CVE 8.8 HIGH

Formwork Improperly Manages Privileges During User Creation_CVE-2026-27198

February 21, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.

AI Analysis

Improper role-based authorization during account creation allows an authenticated user with the editor role to create a new account with administrative privileges

Basic Information

ID CVE-2026-27198

Source GitHub_M

Published Feb 21, 2026 at 05:11

Affected Product

Vendor getformwork

Product formwork

Version >= 2.0.0, < 2.3.4

Affected Versions getformwork formwork >= 2.0.0, < 2.3.4

CWE Classification

CWE-269

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor getformwork

Product formwork

Version 2.0.0-2.3.3

References

{
    "lastseen": "",
    "description": "Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.",
    "published": "2026-02-21T05:11:42.535Z",
    "modified": "2026-02-21T05:11:42.535Z",
    "type": "cve",
    "title": "Formwork Improperly Manages Privileges During User Creation",
    "source": "GitHub_M",
    "references": "https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2\nhttps://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd\nhttps://github.com/getformwork/formwork/releases/tag/2.3.4",
    "id": "CVE-2026-27198",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "getformwork formwork >= 2.0.0, < 2.3.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "formwork",
    "version": ">= 2.0.0, < 2.3.4",
    "vendor": "getformwork",
    "ai_description": "Improper role-based authorization during account creation allows an authenticated user with the editor role to create a new account with administrative privileges",
    "ai_severity": "High",
    "ai_vendor": "getformwork",
    "ai_product": "formwork",
    "ai_version": "2.0.0-2.3.3",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply