CVE-2026-5599
Status: Received - Intake
Privilege Escalation in Venueless API Allows Cross-World User Deletion

Publication date: 2026-04-05

Last updated on: 2026-04-05

Assigner: rami.io

Description
A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
Meta Information
Published: 2026-04-05
Last Modified: 2026-04-05
Generated: 2026-05-06
AI Q&A: 2026-04-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: venueless
Product: venueless
Version / Range: up to commit 02b9cbe5 (exclusive)
CWE
CWE-653: The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5599 is a high-severity vulnerability in the venueless platform that allows a user who has API access and the "manage users" permission in one venueless instance (referred to as a "world") to delete user accounts in other, separate venueless instances.

This means that a user with limited privileges in one instance can perform unauthorized deletion of user accounts across different instances, which poses a significant risk to data integrity.
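As an added illustration (not code from venueless or from this record), a minimal Python model of the cross-world deletion flaw classified as CWE-653: a per-world "manage users" permission, a vulnerable delete handler that looks the target up by account id alone, and a hardened handler that scopes the lookup to the caller's world. The world names, user ids and permission name are constructed assumptions.

```python
# Constructed model of the flaw, not venueless code. Worlds are isolated
# tenants and "manage_users" is granted per world. The vulnerable handler
# checks the permission but never checks which world the target lives in,
# so a manager in one world can delete an account in another.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    world: str
    permissions: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


def make_directory() -> dict:
    """Fresh constructed directory with two isolated worlds."""
    return {
        "alice": User("alice", "conf-a", {"manage_users"}),
        "bob": User("bob", "conf-a"),
        "carol": User("carol", "conf-b"),
    }


def delete_user_vulnerable(users: dict, caller_id: str, target_id: str) -> bool:
    """Flawed: permission is checked, world membership of the target is not.
    Returns True when an account was removed."""
    caller = users[caller_id]
    if "manage_users" not in caller.permissions:
        raise PermissionDenied(f"{caller_id} lacks manage_users")
    if target_id not in users:
        return False
    del users[target_id]          # succeeds even when target is in another world
    return True


def delete_user_scoped(users: dict, caller_id: str, target_id: str) -> bool:
    """Hardened: the target must exist in the caller's own world. Accounts in
    other worlds are treated as not found, so neither deletion nor an
    existence oracle crosses the world boundary."""
    caller = users[caller_id]
    if "manage_users" not in caller.permissions:
        raise PermissionDenied(f"{caller_id} lacks manage_users")
    target = users.get(target_id)
    if target is None or target.world != caller.world:
        return False              # other worlds are invisible to this caller
    del users[target_id]
    return True
```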


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or network indicators provided for this vulnerability in the available information.

Detection would likely involve auditing API access logs for unusual or unauthorized user deletion requests originating from users with "manage users" permission in one venueless instance affecting other instances.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves restricting the "manage users" permission to only trusted users to prevent unauthorized cross-instance user deletions.

Additionally, updating the venueless platform to a version including the patch after commit 02b9cbe5 will fix the issue.

No other workarounds are available.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized deletion of user accounts in venueless instances other than the one where the attacker has permissions.

  • Compromise of data integrity across multiple instances.
  • Potential high impact on the integrity and availability of user data in affected instances.
  • Since the attack can be performed remotely with low complexity and no user interaction, it poses a critical risk especially in multi-instance deployments.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a user with limited privileges in one venueless instance to delete user accounts in other instances without authorization. Such unauthorized deletion of user accounts compromises data integrity and availability across multiple instances.

Given the high impact on data integrity and availability, this vulnerability could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over user data protection, integrity, and availability.

Specifically, unauthorized deletion of user accounts may lead to violations of data protection principles, including data minimization, integrity, and availability, potentially resulting in non-compliance with regulatory requirements.

