Description
Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.
Published: 2026-06-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bootimus through 0.1.70 contains a broken access control flaw that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients. This vulnerability represents a high-risk privilege escalation that can compromise the entire system.

Affected Systems

The security issue affects the Bootimus application from garybowers, specifically releases up to and including version 0.1.70. Users running these versions should verify their installation for the presence of this flaw.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as high severity and the EPSS score of less than 1% indicates low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate as a low-privileged user; from there they can construct API requests that the JWT middleware mistakenly authorizes, enabling the creation of admin accounts and password resets. The exploit path requires access to the /api/users endpoints, so proper network segmentation and hardening of the API surface reduce exposure.

Generated by OpenCVE AI on June 25, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Bootimus update that includes the JWTMiddleware fix or upgrade to a version newer than 0.1.70.
  • Modify the JWTMiddleware to enforce the is_admin flag or remove the flag check entirely from the authorization logic.
  • Restrict the /api/users endpoints so that only authenticated administrators can access them, or disable administrative account creation and password reset functionality if not needed.

Generated by OpenCVE AI on June 25, 2026 at 18:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory. Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.
Title dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage() Bootimus 0.1.70 Broken Access Control via JWTMiddleware Authorization Bypass
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Networkconfiguration
Networkconfiguration dhcpcd
Vendors & Products Networkconfiguration
Networkconfiguration dhcpcd

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
Title dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Networkconfiguration Dhcpcd
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T15:57:36.412Z

Reserved: 2026-06-18T19:15:10.650Z

Link: CVE-2026-56115

cve-icon Vulnrichment

Updated: 2026-06-23T17:08:36.867Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T16:08:55Z

Links: CVE-2026-56115 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T18:30:14Z

Weaknesses