CVE-2026-7142
Received Received - Intake
Improper Authorization in Wooey API Endpoint Allows Remote Exploit

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7142
EUVD
EUVD-2026-25893
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
wooey wooey to 0.13.3 (exc)
wooey wooey 0.13.3rc1
wooey wooey 0.14.0
wooey wooey to 0.13.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Wooey up to version 0.13.2 exists in the API endpoint function add_or_update_script. This function only checked if a user was authenticated but did not verify if the user had staff (administrator) privileges.

Because of this missing authorization check, any authenticated user could upload arbitrary Python scripts. These scripts would then be executed by Celery workers running under the Wooey service user, leading to a Remote Code Execution (RCE) vulnerability.

The vulnerability allows attackers to execute arbitrary code remotely by uploading malicious scripts, which can compromise the system running Wooey.

The issue was fixed by adding an explicit check for the is_staff attribute on the user object, ensuring only staff users can upload scripts. Unauthorized users now receive a 403 Forbidden JSON response.

Compliance Impact

The vulnerability in Wooey allows any authenticated user to upload arbitrary Python scripts, which are then executed by Celery workers, leading to a Remote Code Execution (RCE) risk. This broken access control could potentially lead to unauthorized access or manipulation of sensitive data or system resources.

Such unauthorized access and execution capabilities can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. The vulnerability could lead to data breaches or unauthorized data processing, violating these regulatory requirements.

The fix enforces staff-level authorization for script uploads, mitigating the risk by restricting this capability to administrators only, thereby helping to maintain compliance with security and data protection standards.

Impact Analysis

This vulnerability can have critical impacts because it allows any authenticated user to upload and execute arbitrary Python scripts on the server.

Since the scripts are executed by Celery workers running under the Wooey service user, an attacker can gain Remote Code Execution (RCE) with the privileges of that service user.

  • Execution of arbitrary commands on the server.
  • Potential access to sensitive files and database credentials.
  • Ability to establish reverse shells and move laterally within the network.
  • Compromise of the entire application environment due to read/write access of the service user.
Detection Guidance

This vulnerability involves unauthorized users being able to upload arbitrary Python scripts via the API endpoint `/api/scripts/v1/add-or-update/` without proper staff authorization.

To detect exploitation attempts or presence of this vulnerability on your system, you can monitor HTTP POST requests to the vulnerable API endpoint and check for unauthorized script uploads.

Suggested commands include using network monitoring or web server logs to identify POST requests to `/api/scripts/v1/add-or-update/` from non-staff users or unexpected sources.

  • Use `grep` on web server logs to find POST requests to the vulnerable endpoint, e.g.: `grep 'POST /api/scripts/v1/add-or-update/' /var/log/nginx/access.log`
  • Check for unusual or unexpected script files in the Wooey script storage directories.
  • If you have API access logs, filter for authenticated users who are not staff performing POST requests to the endpoint.
  • Use network monitoring tools like `tcpdump` or `Wireshark` to capture and analyze traffic targeting the API endpoint.
Mitigation Strategies

The primary mitigation step is to upgrade Wooey to version 0.13.3rc1 or later (including 0.14.0), where the vulnerability has been fixed by adding an authorization check for staff users.

This fix ensures that only users with the `is_staff` attribute set to true can upload scripts via the vulnerable API endpoint, preventing unauthorized script uploads and remote code execution.

If immediate upgrade is not possible, restrict access to the `/api/scripts/v1/add-or-update/` endpoint to trusted staff users only, for example by network-level controls or web server access restrictions.

Additionally, review and revoke API keys or credentials for non-staff users that may have been used to exploit this vulnerability.

Ensure that the configuration option `WOOEY_ALLOW_ANONYMOUS` is set to false to prevent anonymous users from executing scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7142. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart