Description
WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.
Published: 2026-02-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Patch Now
AI Analysis

Impact

The vulnerability allows an authenticated user who is not an administrator to gain full administrator rights. By sending a single authenticated PUT request to the user profile endpoint with "IsAdmin": true, the server fails to protect this field when persisting the profile. Consequently, the value is written directly to the database, elevating the user to an administrator. This results in unrestricted control over the WireGuard VPN management portal.

Affected Systems

The affected product is WireGuard Portal (wg-portal) from the vendor h44z. Versions older than 2.1.3 are vulnerable, including the docker images tagged 'latest' built from the master branch prior to the fix.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity of this issue. An exploit requires legitimate authentication to the portal, which the user already possesses, making the attack path straightforward once the user has credentials. While the EPSS score is below 1%, suggesting a low probability of widespread exploitation at the time of analysis, the potential impact of full administrative takeover warrants urgent attention. The vulnerability is not listed in the CISA KEV catalog. Attackers can simply send the crafted request to their own user profile endpoint to achieve escalation.

Generated by OpenCVE AI on April 18, 2026 at 10:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to wg-portal version 2.1.3 or later or use the patched docker image. This fixes the code that improperly writes the IsAdmin field.
  • Modify the user update logic to reject or reset the IsAdmin field unless the requester already has administrator privileges. This will prevent privilege escalation through valid update requests.
  • If upgrading immediately is not possible, temporarily disable non‑admin users’ ability to modify their own profile or restrict their access to the user update endpoint until the fix is applied.

Generated by OpenCVE AI on April 18, 2026 at 10:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5rmx-256w-8mj9 WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
History

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Wgportal
Wgportal wireguard Portal
CPEs cpe:2.3:a:wgportal:wireguard_portal:*:*:*:*:*:*:*:*
Vendors & Products Wgportal
Wgportal wireguard Portal

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared H44z
H44z wg-portal
Vendors & Products H44z
H44z wg-portal

Thu, 26 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.
Title WireGuard Portal Vulnerable to Privilege Escalation to Admin via User Self-Update
Weaknesses CWE-269
CWE-863
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

H44z Wg-portal
Wgportal Wireguard Portal
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:02:52.876Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27899

cve-icon Vulnrichment

Updated: 2026-02-26T16:02:47.000Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T02:16:20.557

Modified: 2026-03-02T18:52:39.390

Link: CVE-2026-27899

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses