Description
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
Published: 2026-02-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with a low privilege role, such as editor, to create new user accounts and assign the highly privileged admin role. As a result, the attacker can gain full administrative control over the CMS, compromising confidentiality, integrity, and availability of the site.

Affected Systems

Formwork CMS versions 2.0.0 through 2.3.3 are affected. The issue is fixed in version 2.3.4 and later releases.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the issue high severity: it is reachable over the network, needs only low privileges and no user interaction, and has full impact on confidentiality, integrity and availability. The EPSS score is below 1 percent, suggesting a low exploitation probability at present, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation and rates it not automatable, with total technical impact. An attacker needs only an authenticated account with the editor role: the flaw is a missing privilege check during account creation, so no further conditions are required to exploit it.

Generated by OpenCVE AI on April 17, 2026 at 16:54 UTC.

Remediation

Vendor fix: the issue is fixed in Formwork 2.3.4; upgrade to 2.3.4 or later. No workaround is provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to Formwork 2.3.4 or later.
  • Audit the CMS configuration to ensure that only users with sufficient privileges can assign high-level roles during account creation.
  • Implement monitoring and log review to detect and respond to unauthorized role assignment attempts.
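The following is an added example, not Formwork's code and not anything from the project. It puts the missing check described in the Description and Impact sections beside a hardened form of the same account-creation routine, and then runs a simple audit over constructed account-creation log lines of the kind the monitoring recommendation above calls for. The role names (user, editor, admin), the ROLE_RANK ordering, the function names and the log line format are all assumptions made for illustration.

```python
"""Illustration of the authorization gap described above and a simple audit
pass over account-creation events.

Added example for this page. It is not Formwork's code and does not reproduce
its internals: the role names (user, editor, admin), the ROLE_RANK ordering,
the functions below and the audit-log line format are all assumptions made
for illustration.
"""
import re
from dataclasses import dataclass

# Assumed privilege order: a higher rank means more privilege.
ROLE_RANK = {"user": 1, "editor": 2, "admin": 3}


class AuthorizationError(Exception):
    """Raised when an actor tries to assign a role above their own."""


@dataclass(frozen=True)
class User:
    username: str
    role: str


def create_account_vulnerable(actor: User, username: str, role: str) -> User:
    """The pattern the advisory describes: the requested role is checked for
    existence only, and the actor's own privilege is never consulted."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    return User(username, role)


def can_assign_role(actor: User, role: str) -> bool:
    """An actor may assign a role only if it does not outrank their own role
    (assumed policy; an unknown role is never assignable)."""
    return role in ROLE_RANK and ROLE_RANK[actor.role] >= ROLE_RANK[role]


def create_account_fixed(actor: User, username: str, role: str) -> User:
    """Hardened version: validate that the role exists, then check that the
    actor is allowed to assign it before creating the account."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    if not can_assign_role(actor, role):
        raise AuthorizationError(
            f"{actor.username} ({actor.role}) may not assign role {role!r}")
    return User(username, role)


def attempt(create, actor: User, username: str, role: str) -> str:
    """Run one account-creation call and report the outcome as a string."""
    try:
        created = create(actor, username, role)
    except AuthorizationError:
        return "denied"
    return f"created:{created.role}"


# --- audit pass over constructed log lines -----------------------------------

# Assumed log line shape (not Formwork's format): one account-creation event
# per line, recording the actor, the actor's role, and the role assigned.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user\.create actor=(?P<actor>\S+) actor_role=(?P<actor_role>\S+) "
    r"user=(?P<user>\S+) role=(?P<role>\S+)$"
)

# Constructed sample log; the third line is the escalation the advisory describes.
SAMPLE_LOG = """\
2026-02-20T09:12:01Z user.create actor=alice actor_role=admin user=bob role=editor
2026-02-20T09:40:13Z user.create actor=bob actor_role=editor user=carol role=user
2026-02-20T10:02:55Z user.create actor=bob actor_role=editor user=mallory role=admin
2026-02-20T10:05:00Z user.login actor=mallory
"""


def find_escalations(lines):
    """Return the account-creation events in which the assigned role outranks
    the actor's role. Unknown roles rank 0, so a bogus actor_role is flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not an account-creation event
        ev = m.groupdict()
        if ROLE_RANK.get(ev["role"], 0) > ROLE_RANK.get(ev["actor_role"], 0):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    editor = User("bob", "editor")
    print("vulnerable:", attempt(create_account_vulnerable, editor, "mallory", "admin"))
    print("fixed:     ", attempt(create_account_fixed, editor, "mallory", "admin"))
    for ev in find_escalations(SAMPLE_LOG.splitlines()):
        print(f"escalation at {ev['ts']}: {ev['actor']} ({ev['actor_role']}) "
              f"created {ev['user']} as {ev['role']}")
```

The point of the hardened routine is that existence of a role and permission to grant it are two separate checks; the audit function applies the same rank comparison after the fact, so any creation event where the granted role outranks the actor's role is a candidate for the escalation this advisory describes, whatever the CMS version in use.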

Advisories
Source: GitHub GHSA
ID: GHSA-34p4-7w83-35g2
Title: Formwork Improperly Managed Privileges in User creation
History

Tue, 03 Mar 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Formwork Project; Formwork Project formwork

Type: CPEs
Values Added: cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Formwork Project; Formwork Project formwork

Wed, 25 Feb 2026 10:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Getformwork; Getformwork formwork

Type: Vendors & Products
Values Added: Getformwork; Getformwork formwork

Sat, 21 Feb 2026 05:30:00 +0000

Type: Description
Values Added: Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.

Type: Title
Values Added: Formwork Improperly Manages Privileges During User Creation

Type: Weaknesses
Values Added: CWE-269

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-24T19:01:22.284Z
Reserved: 2026-02-18T19:47:02.155Z
Link: CVE-2026-27198

Vulnrichment

Updated: 2026-02-24T19:01:15.608Z

NVD

Status: Analyzed
Published: 2026-02-21T06:17:00.543
Modified: 2026-03-03T17:33:54.540
Link: CVE-2026-27198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses