this vulnerability impact me? :
This vulnerability can allow a low-privileged authenticated user to escalate their privileges to a higher privileged non-admin role without proper authorization.
As a result, an attacker could gain access to features or data that should be restricted, potentially compromising the security and integrity of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to update the role of an authenticated user via the PUT /platform/user/{username} endpoint without having the manage_users permission.
A minimal proof of concept involves sending a PUT request with an Authorization Bearer token and a JSON body specifying a higher privileged non-admin role.
For example, you can use the following curl command to test if the vulnerability exists:
- curl -X PUT https://your-doorman-instance/platform/user/alice -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"role": "high_privileged_role"}'
If the role is updated successfully without the user having manage_users permission, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the upstream fix that adds field-level authorization checks to prevent users from updating restricted fields such as role, groups, active, and username during self-updates unless they have the manage_users permission.
Specifically, update your Doorman installation to a version that includes the fix committed in commit 0c8791cca8501bb6be45b172db934ac72ac03c84 or later.
If an immediate upgrade is not possible, consider restricting access to the PUT /platform/user/{username} endpoint or monitoring and blocking suspicious requests attempting to change roles.
Review and enforce strict permission checks on user role updates to ensure only authorized users can perform such actions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not explicitly discuss the impact of CVE-2026-30269 on compliance with common standards and regulations such as GDPR or HIPAA.