CVE-2026-27899 Overview
CVE-2026-27899 is a privilege escalation vulnerability in WireGuard Portal (wg-portal), a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can escalate their privileges to full administrator by sending a crafted PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. This vulnerability allows complete takeover of the WireGuard VPN management portal.
Critical Impact
Any authenticated user can gain full administrative access to the WireGuard VPN management portal, potentially compromising the entire VPN infrastructure and all connected clients.
Affected Products
- WireGuard Portal (wg-portal) versions prior to 2.1.3
- Docker images built from master branch (prior to fix)
Discovery Timeline
- 2026-02-26 - CVE-2026-27899 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27899
Vulnerability Analysis
This privilege escalation vulnerability stems from improper access control (CWE-269) in the user profile update functionality. When a user updates their own profile via the API, the server parses the complete JSON body into the user model without properly restricting which fields can be modified by the user.
The application implements a function designed to preserve calculated or protected attributes by pinning certain fields to their database values. This function correctly protects fields such as base model data, linked peer count, and authentication data. However, the critical IsAdmin boolean field was not included in this protection mechanism.
As a result, whatever value the client sends for IsAdmin is written directly to the database without validation. After modifying this field, an attacker simply needs to log out and log back in to have their session pick up the new admin privileges from the database.
Root Cause
The root cause is insufficient input validation and missing field-level access control on the user profile update endpoint. The server-side code fails to filter or validate the IsAdmin field when processing user profile update requests. While other sensitive fields are explicitly protected by resetting them to their database values before saving, the IsAdmin field was inadvertently omitted from this protection list.
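The following Go snippet is an added example, not wg-portal's code: it reconstructs the "pin protected fields" pattern the advisory describes with a hypothetical user model, showing the vulnerable form (IsAdmin missing from the pinned set) beside the fixed form. The struct, its field names, the handler and the attacker payload are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical, simplified stand-in for the portal's user record.
// It is not wg-portal's real struct; it only mirrors the kinds of fields the
// advisory describes: calculated and administrative attributes plus IsAdmin.
type User struct {
	Identifier      string `json:"Identifier"`
	Email           string `json:"Email"`
	Firstname       string `json:"Firstname"`
	LinkedPeerCount int    `json:"LinkedPeerCount"` // calculated server-side
	Locked          bool   `json:"Locked"`          // administrative state
	IsAdmin         bool   `json:"IsAdmin"`         // privilege flag
}

// pinProtectedFieldsVulnerable mirrors the flawed pattern: it copies the
// calculated and administrative values back from the stored record, but the
// IsAdmin flag is not in the list, so the client-supplied value survives.
func pinProtectedFieldsVulnerable(stored, incoming User) User {
	incoming.Identifier = stored.Identifier
	incoming.LinkedPeerCount = stored.LinkedPeerCount
	incoming.Locked = stored.Locked
	// IsAdmin is not pinned here: that omission is the vulnerability.
	return incoming
}

// pinProtectedFieldsFixed is the hardened form: the privilege flag is pinned
// to its stored value like every other field the user must not control.
func pinProtectedFieldsFixed(stored, incoming User) User {
	incoming = pinProtectedFieldsVulnerable(stored, incoming)
	incoming.IsAdmin = stored.IsAdmin
	return incoming
}

// updateOwnProfile models the self-service PUT handler: the whole JSON body is
// parsed into the user model, protected fields are pinned by the supplied
// function, and the result is what would be written to the database.
func updateOwnProfile(stored User, body []byte, pin func(stored, incoming User) User) (User, error) {
	var incoming User
	if err := json.Unmarshal(body, &incoming); err != nil {
		return stored, fmt.Errorf("invalid profile body: %w", err)
	}
	if incoming.Identifier != "" && incoming.Identifier != stored.Identifier {
		return stored, fmt.Errorf("profile identifier mismatch")
	}
	return pin(stored, incoming), nil
}

func main() {
	stored := User{Identifier: "alice", Email: "alice@example.com", LinkedPeerCount: 2}
	// Constructed attacker payload: an ordinary profile edit with IsAdmin smuggled in.
	body := []byte(`{"Identifier":"alice","Email":"alice@example.com","Firstname":"Alice","IsAdmin":true,"LinkedPeerCount":99}`)

	v, _ := updateOwnProfile(stored, body, pinProtectedFieldsVulnerable)
	f, _ := updateOwnProfile(stored, body, pinProtectedFieldsFixed)
	fmt.Printf("vulnerable: IsAdmin=%v LinkedPeerCount=%d\n", v.IsAdmin, v.LinkedPeerCount) // IsAdmin=true LinkedPeerCount=2
	fmt.Printf("fixed:      IsAdmin=%v LinkedPeerCount=%d\n", f.IsAdmin, f.LinkedPeerCount) // IsAdmin=false LinkedPeerCount=2
}
```

Note that LinkedPeerCount is pinned in both versions, which is exactly why the bug was easy to miss: the protection mechanism existed and worked for every field except the one that mattered most. The durable fix is a dedicated request type for self-service updates that has no privilege fields at all, so a forgotten entry in a pin list cannot reintroduce the problem.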
Attack Vector
The attack is network-based and requires only low privileges (any authenticated non-admin user account). The attacker sends a PUT request to their own user profile endpoint, including "IsAdmin": true in the JSON payload. Exploitation requires no user interaction and no special conditions; it is a single authenticated API request followed by a fresh login.
The attack flow proceeds as follows:
- The attacker authenticates as a regular (non-admin) user
- The attacker sends a PUT request to their profile endpoint with the IsAdmin field set to true in the JSON body
- The server processes the request and writes the IsAdmin value directly to the database
- The attacker logs out and logs back in
- The new session now has full administrative privileges
For technical details on the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-27899
Indicators of Compromise
- Unexpected changes to user IsAdmin status in the database
- PUT requests to user profile endpoints containing IsAdmin field from non-admin users
- Users gaining admin privileges without authorized elevation
- Unusual administrative actions performed by accounts that should not have admin access
Detection Strategies
- Monitor API logs for PUT/PATCH requests to user profile endpoints containing IsAdmin in the request body
- Implement database audit logging to detect unauthorized changes to the IsAdmin field
- Alert on role changes where the source user does not have administrative privileges
- Review access logs for privilege escalation patterns where non-admin users begin performing admin-only actions
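The detection strategy in the first list item, run over sample data, as an added example that is not part of the page or of wg-portal: it assumes a hypothetical JSON access-log format with request-body logging enabled (field names method, path, actor, actor_admin, body are assumptions) and an assumed route prefix /api/v0/users/. It deliberately goes beyond a literal match on the string "IsAdmin": Go's encoding/json matches struct field names case-insensitively when unmarshalling, so a server written in Go would accept "isadmin" as well, and a detector keyed on exact spelling would miss that variant.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// requestLog is a constructed, hypothetical shape for an API access log entry
// recorded with request-body logging enabled. The field names are assumptions
// for this example, not wg-portal's actual log format.
type requestLog struct {
	Method     string `json:"method"`
	Path       string `json:"path"`
	Actor      string `json:"actor"`
	ActorAdmin bool   `json:"actor_admin"`
	Body       string `json:"body"`
}

// profilePathPrefix is an assumed route prefix for user profile updates;
// adjust it to the route your deployment actually exposes.
const profilePathPrefix = "/api/v0/users/"

// isAdminInBody reports whether the JSON body carries an IsAdmin key and, if
// so, the boolean it was set to. The key comparison is case-insensitive on
// purpose: Go's encoding/json matches struct fields case-insensitively when
// unmarshalling, so a body with "isadmin" or "ISADMIN" lands in the same field
// as "IsAdmin", and a detector that greps for the exact spelling misses it.
func isAdminInBody(body string) (present bool, value bool) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &fields); err != nil {
		return false, false
	}
	for key, raw := range fields {
		if strings.EqualFold(key, "IsAdmin") {
			var v bool
			_ = json.Unmarshal(raw, &v) // non-boolean values stay false but are still flagged
			return true, v
		}
	}
	return false, false
}

// detectPrivilegeEscalation scans newline-delimited JSON log lines and returns
// one alert per request that matches the advisory's indicator: a PUT or PATCH
// to a profile endpoint whose body names IsAdmin, issued by a non-admin actor.
// Admin actors are exempt because changing roles is a legitimate admin action.
func detectPrivilegeEscalation(lines string) []string {
	var alerts []string
	for n, line := range strings.Split(lines, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e requestLog
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // malformed line; a production pipeline should count these
		}
		if e.Method != "PUT" && e.Method != "PATCH" {
			continue
		}
		if !strings.HasPrefix(e.Path, profilePathPrefix) {
			continue
		}
		present, value := isAdminInBody(e.Body)
		if !present || e.ActorAdmin {
			continue
		}
		alerts = append(alerts, fmt.Sprintf("line %d: non-admin %q sent %s %s with IsAdmin=%v",
			n+1, e.Actor, e.Method, e.Path, value))
	}
	return alerts
}

// sampleLog is constructed test data, not a capture from a real deployment.
// Expected: alerts for bob (exact key) and dave (lower-case key); alice is an
// admin, carol's body has no IsAdmin, and eve's request is a GET.
const sampleLog = `
{"method":"PUT","path":"/api/v0/users/bob","actor":"bob","actor_admin":false,"body":"{\"Email\":\"bob@example.com\",\"IsAdmin\":true}"}
{"method":"PUT","path":"/api/v0/users/bob","actor":"alice","actor_admin":true,"body":"{\"Email\":\"bob@example.com\",\"IsAdmin\":true}"}
{"method":"PUT","path":"/api/v0/users/carol","actor":"carol","actor_admin":false,"body":"{\"Email\":\"carol@example.com\",\"Firstname\":\"Carol\"}"}
{"method":"PATCH","path":"/api/v0/users/dave","actor":"dave","actor_admin":false,"body":"{\"isadmin\":true}"}
{"method":"GET","path":"/api/v0/users/eve","actor":"eve","actor_admin":false,"body":""}
`

func main() {
	for _, a := range detectPrivilegeEscalation(sampleLog) {
		fmt.Println("ALERT", a)
	}
}
```

The same parse-then-compare approach applies to a WAF or proxy rule: inspect the decoded JSON key rather than a byte pattern, and scope the rule to self-service updates by non-admin sessions so that legitimate role changes by administrators do not page anyone.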
Monitoring Recommendations
- Enable detailed request body logging for user profile update endpoints
- Implement real-time alerting for any modifications to admin privilege fields
- Conduct regular audits of user privilege levels against authorized access lists
- Deploy a web application firewall (WAF) in front of the portal to inspect request bodies and block self-service profile updates that carry an IsAdmin field; treat this as a stopgap until the upgrade is applied, since rules that match a literal byte pattern can be bypassed by equivalent encodings of the same key
How to Mitigate CVE-2026-27899
Immediate Actions Required
- Upgrade WireGuard Portal to version 2.1.3 or later immediately
- Audit all user accounts for unexpected administrative privileges
- Review recent API access logs for potential exploitation attempts
- Revoke administrative rights that cannot be traced to an authorized change, and rotate credentials and invalidate sessions for any account that may have been used to exploit the flaw
- Pull the latest Docker image if using the latest tag from the master branch
Patch Information
The vulnerability was fixed in WireGuard Portal version 2.1.3. The Docker images built from the master branch with the latest tag also include the fix. Organizations should update to the patched version as soon as possible. For additional details, see the GitHub Security Advisory.
Workarounds
- Restrict network access to the WireGuard Portal to trusted networks only until patching is complete
- Implement additional authentication layers such as VPN or IP whitelisting for portal access
- Disable self-service profile updates if possible until the patch is applied
- Monitor and audit all user privilege changes through external logging mechanisms
- Consider temporarily revoking access for non-essential users until the upgrade is completed
# Example: Update WireGuard Portal Docker container to latest patched version
# Re-attach the same volumes, ports, capabilities and environment variables as
# the running container (record them with `docker inspect wg-portal` before
# removing it); otherwise the upgraded container starts without your
# configuration and data. The run line below shows only the port mapping.
set -e
docker pull h44z/wg-portal:latest
docker stop wg-portal
docker rm wg-portal
docker run -d --name wg-portal -p 8080:8080 h44z/wg-portal:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


