CVE-2026-43510
Stored Cross-Site Scripting in manage.get.gov Domain Manager

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.
Meta Information
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
cisagov | manage.get.gov | 1.176.0
cisagov | manage.get.gov | up to 1.176.0 (excluding)
CWE
CWE-266 (Incorrect Privilege Assignment): A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-43510 is an access control vulnerability in the manage.get.gov application, which is the .gov TLD registrar maintained by CISA. The issue allows organization administrators to assign domain manager privileges for domains outside their designated portfolio, violating intended access controls and portfolio isolation.

The root cause is missing validation in the domain assignment logic that fails to ensure the domain belongs to the administrator's portfolio before assigning privileges. This enables cross-organization privilege escalation by granting unauthorized domain management rights.

The vulnerability was fixed in version 1.176.0 by adding portfolio ownership validation to restrict domain assignments only within the administrator's portfolio.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized privilege escalation where an organization administrator can manage domains outside their authorized portfolio.

Such unauthorized domain management can break portfolio isolation boundaries, potentially allowing malicious or unintended changes to government domain configurations.

The impact includes compromised system availability and integrity due to improper access control, which could affect the security and administration of .gov domains.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper access control allowing organization administrators to assign domain manager privileges to domains outside their portfolio. Detection involves verifying domain assignments and portfolio ownership consistency.

A practical detection method is to audit the domain manager assignments in the system database or application logs to identify any cross-portfolio privilege assignments.

Since the vulnerability is in the manage.get.gov application, commands or queries should focus on checking the domain assignments against portfolio ownership. For example, querying the database for UserDomainRole entries where the domain's portfolio ID does not match the administrator's portfolio ID.

  • Run a database query to find domain manager assignments where the domain portfolio differs from the administrator's portfolio.
  • Check application logs for domain assignment actions performed by organization administrators and verify if any assignments violate portfolio boundaries.
  • If you have access to the source code or API, test the domain assignment functionality by attempting to assign a domain from a different portfolio and observe if the system allows it.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the manage.get.gov application to version 1.176.0 or later, where the vulnerability has been fixed.

The fix includes validating that organization administrators can only assign domains within their own portfolio, preventing cross-portfolio privilege escalation.

  • Apply the update to manage.get.gov version 1.176.0 or newer as soon as possible.
  • Review and audit current domain manager assignments to identify and revoke any unauthorized cross-portfolio privileges.
  • Implement monitoring to detect any future unauthorized domain assignments.
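The missing-check root cause, the portfolio-ownership validation the fix adds, and the cross-portfolio audit suggested under detection and mitigation, shown together as an added example. This is illustrative Python written for this page, not code from the manage.get.gov project; the model classes, the `granted_by` audit field and the sample users and domains are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data model mirroring the advisory's description: a portfolio
# (organization) owns domains, and an organization administrator belongs to
# exactly one portfolio. Field names are illustrative, not the project's own.
@dataclass(frozen=True)
class Domain:
    name: str
    portfolio_id: Optional[int]  # None: domain not yet held by any organization

@dataclass(frozen=True)
class User:
    username: str
    portfolio_id: int

@dataclass(frozen=True)
class UserDomainRole:
    username: str    # user who receives the domain manager role
    domain: str
    granted_by: str  # assumed audit field: the admin who made the assignment

class PortfolioBoundaryError(PermissionError):
    """Raised when an assignment would cross a portfolio boundary."""

def assign_manager_unchecked(admin: User, domain: Domain, target: User) -> UserDomainRole:
    """Behaviour described for versions before 1.176.0: no ownership validation."""
    return UserDomainRole(target.username, domain.name, granted_by=admin.username)

def assign_manager_checked(admin: User, domain: Domain, target: User) -> UserDomainRole:
    """Hardened form: the domain must already belong to the admin's portfolio.
    A domain with no portfolio (None) also fails the comparison, so unowned
    domains cannot be claimed through this path either."""
    if domain.portfolio_id != admin.portfolio_id:
        raise PortfolioBoundaryError(
            f"{admin.username} may not assign {domain.name}: not in portfolio {admin.portfolio_id}")
    return UserDomainRole(target.username, domain.name, granted_by=admin.username)

def audit_cross_portfolio(roles, domains, users):
    """Detection: return existing roles whose domain portfolio differs from the
    granting administrator's portfolio (the query the Q&A above suggests)."""
    domain_pf = {d.name: d.portfolio_id for d in domains}
    user_pf = {u.username: u.portfolio_id for u in users}
    return [r for r in roles
            if r.granted_by in user_pf and domain_pf.get(r.domain) != user_pf[r.granted_by]]

if __name__ == "__main__":
    alice, bob = User("alice", 1), User("bob", 2)  # constructed users
    domains = [Domain("a.gov", 1), Domain("b.gov", 2), Domain("new.gov", None)]
    roles = [assign_manager_unchecked(alice, d, bob) for d in domains]  # vulnerable path
    for r in audit_cross_portfolio(roles, domains, [alice, bob]):
        print("cross-portfolio grant:", r)  # flags b.gov and new.gov, not a.gov
```

Against a real deployment the same comparison would be run as a database query joining the role table to the domain and portfolio tables rather than over in-memory objects.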

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-43510 involves an access control vulnerability in manage.get.gov that allows organization administrators to assign domain manager privileges across different portfolios improperly. This unauthorized privilege escalation and violation of portfolio isolation could lead to unauthorized access to sensitive government domain management functions.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the improper access control and cross-organization privilege escalation could potentially impact compliance with regulations that require strict access controls and data segregation, especially in government-related environments.

Since manage.get.gov manages .gov TLD domains, improper privilege assignments could undermine security controls expected under various regulatory frameworks that mandate protection of sensitive information and strict role-based access controls.

