CVE-2026-5599
Received Received - Intake
Privilege Escalation in Venueless API Allows Cross-World User Deletion

Publication date: 2026-04-05

Last updated on: 2026-04-05

Assigner: rami.io

Description
A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-05
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5599
EUVD
EUVD-2026-19085
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
venueless venueless to 02b9cbe5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-653 The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There are no specific detection commands or network indicators provided for this vulnerability in the available information.

Detection would likely involve auditing API access logs for unusual or unauthorized user deletion requests originating from users with "manage users" permission in one venueless instance affecting other instances.

Mitigation Strategies

Immediate mitigation involves restricting the "manage users" permission to only trusted users to prevent unauthorized cross-instance user deletions.

Additionally, updating the venueless platform to a version including the patch after commit 02b9cbe5 will fix the issue.

No other workarounds are available.

Executive Summary

CVE-2026-5599 is a high-severity vulnerability in the venueless platform that allows a user who has API access and the "manage users" permission in one venueless instance (referred to as a "world") to delete user accounts in other, separate venueless instances.

This means that a user with limited privileges in one instance can perform unauthorized deletion of user accounts across different instances, which poses a significant risk to data integrity.

Impact Analysis

The vulnerability can lead to unauthorized deletion of user accounts in venueless instances other than the one where the attacker has permissions.

  • Compromise of data integrity across multiple instances.
  • Potential high impact on the integrity and availability of user data in affected instances.
  • Since the attack can be performed remotely with low complexity and no user interaction, it poses a critical risk especially in multi-instance deployments.
Compliance Impact

This vulnerability allows a user with limited privileges in one venueless instance to delete user accounts in other instances without authorization. Such unauthorized deletion of user accounts compromises data integrity and availability across multiple instances.

Given the high impact on data integrity and availability, this vulnerability could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over user data protection, integrity, and availability.

Specifically, unauthorized deletion of user accounts may lead to violations of data protection principles, including data minimization, integrity, and availability, potentially resulting in non-compliance with regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5599. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart