Description

Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
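The flaw the description names, an account-creation path that confirms the requested role exists but never asks whether the caller may grant it, modelled side by side with the corrected check. This is an added example, not Formwork's code; the role names, their ranks and the class names are assumptions.

```python
"""Constructed model of the CVE-2026-27198 authorization gap.

The role hierarchy below is an assumption for illustration,
not Formwork's real role configuration.
"""
from dataclasses import dataclass, field

# Assumed hierarchy: a higher rank is more privileged.
ROLE_RANK = {"user": 1, "editor": 2, "admin": 3}


@dataclass
class User:
    name: str
    role: str


@dataclass
class AccountStore:
    users: dict = field(default_factory=dict)

    def create_vulnerable(self, actor: User, name: str, role: str) -> User:
        """Flawed version: only checks that the role is a known one.
        The privileges of `actor` are never consulted, so an editor
        can create an admin account."""
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role: {role}")
        self.users[name] = User(name, role)
        return self.users[name]

    def create_fixed(self, actor: User, name: str, role: str) -> User:
        """Hardened version: besides validating the role, refuse any
        role that outranks the caller's own. The check runs before the
        account is stored, so a rejected request leaves no new user."""
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role: {role}")
        if ROLE_RANK[role] > ROLE_RANK[actor.role]:
            raise PermissionError(
                f"{actor.role} '{actor.name}' may not assign role '{role}'"
            )
        self.users[name] = User(name, role)
        return self.users[name]


def privilege_escalation_possible(store: AccountStore, create) -> bool:
    """Return True if an editor can obtain an admin account via `create`."""
    editor = User("eve", "editor")
    try:
        return create(editor, "mallory", "admin").role == "admin"
    except PermissionError:
        return False
```

Running `privilege_escalation_possible` against each method shows the vulnerable path returning True and the fixed path returning False, while the fixed path still lets an editor create a plain user account.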

Status: PUBLISHED | Reserved 2026-02-18 | Published 2026-02-21 | Updated 2026-02-24 | Assigner GitHub_M

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-269: Improper Privilege Management

Product status

>= 2.0.0, < 2.3.4: affected

References

github.com/...rmwork/security/advisories/GHSA-34p4-7w83-35g2

github.com/...ommit/19390a0b408e084bdef86f3581e050f3ee51e7cd

github.com/getformwork/formwork/releases/tag/2.3.4

cve.org (CVE-2026-27198)

nvd.nist.gov (CVE-2026-27198)