CVE-2026-27198 Overview
CVE-2026-27198 is a privilege escalation vulnerability affecting Formwork, a flat file-based Content Management System (CMS). The vulnerability exists in versions 2.0.0 through 2.3.3 where the application fails to properly enforce role-based authorization during account creation. Although the system validates that a specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. This allows an authenticated user with the editor role to create a new account with administrative privileges, leading to a complete compromise of the CMS.
Critical Impact
An authenticated attacker with minimal privileges (editor role) can escalate to full administrative access, enabling complete control over the CMS including content manipulation, user management, and system configuration.
Affected Products
- Formwork CMS versions 2.0.0 through 2.3.3
- Self-hosted Formwork installations using default user management
- Environments with multiple user roles configured
Discovery Timeline
- 2026-02-21 - CVE-2026-27198 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27198
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management). The root issue lies in the UsersController.php file within the Formwork panel, where the user creation logic accepts a role parameter from form data without verifying whether the requesting user has the authority to assign that role.
When an editor-level user submits a request to create a new user account, the system checks whether the specified role exists in the roles registry but fails to validate if the current user should be allowed to assign roles with higher privileges than their own. This architectural flaw enables vertical privilege escalation through the legitimate account creation interface.
Root Cause
The vulnerability stems from missing authorization checks in the user creation workflow. The original code retrieves the role directly from form data using $form->data()->get('role', 'user') and only validates that the role exists via $this->site->users()->roles()->has($roleId). The critical missing step is verifying that the authenticated user's privilege level permits assigning the requested role.
Attack Vector
The attack is network-accessible and requires low-privilege authentication. An attacker with editor credentials can exploit this vulnerability by:
- Authenticating to the Formwork admin panel with editor credentials
- Navigating to the user creation interface
- Intercepting or modifying the form submission to specify role=admin
- Submitting the request to create a new administrative user
- Logging in with the newly created admin account
The following patch demonstrates the security fix implemented in version 2.3.4:
return $this->redirect($this->generateRoute('panel.users'));
}
- // Get the role
- $roleId = $form->data()->get('role', 'user');
+ $currentUser = $this->panel->user();
- if (!$this->site->users()->roles()->has($roleId)) {
+ // Prevent non-admins from escalating privileges by assigning a role different from their own
+ $role = $currentUser->isAdmin() ? $form->data()->get('role') : $currentUser->role()->id();
+
+ if (!$this->site->users()->roles()->has($role)) {
$this->panel->notify($this->translate('panel.users.user.cannotCreate.invalidRole'), 'error');
return $this->redirect($this->generateRoute('panel.users'));
}
$user = $userFactory->make([]);
try {
- $user->setMultiple($form->data()->toArray());
+ $user->setMultiple([...$form->data()->toArray(), 'role' => $role]);
$user->save();
} catch (TranslatedException $e) {
$this->panel->notify($this->translate($e->getLanguageString()), 'error');
Source: GitHub Commit Reference
The fix introduces a check using $currentUser->isAdmin() to determine whether the requesting user can specify arbitrary roles. Non-admin users are now restricted to creating accounts with their own role level, preventing privilege escalation.
Detection Methods for CVE-2026-27198
Indicators of Compromise
- Unexpected administrative user accounts in the Formwork user database
- User creation logs showing accounts with admin role created by non-admin users
- Authentication events from newly created admin accounts following suspicious user creation activity
- Audit trail anomalies showing privilege changes without corresponding admin approval
Detection Strategies
- Monitor user creation events and alert when non-admin users create accounts with elevated privileges
- Implement log analysis rules to detect role assignment patterns inconsistent with user permissions
- Review the Formwork user directory for recently created accounts with administrative privileges
- Enable verbose logging for the admin panel to capture role assignment attempts
Monitoring Recommendations
- Configure SIEM rules to correlate user creation events with the creating user's role level
- Establish baseline behavior for user management operations in the CMS
- Implement file integrity monitoring on Formwork user configuration files
- Set up alerts for authentication from newly created administrative accounts
How to Mitigate CVE-2026-27198
Immediate Actions Required
- Upgrade Formwork CMS to version 2.3.4 or later immediately
- Audit existing user accounts for unauthorized administrative privileges
- Review user creation logs for evidence of prior exploitation
- Temporarily restrict user creation privileges to trusted administrators only
Patch Information
The vulnerability has been addressed in Formwork version 2.3.4. The security patch modifies the UsersController.php file to enforce proper authorization checks during account creation. Non-admin users are now restricted to creating accounts with their own role level, preventing privilege escalation attacks.
For detailed patch information, refer to:
Workarounds
- Disable user creation functionality for non-admin users until the patch is applied
- Implement network-level access controls to restrict admin panel access to trusted IP addresses
- Remove or disable editor-level accounts that do not require user creation privileges
- Monitor and log all user management operations for manual review
# Configuration example
# Restrict admin panel access at the web server level (Apache example)
<Directory "/path/to/formwork/panel">
Require ip 10.0.0.0/8 192.168.1.0/24
</Directory>
# Or using .htaccess if permitted
# Deny access to user creation endpoint for non-admin IPs
<Files "users">
Require ip 10.0.0.0/8
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
