CVE-2026-43510
Awaiting Analysis Awaiting Analysis - Queue
Stored Cross-Site Scripting in manage.get.gov Domain Manager

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43510
EUVD
EUVD-2026-28434
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cisagov manage.get.gov 1.176.0
cisagov manage.get.gov to 1.176.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43510 is an access control vulnerability in the manage.get.gov application, which is the .gov TLD registrar maintained by CISA. The issue allows organization administrators to assign domain manager privileges for domains outside their designated portfolio, violating intended access controls and portfolio isolation.

The root cause is missing validation in the domain assignment logic that fails to ensure the domain belongs to the administrator's portfolio before assigning privileges. This enables cross-organization privilege escalation by granting unauthorized domain management rights.

The vulnerability was fixed in version 1.176.0 by adding portfolio ownership validation to restrict domain assignments only within the administrator's portfolio.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation where an organization administrator can manage domains outside their authorized portfolio.

Such unauthorized domain management can break portfolio isolation boundaries, potentially allowing malicious or unintended changes to government domain configurations.

The impact includes compromised system availability and integrity due to improper access control, which could affect the security and administration of .gov domains.

Detection Guidance

This vulnerability involves improper access control allowing organization administrators to assign domain manager privileges to domains outside their portfolio. Detection involves verifying domain assignments and portfolio ownership consistency.

A practical detection method is to audit the domain manager assignments in the system database or application logs to identify any cross-portfolio privilege assignments.

Since the vulnerability is in the manage.get.gov application, commands or queries should focus on checking the domain assignments against portfolio ownership. For example, querying the database for UserDomainRole entries where the domain's portfolio ID does not match the administrator's portfolio ID.

  • Run a database query to find domain manager assignments where the domain portfolio differs from the administrator's portfolio.
  • Check application logs for domain assignment actions performed by organization administrators and verify if any assignments violate portfolio boundaries.
  • If you have access to the source code or API, test the domain assignment functionality by attempting to assign a domain from a different portfolio and observe if the system allows it.
Mitigation Strategies

The primary mitigation step is to upgrade the manage.get.gov application to version 1.176.0 or later, where the vulnerability has been fixed.

The fix includes validating that organization administrators can only assign domains within their own portfolio, preventing cross-portfolio privilege escalation.

  • Apply the update to manage.get.gov version 1.176.0 or newer as soon as possible.
  • Review and audit current domain manager assignments to identify and revoke any unauthorized cross-portfolio privileges.
  • Implement monitoring to detect any future unauthorized domain assignments.
Compliance Impact

CVE-2026-43510 involves an access control vulnerability in manage.get.gov that allows organization administrators to assign domain manager privileges across different portfolios improperly. This unauthorized privilege escalation and violation of portfolio isolation could lead to unauthorized access to sensitive government domain management functions.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the improper access control and cross-organization privilege escalation could potentially impact compliance with regulations that require strict access controls and data segregation, especially in government-related environments.

Since manage.get.gov manages .gov TLD domains, improper privilege assignments could undermine security controls expected under various regulatory frameworks that mandate protection of sensitive information and strict role-based access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43510. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart