Description
Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles.
Published: 2026-04-20
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: Privilege escalation via improper access control
Action: Apply patch
AI Analysis

Impact

Improper access control in Doorman allows any authenticated user to change the role field of their own account via the /platform/user/{username} endpoint. The update model accepts the role property without checking for the manage_users permission on self‑updates, so a user can assign themselves a high‑privileged role. Note that the CVE description says "non-admin privileged role", not full administrator; even so, the CVSS vector recorded below (scope changed, confidentiality and integrity high) reflects access to data and configuration well beyond the user's own account, which can lead to uncontrolled system changes and data exposure.

Affected Systems

Doorman v0.1.0 and v1.0.2 are the versions named in the CVE record. The record does not say whether releases between them are affected, so until the project states otherwise treat any release that predates a fix as suspect. The flaw is in the user account management API endpoint /platform/user/{username}.

Risk and Exploitability

The vulnerability requires an authenticated session on the REST API; an attacker with any valid account can read their own username and send an update request to /platform/user/{username} whose body sets role, elevating themselves. At the time of this analysis no public exploit or patch notes were available and the EPSS score is unknown. Two caveats on the banner values: the SSVC enrichment recorded later in the history sets Exploitation to poc, meaning a proof of concept exists, and KEV: No means only that CISA has not listed the CVE as known exploited, not that it is unexploited. Because no permission check stands in the way, every authenticated user is a potential attacker, so the risk is high wherever credentials are shared, phished, or issued to low‑trust users.

Generated by OpenCVE AI on April 20, 2026 at 17:23 UTC.
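A detection sweep for the behaviour described in the risk paragraph, added here as an example; it is not from OpenCVE or Doorman, and it assumes no particular Doorman log format. It takes request logs as JSON lines with fields user, method, path and body_keys (assumed names; adapt them to what your gateway or application emits) and the sample lines are constructed for the example:

```python
"""Added example, not Doorman's or OpenCVE's code: flag writes to
/platform/user/{username} that carry a `role` field, and in particular
writes in which the caller edits their own record (the CVE-2026-30269
pattern). Field names `user`, `method`, `path`, `body_keys` and the log
lines below are assumptions constructed for this illustration."""
import json
import re

# Constructed request log: one JSON object per request.
SAMPLE_LOG = """\
{"ts":"2026-04-20T17:01:02Z","user":"alice","method":"GET","path":"/platform/user/alice","body_keys":[]}
{"ts":"2026-04-20T17:01:09Z","user":"alice","method":"PUT","path":"/platform/user/alice","body_keys":["email"]}
{"ts":"2026-04-20T17:02:31Z","user":"alice","method":"PUT","path":"/platform/user/alice","body_keys":["role"]}
{"ts":"2026-04-20T17:03:00Z","user":"root","method":"PUT","path":"/platform/user/bob","body_keys":["role"]}
{"ts":"2026-04-20T17:03:44Z","user":"bob","method":"PATCH","path":"/platform/user/bob/","body_keys":["email","role"]}
not json at all
"""

# Path shape named in the advisory; trailing slash tolerated.
USER_PATH = re.compile(r"^/platform/user/(?P<username>[^/]+)/?$")
WRITE_METHODS = {"PUT", "PATCH", "POST"}


def role_updates(lines):
    """Every write to /platform/user/{username} whose body carries `role`,
    tagged with whether the caller edited their own record."""
    found = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, do not abort the sweep
        if not isinstance(ev, dict):
            continue
        m = USER_PATH.match(ev.get("path", ""))
        if not m or ev.get("method") not in WRITE_METHODS:
            continue
        if "role" not in ev.get("body_keys", []):
            continue
        target = m.group("username")
        found.append({**ev, "target": target,
                      "self_update": target == ev.get("user")})
    return found


def self_role_updates(lines):
    """Only the self-escalation pattern: caller sets role on their own account."""
    return [ev for ev in role_updates(lines) if ev["self_update"]]


if __name__ == "__main__":
    for ev in role_updates(SAMPLE_LOG.splitlines()):
        flag = "SELF-ROLE-UPDATE" if ev["self_update"] else "role write by other"
        print(ev["ts"], ev["user"], "->", ev["target"], flag)
```

Run it over the logs that cover the exposure window. Role writes by other users are listed too so they can be reconciled against change records; after the fix is deployed, any self role write that still returned success is a sign the fix is not actually in place. Usernames are compared exactly; if the application normalizes case, normalize both sides before comparing.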

Remediation

No vendor fix or workaround is recorded in the advisory. The "Action: Apply patch" line above presumes a fixed release exists; confirm that with the project before relying on it.

OpenCVE Recommended Actions

  • Upgrade Doorman to a release in which role changes require the manage_users permission regardless of whether the target is the caller's own account; verify the fix against the project's release notes, since none are recorded here.
  • If an upgrade is not yet possible and you build from source, remove role from the update model accepted on /platform/user/{username}, or reject any request that sets it unless the caller holds manage_users. If you cannot change the code, block write requests whose body contains a role field at a reverse proxy or WAF in front of the endpoint.
  • Do not simply restrict the whole endpoint to role managers: ordinary users still need it for self‑service fields. Restrict the role field specifically, and audit existing accounts for roles that no administrator granted.
  • Apply least privilege to default and service accounts, keep the set of accounts small, and enforce strong, unique credentials, since any authenticated session is enough to exploit this flaw.
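The flaw the Impact paragraph describes and the check the recommended actions call for, side by side, as an added illustration in Python. Doorman's own code is not quoted on this page and this is not it: the dataclass update model, the role table, the permission names other than manage_users and the function names are all assumptions made for the example.

```python
"""Added illustration, not Doorman's code: a self-update handler that applies
`role` straight from the accepted update model (CWE-269), next to a hardened
version that gates role changes on manage_users even for self-updates.

Assumptions (not from the advisory): user records are dicts, each role maps to
a set of permission strings, and `manage_users` is the permission that gates
role changes. ROLE_PERMISSIONS, UserUpdate and update_user_* are invented."""
from dataclasses import dataclass, fields
from typing import Optional

# Constructed role/permission table; only manage_users is named in the CVE.
ROLE_PERMISSIONS = {
    "user": set(),
    "operator": {"manage_keys", "view_audit"},        # privileged, non-admin
    "admin": {"manage_users", "manage_keys", "view_audit"},
}


@dataclass
class UserUpdate:
    """Fields a write to /platform/user/{username} may carry."""
    email: Optional[str] = None
    role: Optional[str] = None   # accepted by the model: this is the bug


class PermissionDenied(Exception):
    pass


def has_permission(users, actor, perm):
    return perm in ROLE_PERMISSIONS.get(users[actor]["role"], set())


def _apply(record, update):
    """Copy every non-null field of the update onto the stored record."""
    for f in fields(update):
        value = getattr(update, f.name)
        if value is not None:
            record[f.name] = value
    return record


def update_user_vulnerable(users, actor, target, update):
    """Self-updates skip the manage_users check entirely, so whatever the
    model accepted, role included, is written to the account."""
    if actor != target and not has_permission(users, actor, "manage_users"):
        raise PermissionDenied("manage_users required to edit other users")
    return _apply(users[target], update)


def update_user_hardened(users, actor, target, update):
    """Role changes always require manage_users, self-update or not, and the
    requested role must be one the system knows."""
    if actor != target and not has_permission(users, actor, "manage_users"):
        raise PermissionDenied("manage_users required to edit other users")
    if update.role is not None:
        if not has_permission(users, actor, "manage_users"):
            raise PermissionDenied("manage_users required to change role")
        if update.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {update.role!r}")
    return _apply(users[target], update)


def demo():
    """Same self-escalation attempt against both handlers; returns the role
    the attacker ends up with under each."""
    users = {"alice": {"role": "user", "email": "alice@example.test"}}
    vulnerable = update_user_vulnerable(
        users, "alice", "alice", UserUpdate(role="operator"))["role"]
    users = {"alice": {"role": "user", "email": "alice@example.test"}}
    try:
        update_user_hardened(users, "alice", "alice", UserUpdate(role="operator"))
    except PermissionDenied:
        pass
    return vulnerable, users["alice"]["role"]


if __name__ == "__main__":
    print("vulnerable -> %s, hardened -> %s" % demo())
```

The point of the hardened version is that the permission check is keyed on the field being changed, not on who the target is: a self-update of email still works, and an administrator can still change anyone's role, but role never moves without manage_users.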


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 19:15:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-269
Metrics                      cvssV3_1
                             {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}
                             ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 17:45:00 +0000

Type        Values Removed   Values Added
Title                        Privilege escalation in Doorman via improper role update
Weaknesses                   CWE-284

Mon, 20 Apr 2026 16:45:00 +0000

Type         Values Removed   Values Added
Description                   Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T18:23:39.346Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30269

Vulnrichment

Updated: 2026-04-20T18:20:34.471Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T17:16:33.483

Modified: 2026-04-20T19:16:10.383

Link: CVE-2026-30269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses