Impact
Vito is a self‑hosted web application that manages servers and deploys PHP applications. The vulnerability is a missing authorization check in the workflow site‑creation actions: the server_id supplied in the request is acted on without verifying that the server belongs to the project the caller is working in. An authenticated attacker who has workflow write access in one project can therefore supply the server_id of a server that belongs to another project and create or modify sites on it, gaining control over servers they were never granted access to. This is a broken access control issue that could be used to deploy malicious code, alter production environments, or disrupt services the attacker cannot otherwise reach. The weakness is classified as CWE‑862 (Missing Authorization).
Affected Systems
The issue affects vitodeploy’s Vito in all versions prior to 3.20.3; 3.20.3 is the first release with the fix. Exposure is greatest where a single Vito instance hosts multiple projects and workflow write permission is granted to users who should not reach every project’s servers. Administrators of such instances should confirm the running version and upgrade to 3.20.3 or later if it is older.
Risk and Exploitability
The flaw carries a CVSS score of 10, the maximum, indicating critical severity. The EPSS score is below 1 percent, so exploitation in the wild is currently assessed as unlikely, although the prerequisites are modest. The vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user holding workflow write permission in at least one project; based on the description, it is relevant primarily in multi‑project deployments, since what the attacker gains is access to servers in projects they are not a member of. With those prerequisites met, the attacker submits a site‑creation request carrying the server_id of a server from another project, which results in cross‑project privilege escalation and unauthorized modification of that server.
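As an added illustration of the bug class described in the Impact and Risk sections above, and not code taken from the Vito project, the following hypothetical Laravel‑style controller shows a site‑creation action that resolves server_id globally next to one that scopes the lookup to the authorized project. The model names (Project, Server), the project_id column, route model binding, and the 'update' policy ability are assumptions for the example; Vito’s real action names and schema are not reproduced here.

```php
<?php
// Hypothetical Laravel controller illustrating the missing-authorization bug
// class in this advisory. Not Vito's code: model names, the project_id column
// and the 'update' policy ability are assumptions made for the example.

namespace App\Http\Controllers;

use App\Models\Project;
use App\Models\Server;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class SiteController extends Controller
{
    // VULNERABLE: the caller's write access to $project is checked, but
    // server_id is resolved against the whole servers table. Any server id in
    // the instance passes 'exists:servers,id', so a user with write access in
    // project A can create a site on a server that belongs to project B.
    public function storeVulnerable(Request $request, Project $project): JsonResponse
    {
        $this->authorize('update', $project);

        $data = $request->validate([
            'server_id' => ['required', 'integer', 'exists:servers,id'],
            'domain'    => ['required', 'string', 'max:255'],
        ]);

        $server = Server::findOrFail($data['server_id']);   // no project scoping
        $site   = $server->sites()->create(['domain' => $data['domain']]);

        return response()->json($site, 201);
    }

    // HARDENED: the server is resolved through the project the caller was
    // authorized on. A foreign server_id fails validation (422) before any
    // lookup, and the relationship-scoped findOrFail (404) backs that up if
    // the validation rule is ever loosened. The 422 message is the same for a
    // non-existent id and a foreign id, so it does not reveal which it was.
    public function storeHardened(Request $request, Project $project): JsonResponse
    {
        $this->authorize('update', $project);

        $data = $request->validate([
            'server_id' => [
                'required', 'integer',
                Rule::exists('servers', 'id')->where('project_id', $project->id),
            ],
            'domain' => ['required', 'string', 'max:255'],
        ]);

        $server = $project->servers()->findOrFail($data['server_id']);
        $site   = $server->sites()->create(['domain' => $data['domain']]);

        return response()->json($site, 201);
    }
}
```

The check worth carrying into a regression test is the second one: authenticate as a user with write access in one project, post a site‑creation request whose server_id belongs to a server in a different project, and assert that the response is 422 or 404 and that no site row was created. Scoping every server lookup through the project relationship, rather than through a global `Server::find`, is what closes the hole regardless of how many entry points accept a server_id.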
OpenCVE Enrichment