Description
Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
Published: 2026-05-09
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pelican contains a privilege escalation flaw in its Web User Interface that allows a user authenticated through OAuth to acquire administrator privileges when the platform is configured in specific ways. The vulnerability is classified as CWE-863 (Incorrect Authorization) and carries a CVSS 4.0 base score of 9.0 (Critical), indicating a severe security issue.

Affected Systems

Affected versions are 7.21.0 through 7.21.4, 7.22.0 through 7.22.2, 7.23.0 through 7.23.2, and 7.24.0 through 7.24.1 of the Pelican platform. Any deployment running one of these releases without the corresponding patch release for its branch (7.21.5, 7.22.3, 7.23.3, or 7.24.2) is exposed.
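Because the fix is per release branch, a deployment on 7.22.1 is newer than 7.21.5 yet still vulnerable, so "upgrade to 7.21.5 or newer" is the wrong triage rule. The following is an added inventory check, not Pelican project code: the four ranges are taken from the advisory above, while the parsing rules (an optional leading "v", SemVer pre-release and build suffixes) and the sample inventory are assumptions constructed for the example.

```python
"""Triage check for CVE-2026-42571 (Pelican WebUI privilege escalation).

Added example, not Pelican project code. The version ranges come from the
advisory text; the version-string parsing rules and the sample inventory
are assumptions made for this example.
"""
import re
from typing import Dict, Optional, Tuple

# (first affected, first fixed) per release branch, from the advisory.
# Fixes are per branch: 7.22.1 is newer than 7.21.5 and still vulnerable.
AFFECTED_RANGES = [
    ((7, 21, 0), (7, 21, 5)),
    ((7, 22, 0), (7, 22, 3)),
    ((7, 23, 0), (7, 23, 3)),
    ((7, 24, 0), (7, 24, 2)),
]

# Assumed version format: optional 'v', MAJOR.MINOR.PATCH, optional SemVer
# pre-release ('-rc1') and build ('+abc') suffixes.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)

VersionKey = Tuple[int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Parse a version string into a sortable (major, minor, patch, final) key.

    The trailing element is 0 for a pre-release and 1 for a final release, so
    7.22.3-rc1 sorts before 7.22.3 (SemVer ordering) and therefore still
    counts as 'before 7.22.3', i.e. vulnerable. Unrecognised strings raise
    rather than being silently treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Pelican version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    is_prerelease = m.group(4) is not None
    return (major, minor, patch, 0 if is_prerelease else 1)


def _final(v: Tuple[int, int, int]) -> VersionKey:
    """Key for a final release used as a range bound."""
    return v + (1,)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patch release that fixes CVE-2026-42571 for this version,
    or None if the version lies outside every affected range in the advisory.

    None means 'not in the advisory's ranges', which is only as good as the
    advisory: unlisted branches (e.g. 7.20.x) are reported as not affected.
    """
    key = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if _final(first_affected) <= key < _final(first_fixed):
            return ".".join(str(n) for n in first_fixed)
    return None


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host -> version to host -> required fix release (None if clean)."""
    return {host: fixed_version_for(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "origin-a": "7.22.1",      # newer than 7.21.5, still vulnerable
        "cache-b": "v7.24.2",      # patched
        "director-c": "7.23.3-rc1",  # pre-release of the fix is still before it
        "legacy-d": "7.20.9",      # not in the advisory's ranges
    }
    for host, fix in triage(sample).items():
        print(f"{host}: {'upgrade to ' + fix if fix else 'not in affected ranges'}")
```

Run it against your real inventory in place of the constructed sample; any host that returns a fix version needs that branch's patch release, and a `ValueError` means the version string should be checked by hand rather than assumed safe.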

Risk and Exploitability

The flaw gives an attacker who already holds an OAuth-authenticated WebUI account a direct route to administrator privileges. The CVSS 4.0 vector (AV:N, AC:L, AT:P, PR:L, UI:N) describes a network-reachable attack that needs only low privileges and no user interaction; the Attack Requirements flag (AT:P) reflects the configuration precondition noted in the description. The EPSS score is below 1% (Very Low) and the vulnerability is not listed in CISA's KEV catalog, so there is no current indication of in-the-wild exploitation, but the 9.0 score, with high impact on confidentiality, integrity and availability of both the vulnerable and subsequent systems, makes it a critical risk for any deployment running a vulnerable release.

Generated by OpenCVE AI on May 9, 2026 at 20:22 UTC.

Remediation

Vendor fix: Pelican 7.21.5, 7.22.3, 7.23.3, and 7.24.2 (see the description and GHSA-rpfr-x88x-xwcw). No vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade to the patched release for your Pelican branch: 7.21.5, 7.22.3, 7.23.3, or 7.24.2. A newer version number alone is not sufficient; for example 7.22.1 is newer than 7.21.5 but still vulnerable.
  • Review which OAuth-authenticated users can reach the WebUI and which configuration paths map them to admin rights, and enforce least privilege so that only intended users hold admin-level permissions.
  • Until the patched release is deployed, audit custom WebUI configurations and temporarily restrict or remove any setting that grants admin rights to authenticated users; then re-check the resulting role assignments after upgrading.

Generated by OpenCVE AI on May 9, 2026 at 20:22 UTC.


Advisories

  • Source: GitHub GHSA
    ID: GHSA-rpfr-x88x-xwcw
    Title: Pelican Web UI Affected by a Privilege Escalation Attack
History

Sat, 09 May 2026 19:45:00 +0000

Values added (nothing removed):

  • Description: Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
  • Title: Privilege Escalation Attack affecting Pelican Web UI
  • Weaknesses: CWE-863
  • References: (none listed)
  • Metrics (cvssV4_0): {'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:19:36.522Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42571

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T20:16:29.277

Modified: 2026-05-09T20:16:29.277

Link: CVE-2026-42571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T20:30:41Z

Weaknesses