CVE-2026-15188
Deferred Deferred - Pending Action

Improper Access Control in django-job-portal Employee Dashboard

Vulnerability report for CVE-2026-15188, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
manjurulhoque django-job-portal to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15188 is a privilege escalation vulnerability in the django-job-portal application. An authenticated user with a low-privilege employee role can escalate their privileges to the employer role by sending a request to the profile-update endpoint with the role field set to "employer".

The vulnerability exists because the serializer used by the endpoint allows the role field to be modified, even though it governs access control in the application. The authorization classes check the user's role to determine access, but the role field is not protected from modification.

This allows an attacker to change their role to "employer" and gain access to employer-only capabilities, such as viewing and altering applicant data, creating jobs, and accessing the employer dashboard.

The attack requires only a valid JWT token and does not need a CSRF token.

Impact Analysis

This vulnerability allows a low-privilege employee user to escalate their privileges to an employer role, which can lead to unauthorized access to sensitive employer-only functions.

  • Viewing and altering applicant data without authorization.
  • Creating job postings that should be restricted to employers.
  • Accessing the employer dashboard and other restricted endpoints.

Such unauthorized access can lead to data breaches, manipulation of job postings, and compromise of the integrity of the job portal system.

Detection Guidance

This vulnerability can be detected by attempting to exploit the privilege escalation flaw in the django-job-portal application. Specifically, an authenticated user with a low-privilege employee role can send a PUT request to the profile-update endpoint with the role field set to "employer" to check if the role change is accepted and persists.

A sample command to test this would be using curl with a valid JWT token to send the PUT request:

  • curl -X PUT https://<target-domain>/accounts/api/profile/ -H "Authorization: Bearer <valid_jwt_token>" -H "Content-Type: application/json" -d '{"role": "employer"}'

If the response indicates success and the user's role changes to employer, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting modification of the role field in the profile update endpoint to prevent unauthorized role changes.

Specifically, the application should ensure that the serializer used in the EditEmployeeProfileAPIView does not allow the role field to be updated by users, or that proper authorization checks are enforced before accepting changes to the role.

Additionally, monitoring and logging attempts to modify the role field can help detect exploitation attempts.

Since the project uses a rolling release model and has not yet responded to the issue, applying custom patches or temporarily disabling the profile update functionality for role changes may be necessary until an official fix is released.

Compliance Impact

The vulnerability allows an authenticated low-privilege employee to escalate their privileges to an employer role, granting unauthorized access to employer-only capabilities such as viewing and altering applicant data, creating jobs, and accessing the employer dashboard.

This improper access control and privilege escalation could lead to unauthorized access and potential misuse of personal and sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal information.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15188. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart