
URL: https://github.com/advisories/GHSA-34p4-7w83-35g2

Formwork Improperly Managed Privileges in User creation · CVE-2026-27198 · GitHub Advisory Database · GitHub

Formwork Improperly Managed Privileges in User creation

High severity GitHub Reviewed Published in getformwork/formwork • Updated

Package

getformwork/formwork (Composer)

Affected versions

>= 2.0.0, <= 2.3.3

Patched versions

2.3.4

Description

Summary

The application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS.
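The following is an added illustration of the authorization gap the summary describes; it is not Formwork's code and does not use its API. It models account creation twice: the vulnerable form that only checks that the requested role exists, and a hardened form that also checks whether the acting user is allowed to grant that role. The role names, the rank ordering, and the policy "an actor may not assign a role ranked above its own" are assumptions chosen for the example. A small audit helper at the end flags creation events where the new account outranks its creator, which is the kind of check an operator of an unpatched instance would want to run over their user records.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed role hierarchy for the example (not Formwork's real role model):
# a higher rank means more privilege.
ROLE_RANK = {"user": 1, "editor": 2, "admin": 3}


@dataclass(frozen=True)
class User:
    username: str
    role: str


class AuthorizationError(Exception):
    """Raised when the acting user may not make the requested role assignment."""


def role_exists(role: str) -> bool:
    return role in ROLE_RANK


def create_user_vulnerable(actor: User, username: str, role: str) -> User:
    """The pattern the advisory describes: the role is validated for existence
    only, so an editor can hand 'admin' to a new account. The actor's own
    privileges are never consulted."""
    if not role_exists(role):
        raise ValueError(f"unknown role: {role}")
    return User(username, role)


def create_user_fixed(actor: User, username: str, role: str) -> User:
    """Hardened form: validate the role AND check that the actor may grant it.
    Assumed policy: an actor may never assign a role ranked above its own."""
    if not role_exists(role):
        raise ValueError(f"unknown role: {role}")
    if ROLE_RANK[role] > ROLE_RANK[actor.role]:
        raise AuthorizationError(
            f"{actor.username} ({actor.role}) may not assign role {role!r}"
        )
    return User(username, role)


@dataclass(frozen=True)
class CreationEvent:
    """One account-creation record: who created the account and what it became."""
    creator: User
    created: User


def find_escalations(events: Iterable[CreationEvent]) -> list[CreationEvent]:
    """Defender-side review of an audit trail: return every creation event where
    the created account outranks its creator. On an unpatched instance these are
    the accounts to inspect first."""
    return [
        e for e in events
        if ROLE_RANK[e.created.role] > ROLE_RANK[e.creator.role]
    ]


if __name__ == "__main__":
    editor = User("alice", "editor")
    # Vulnerable path: succeeds even though an editor is granting admin.
    print("vulnerable:", create_user_vulnerable(editor, "mallory", "admin"))
    # Hardened path: the same request is refused.
    try:
        create_user_fixed(editor, "mallory", "admin")
    except AuthorizationError as exc:
        print("fixed:", exc)
    # Hardened path still lets an editor create a lower-ranked account.
    print("fixed:", create_user_fixed(editor, "bob", "user"))
    # Constructed audit trail: one legitimate creation, one escalation.
    trail = [
        CreationEvent(User("root", "admin"), User("carol", "editor")),
        CreationEvent(editor, User("mallory", "admin")),
    ]
    print("escalations:", find_escalations(trail))
```

The check in `create_user_fixed` is deliberately placed after the existence check, so an unknown role is still reported as a validation error rather than an authorization error; only a real, over-privileged role triggers the refusal.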

Impact

Successful exploitation allows an attacker to:

  • Gain full administrative control over the CMS.
  • Access all site data and user information.
  • Modify system configuration and security settings.
  • Create, modify, or delete any user account, including legitimate administrators.

Patches

Formwork 2.3.4 properly assigns roles on user creation.

References

Published to the GitHub Advisory Database
Reviewed
Last updated

Severity

High
/ 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

(33rd percentile)

Weaknesses

CVE ID

CVE-2026-27198

GHSA ID

GHSA-34p4-7w83-35g2

Source code

Credits
