Description
A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.4-s.4 mitigates this issue. The identifier of the patch is 5e37c4e85fae68e756be5019a28ca903b161fdd5. Upgrading the affected component is advised.
Published: 2026-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Access Control leading to potential unauthorized privileged action
Action: Apply Patch
AI Analysis

Impact

A vulnerability in the Role Handler of fosrl Pangolin allows an attacker to bypass the verifyRoleAccess and verifyApiKeyRoleAccess checks, resulting in improper access controls. By exploiting this flaw, a remote attacker can bypass the intended permission checks and gain unauthorized access to privileged resources or actions. The weakness stems from missing validation of role or API-key permissions, mapping to CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control).

Affected Systems

The flaw affects all releases of fosrl Pangolin up to and including version 1.15.4-s.3. Systems running any affected build are at risk until the component is upgraded to 1.15.4-s.4, the first release containing the fix identified by commit 5e37c4e85fae68e756be5019a28ca903b161fdd5.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, while the EPSS value below 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but remote exploitation is possible through the exposed API. Attackers would need network access to the Pangolin instance and the ability to craft requests to the role verification endpoints, after which they could elevate privileges or access restricted data.

Generated by OpenCVE AI on April 16, 2026 at 16:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Pangolin 1.15.4-s.4 (commit 5e37c4e85fae68e756be5019a28ca903b161fdd5).
  • Verify that role and API-key validation logic is enforced by inspecting configuration or running integration tests against the verifyRoleAccess endpoint.
  • Restrict network exposure of the Pangolin API or implement a firewall rule so that only trusted hosts can reach the role verification endpoints, and monitor logs for abnormal access patterns.


Advisories

No advisories yet.

History

Sun, 08 Mar 2026 07:30:00 +0000
  Type: References
  Values Removed / Values Added: (not shown)

Thu, 26 Feb 2026 19:15:00 +0000
  Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000
  Type: First Time appeared
  Values Added: Fosrl; Fosrl pangolin
  Type: Vendors & Products
  Values Added: Fosrl; Fosrl pangolin

Wed, 25 Feb 2026 23:15:00 +0000
  Type: Description
  Values Added: A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.4-s.4 mitigates this issue. The identifier of the patch is 5e37c4e85fae68e756be5019a28ca903b161fdd5. Upgrading the affected component is advised.
  Type: Title
  Values Added: fosrl Pangolin Role verifyApiKeyRoleAccess access control
  Type: Weaknesses
  Values Added: CWE-266; CWE-284
  Type: References
  Values Added: (not shown)
  Type: Metrics
  Values Added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-08T07:06:50.150Z

Reserved: 2026-02-25T16:40:11.724Z

Link: CVE-2026-3209

Vulnrichment

Updated: 2026-02-26T16:44:20.702Z

NVD

Status: Deferred

Published: 2026-02-25T23:16:21.920

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses