Description
A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Improper authorization allowing unauthorized script creation or update via Wooey API
Action: Patch
AI Analysis

Impact

A flaw in Wooey's add_or_update_script function in wooey/api/scripts.py allows an attacker to bypass authorization controls when adding or updating scripts. The endpoint does not check that the caller holds the privileges needed for the operation: the CVSS vector (PR:L) indicates that any authenticated low-privileged account can reach it, so an ordinary user can create or modify script definitions that the application later executes server-side, which may lead to privilege escalation or unauthorized code execution on the host. The vulnerability is classed as an authorization failure (CWE-266 Incorrect Privilege Assignment and CWE-285 Improper Authorization) and is reachable remotely through the public API.

Affected Systems

Wooey versions up to and including 0.13.2 are affected. The fix ships in 0.13.3rc1 and 0.14.0 (commit f7846fc0c323da8325422cab32623491757f1b88); upgrading to either of those or newer resolves the issue. The affected component is the API endpoint in the script-handling module.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (CVSS 3.x: 6.3) indicates medium severity; the vector reflects a network-reachable, low-complexity attack requiring only low privileges and no user interaction. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records exploitation as proof-of-concept, meaning a public exploit exists but in-the-wild exploitation has not been reported. Because the flaw is reachable remotely through the API by any authenticated user and the exploit is public, any exposed instance that allows untrusted accounts is at risk, and administrators should remediate promptly.

Generated by OpenCVE AI on April 28, 2026 at 04:16 UTC.

Remediation

Vendor fix available: upgrade to Wooey 0.13.3rc1 or 0.14.0, which contain commit f7846fc0c323da8325422cab32623491757f1b88. No vendor workaround is provided.

OpenCVE Recommended Actions

  • Update Wooey to version 0.13.3rc1 or any newer release such as 0.14.0, which contains the fix identified by commit f7846fc0c323da8325422cab32623491757f1b88
  • If an immediate upgrade is not possible, restrict access to the script add/update API endpoint (served by wooey/api/scripts.py) to trusted administrators; note that the CVSS vector (PR:L) shows an authenticated low-privileged account is enough to exploit the flaw, so blocking only unauthenticated requests is not sufficient, and network-level restriction or disabling self-service account creation may be needed
  • During the upgrade, verify that the authorization logic for add_or_update_script is in place: an authenticated account without the relevant script permission should be refused when it attempts to create or update a script, and only users holding the appropriate permission should succeed
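The following Python model is an added illustration and is not Wooey's code nor taken from the fix commit. It contrasts an authentication-only handler, which a logged-in low-privileged caller (PR:L in the CVSS vector) passes, with a handler gated on a permission check of the kind the last recommendation asks you to verify. The names User, Request, ScriptStore, the permission string wooey.change_script and both handler functions are assumptions made for this example; in a real Django application the equivalent check is request.user.has_perm() or the permission_required decorator.

```python
"""Hypothetical model of an authorization check on a script add/update
endpoint. Not Wooey's code: every name here is an assumption for illustration."""
from dataclasses import dataclass, field

HTTP_OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 200, 401, 403
SCRIPT_WRITE_PERMISSION = "wooey.change_script"  # assumed permission name


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    permissions: frozenset = frozenset()

    def has_perm(self, perm: str) -> bool:
        # Django convention: superusers implicitly hold every permission.
        return self.is_superuser or perm in self.permissions


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User
    data: dict


@dataclass
class ScriptStore:
    scripts: dict = field(default_factory=dict)


def vulnerable_add_or_update_script(request, store):
    """Authentication only: any logged-in account can create or overwrite a script."""
    if not request.user.is_authenticated:
        return HTTP_UNAUTHORIZED, None
    name = request.data["name"]
    store.scripts[name] = {"content": request.data["content"],
                           "owner": request.user.username}
    return HTTP_OK, name


def require_perm(perm):
    """Decorator: 401 for anonymous callers, 403 for callers lacking `perm`."""
    def decorator(view):
        def wrapped(request, store):
            if not request.user.is_authenticated:
                return HTTP_UNAUTHORIZED, None
            if not request.user.has_perm(perm):
                return HTTP_FORBIDDEN, None
            return view(request, store)
        return wrapped
    return decorator


@require_perm(SCRIPT_WRITE_PERMISSION)
def hardened_add_or_update_script(request, store):
    """Same operation, but only callers holding the script permission reach it."""
    name = request.data["name"]
    store.scripts[name] = {"content": request.data["content"],
                           "owner": request.user.username}
    return HTTP_OK, name


def run_scenario(handler):
    """Drive a handler with three callers against a constructed store and
    report, per caller, (status, owner of report.py after the call)."""
    store = ScriptStore({"report.py": {"content": "print('ok')", "owner": "admin"}})
    # Constructed payload: a low-privileged user trying to overwrite an admin's script.
    payload = {"name": "report.py", "content": "import os; os.system('id')"}
    results = {}
    for user in (ANONYMOUS, User("lowpriv"), User("admin", is_superuser=True)):
        status, _ = handler(Request(user, dict(payload)), store)
        results[user.username] = (status, store.scripts["report.py"]["owner"])
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_add_or_update_script),
                          ("hardened", hardened_add_or_update_script)):
        print(name, run_scenario(handler))
```

Running the script shows the difference the CVSS vector describes: with the authentication-only handler the "lowpriv" account overwrites the admin's script and becomes its owner, while the permission-gated handler returns 403 and leaves the script untouched; anonymous callers get 401 from both, which is why a control that only blocks unauthenticated traffic does not close this gap.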

Generated by OpenCVE AI on April 28, 2026 at 04:16 UTC.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wooey; Wooey wooey

Type: Vendors & Products
Values Removed: (none)
Values Added: Wooey; Wooey wooey

Mon, 27 Apr 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded.

Type: Title
Values Removed: (none)
Values Added: Wooey API Endpoint scripts.py add_or_update_script improper authorization

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266; CWE-285

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T20:12:13.840Z

Reserved: 2026-04-26T19:42:42.726Z

Link: CVE-2026-7142

Vulnrichment

Updated: 2026-04-27T19:39:21.939Z

NVD

Status : Deferred

Published: 2026-04-27T17:16:45.820

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-7142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:17:01Z

Weaknesses