Description
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.
Published: 2026-05-07
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in CISA's manage.get.gov lets an organization administrator assign domain manager privileges for domains that are not already in another organization. An attacker with administrator permissions can grant themselves, or another account, full control over additional domains, escalating privileges and compromising the integrity of domain management. The weakness is a privilege management failure, classified as CWE-266, and could lead to unauthorized control of critical .gov domain registrations and related services.

Affected Systems

The affected system is the manage.get.gov platform operated by CISA. All releases prior to version 1.176.0 are vulnerable. An administrator of any organization within the platform could use the flaw to assign domain manager privileges for domains not already in another organization.

Risk and Exploitability

The CVSS score of 7 indicates high severity. Because the attacker must already be an organization administrator to use the function, the risk comes mainly from insider threats or compromised administrator accounts. The vulnerability is not listed in the CISA KEV catalog and no public exploit has been reported, but unauthorized privilege escalation can have a significant impact on domain management and should be addressed promptly.

Generated by OpenCVE AI on May 7, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to manage.get.gov version 1.176.0 or later.
  • Enforce least‑privilege roles so that only trusted administrators can assign domain manager privileges, and verify that the assignment function is restricted to verified domains only.
  • Monitor audit logs for unexpected domain manager assignment activity and investigate anomalies promptly.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Cisa; Cisa manage.get.gov |
| Vendors & Products | | Cisa; Cisa manage.get.gov |

Thu, 07 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30. |
| Title | | CISA manage.get.gov insecure portfolio administrative privileges |
| Weaknesses | | CWE-266 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H'}; cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-05-07T18:50:56.944Z

Reserved: 2026-05-01T15:27:56.173Z

Link: CVE-2026-43510

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-07T20:16:44.753

Modified: 2026-05-07T20:32:03.640

Link: CVE-2026-43510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:25Z
