Executive Summary

CVE-2026-42571 is a critical privilege escalation vulnerability in the Pelican platform's Web User Interface (WebUI). It affects versions from 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2.

The vulnerability allows any user authenticated via OAuth to the WebUI to gain admin privileges under certain server configurations, such as when specific admin user or group settings are enabled but those admins or groups have not logged in before.

An attacker can exploit this flaw by creating database records that grant themselves admin rights, enabling them to modify server configurations, create persistent API tokens, and change admin passwords.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user to escalate their privileges to admin level.

• Modification of server configurations by unauthorized users.
• Creation of persistent API tokens that could be used for further unauthorized access.
• Changing admin passwords, potentially locking out legitimate administrators.

Overall, it compromises the confidentiality, integrity, and availability of the affected system and potentially other connected systems.

Useful 0 Not Useful 0

Detection Guidance

To detect this vulnerability on your system, you should audit the Pelican database for signs of exploitation. The Pelican security advisory mentions using a provided script to check for unauthorized privilege escalations where users have gained admin rights improperly.

Since the vulnerability involves OAuth-authenticated users gaining admin privileges by creating database records, inspecting the database for unexpected admin users or groups is critical.

Specific commands are not detailed in the provided resources, but typical detection steps would include querying the Pelican database for admin user entries and reviewing server configuration settings such as `Server.UIAdminUsers` and `Server.AdminGroups`.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Pelican to one of the patched versions: 7.21.5, 7.22.3, 7.23.3, or 7.24.2.

If upgrading is not immediately possible, you should disable the vulnerable configurations such as `Server.UIAdminUsers` and `Server.AdminGroups` to prevent exploitation.

Additionally, audit the database for signs of exploitation using the provided script to identify any unauthorized privilege escalations.

Useful 0 Not Useful 0

Compliance Impact

The privilege escalation vulnerability in Pelican's Web UI allows any authenticated user via OAuth to gain admin privileges under certain configurations. This can lead to unauthorized modification of server configurations, creation of persistent API tokens, and changes to admin passwords, which significantly impacts confidentiality, integrity, and availability of the system.

Such unauthorized access and control could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. The ability for an attacker to escalate privileges and potentially access or alter sensitive information undermines these compliance requirements.

Immediate mitigation steps include auditing for exploitation, upgrading to patched versions, or disabling vulnerable configurations, which are critical to restoring compliance and reducing risk.

Useful 0 Not Useful 0