Executive Summary

CVE-2026-35182 is a high-severity privilege escalation vulnerability in BraveCMS versions prior to 2.0.6. It occurs because the POST route `/rights/update-role/{id}` in the application lacks an authorization check middleware called `checkUserPermissions:assign-user-roles`. This missing check allows any authenticated user, even those with low privileges, to change account roles and promote themselves to Super Admin.

An attacker can exploit this by intercepting a POST request to update a user role, modifying the role to Super Admin, and sending it without the system verifying if they have permission to do so. This flaw is due to CWE-862: Missing Authorization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with low privileges to remotely escalate their privileges to Super Admin without any user interaction. Once exploited, the attacker gains full control over the system, including the ability to read, modify, and delete data, manage users, and affect system availability.

The impact is severe as it compromises confidentiality, integrity, and availability of the system, potentially leading to data breaches, unauthorized data manipulation, and denial of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/rights/update-role/{id}` where the role_id parameter is changed to a higher privilege level such as Super Admin (role_id=4).

One way to detect exploitation attempts is to intercept and analyze HTTP POST requests to `/dashboard/users/rights/update-role/{id}` using a web proxy or network monitoring tool.

Suggested commands or methods include:

• Use a network packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, e.g., `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and look for POST requests to `/rights/update-role/`.
• Use a web application firewall (WAF) or intrusion detection system (IDS) to alert on POST requests to `/rights/update-role/{id}` with role_id parameters indicating privilege escalation.
• Review application logs for POST requests to `/rights/update-role/{id}` and check if any role changes were made by users without proper authorization.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade BraveCMS to version 2.0.6 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, apply the recommended patch by adding the missing authorization middleware `checkUserPermissions:assign-user-roles` to the POST route `/rights/update-role/{id}` in the routes/web.php file as follows:

• ```php Route::post('/rights/update-role/{id}', [UserRightsController::class, 'update_role']) ->name('update-role') ->middleware('checkUserPermissions:assign-user-roles'); ```

This ensures that only users with the appropriate permissions can assign roles, preventing unauthorized privilege escalation.

Additionally, review user roles and permissions to ensure no unauthorized privilege escalations have already occurred.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows any authenticated user to escalate their privileges to Super Admin, gaining full read, modification, and control over system data, users, content, and availability.

Such unauthorized privilege escalation can lead to unauthorized access and modification of sensitive data, which may result in violations of common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by failing to enforce proper authorization and exposing sensitive data to unauthorized users.

Useful 0 Not Useful 0