578 matches found
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected Component Socket.IO session state and role-check callsites: - backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL - backend/openwebui/socket/main.py lin...
GHSA-45M8-CPM2-3V65 Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected Component Socket.IO session state and role-check callsites: - backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL - backend/openwebui/socket/main.py lin...
PT-2026-39270
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description Administrative role changes and user deletions do not invalidate the SESSION POOL in-memory dictionary. When a user connects via Socket.IO, their role is snapshotted into this pool. Because the...
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users
Summary Multiple classes evaluate Spring Expression Language SpEL expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential...
Server-side Request Forgery (SSRF)
Overview edx-enterprise is a Your project description goes here Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the syncproviderdata function. An attacker can cause the server to make arbitrary HTTP requests to internal or external resources by supplying a...
CVE-2026-41133
The CVE concerns pyLoad (Python download manager). Affected: versions up to 0.5.0b3.dev97. Root cause: the session cache stores user role/permissions at login and continues to authorize requests using these cached values even after an admin changes the user’s role/permissions in the database. Thi...
CVE-2026-20203 Improper Access Control in Data Model Acceleration in Splunk Enterprise
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the admin or power Splunk roles, has write permission on...
CVE-2026-20203
CVE-2026-20203 describes improper access control in Data Model Acceleration for Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. A low-privilege user ...
PT-2026-33065
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the admin or power Splunk roles, has write permission on...
PT-2026-33067
Name of the Vulnerable Software and Affected Versions Splunk MCP Server app versions prior to 1.0.3 Description A user with a role that has access to the Splunk internal index or the high-privilege capability mcp tool admin can view user session and authorization tokens in clear text. This issue...
CVE-2026-40291 Chamilo LMS has Privilege Escalation via API User Role Modification
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLESTUDENT to escalate their privileges to ROLEADMIN by modifying the roles field o...
CVE-2026-40291
Chamilo LMS exposes an insecure direct object modification in PUT /api/users/{id} prior to version 2.0.0-RC.3, allowing any authenticated user with ROLE_STUDENT to escalate to ROLE_ADMIN by modifying their own roles field. The API Platform check is_granted('EDIT', object) only verifies ownership,...
PT-2026-41203
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description LDAP and OAuth authentication flows use a Time-of-Check-Time-of-Use TOCTOU pattern—a race condition where a system checks a condition and then uses the result of that check, but the condition...
SUSE CVE-2026-34389
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...
GHSA-53MR-6C8Q-9789 LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint
Impact The /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following: - Modify proxy configuration and environment variables - Register custom pass-through endpoint handlers pointing to...
CVE-2026-33950
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
PT-2026-30278
Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.83.0 Description LiteLLM is a proxy server for LLM APIs. The /config/update API endpoint did not enforce admin role authorization, allowing authenticated users to modify proxy configurations and environment variable...
CVE-2026-33950
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
CVE-2026-33950
SignalK server (signalk-server) is affected. Before version 2.24.0-beta.4, there is a privilege escalation via Admin Role Injection through /enableSecurity. An unauthenticated attacker can gain full Administrator access to the server, potentially modifying vessel routing data, server configuratio...
CVE-2026-33950
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...