Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.
Published: 2026-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass enabling unauthorized modification of roadmaps
Action: Immediate Patch
AI Analysis

Impact

A logic flaw in PEAR’s roadmap authorization check, triggered by operator precedence, allows authenticated users who are not lead maintainers to gain full control over roadmap creation, updates, and deletion. The vulnerability is a classic example of CWE‑783: insecure permissions or access control. An attacker with access to the application can therefore alter project plans, introduce erroneous information, or delete critical roadmap data, potentially leading to loss of integrity and availability for project stakeholders.

Affected Systems

The issue affects the PEAR framework and distribution system for reusable PHP components, specifically the pearweb product from vendor pear. Versions prior to 1.33.0 are vulnerable; all releases 1.33.0 and newer have the fix applied.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity vulnerability, but EPSS shows a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, the attack vector appears to be local to the web application; an authenticated non-lead user can execute the exploit simply by creating or manipulating a roadmap, as no additional conditions are required beyond legitimate credentials.

Generated by OpenCVE AI on April 18, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PEAR pearweb to version 1.33.0 or later to apply the official patch that fixes the operator precedence bug in the roadmap role check.
  • If an immediate upgrade is not possible, restrict roadmap creation, modification, and deletion privileges to lead maintainers only by reviewing and tightening role assignments in the application configuration.
  • Enable detailed logging for roadmap creation, update, and deletion actions to detect unauthorized modifications and trigger alerts.

Generated by OpenCVE AI on April 18, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Wed, 04 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Pear
Pear pearweb
Vendors & Products Pear
Pear pearweb

Tue, 03 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.
Title PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug
Weaknesses CWE-783
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Pear Pearweb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:14:41.218Z

Reserved: 2026-01-30T14:44:47.328Z

Link: CVE-2026-25233

cve-icon Vulnrichment

Updated: 2026-02-04T21:14:38.737Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T19:16:22.980

Modified: 2026-02-05T18:09:05.780

Link: CVE-2026-25233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses