CVE-2026-34427
Published: 20 April 2026
Description
Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations in the admin profile save endpoint to prevent authenticated users from modifying privileged fields like role_id.
Restricts user privileges to the minimum necessary, prohibiting self-escalation to Super Administrator via profile modifications.
Validates and sanitizes input parameters such as role_id in profile save requests to block unauthorized privilege escalation attempts.
Security Summary
CVE-2026-34427 is a privilege escalation vulnerability affecting Vvveb versions prior to 1.0.8.1. The issue resides in the admin user profile save endpoint, where authenticated users can modify privileged fields on their own profile. By injecting the parameter role_id=1 into profile save requests, attackers can elevate their privileges to Super Administrator. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-915.
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants Super Administrator access, which unlocks the plugin upload functionality and enables remote code execution on the server.
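The defect class behind this CVE is mass assignment (CWE-915): a profile-save handler copies every submitted field into the stored user record, so a request field named role_id overwrites the caller's own role. The following is an added, constructed Python illustration of that pattern beside the allowlist-based fix and a request-level check a defender can use in logs or WAF rules; it is not Vvveb's code, and the role ids, field names and request body are assumptions (role_id=1 mirrors the value named in the advisory).

```python
"""Mass assignment (CWE-915) on a profile-save endpoint: vulnerable vs hardened.

Constructed example modelled on the vulnerability class described in
CVE-2026-34427; it is not Vvveb's code. Role ids, field names and the
request body are assumptions.
"""
from __future__ import annotations

SUPER_ADMIN_ROLE = 1   # assumed privileged role id (role_id=1 in the advisory)
EDITOR_ROLE = 3        # assumed low-privilege role id

# Fields a user may change on their own profile (assumed allowlist).
SELF_EDITABLE = frozenset({"first_name", "last_name", "email", "avatar"})
# Fields that carry authorization decisions and must never come from the request.
PRIVILEGED = frozenset({"role_id", "status", "admin"})


def save_profile_vulnerable(user: dict, form: dict) -> dict:
    """Vulnerable pattern: every submitted field is copied into the stored record."""
    user.update(form)  # role_id=1 in the form silently becomes the user's role
    return user


def save_profile_hardened(user: dict, form: dict) -> tuple[dict, list[str]]:
    """Hardened pattern: only allowlisted fields are copied; everything else is
    dropped and returned so the caller can log the rejected fields."""
    rejected = sorted(k for k in form if k not in SELF_EDITABLE)
    for key in SELF_EDITABLE & form.keys():
        user[key] = form[key]
    return user, rejected


def is_escalation_attempt(form: dict) -> bool:
    """Detection check for request logs or WAF rules: a profile-save body that
    carries a privileged field deserves an alert regardless of server handling."""
    return bool(PRIVILEGED & form.keys())


if __name__ == "__main__":
    # Constructed request: an editor updates their e-mail and adds role_id=1.
    form = {"email": "eve@example.test", "role_id": SUPER_ADMIN_ROLE}

    victim = {"id": 42, "role_id": EDITOR_ROLE, "email": "old@example.test"}
    save_profile_vulnerable(victim, dict(form))
    print("vulnerable ->", victim["role_id"])  # 1: caller is now Super Administrator

    user = {"id": 42, "role_id": EDITOR_ROLE, "email": "old@example.test"}
    user, rejected = save_profile_hardened(user, dict(form))
    print("hardened   ->", user["role_id"], "rejected:", rejected)  # 3 rejected: ['role_id']
    print("alert:", is_escalation_attempt(form))  # True
```

The allowlist is the fix the NIST controls above describe: role changes belong in a separate, admin-only endpoint, never in the self-service profile handler.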
Mitigation is available via the official patch in Vvveb release 1.0.8.1, detailed in the corresponding GitHub commit (0eca14af50f038915b8bf7ceec2becf6b6720b0a). Additional guidance is provided in the VulnCheck advisory on the privilege escalation via admin user save.
Details
- CWE(s): CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a privilege escalation allowing low-privileged authenticated users to modify their profile's role_id parameter to gain Super Administrator access, directly enabling T1068 (Exploitation for Privilege Escalation). This unlocks further capabilities like plugin upload leading to RCE.