CVE-2026-29002 Overview
CVE-2026-29002 is a privilege escalation vulnerability affecting CouchCMS, a popular open-source content management system. The vulnerability allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. By modifying the parameter value from 4 to 10 in the HTTP request body, attackers can bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.
This is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to properly validate privilege level assignments during user creation operations.
Critical Impact
Authenticated administrators can escalate to SuperAdmin privileges, gaining complete control over the CouchCMS application and potentially compromising all managed content and user accounts.
Affected Products
- CouchCMS (all versions prior to patched release)
- Self-hosted CouchCMS deployments
- Web applications built on CouchCMS platform
Discovery Timeline
- April 10, 2026 - CVE-2026-29002 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-29002
Vulnerability Analysis
This privilege escalation vulnerability exists in CouchCMS's user management functionality. The application uses a parameter called f_k_levels_list to define the privilege level when creating new user accounts. Standard Admin users are assigned a level value of 4, while SuperAdmin accounts use a value of 10.
The core issue is that the application performs insufficient server-side validation of the f_k_levels_list parameter during user creation requests. While the user interface restricts Admin users from creating SuperAdmin accounts, the backend does not properly enforce these authorization boundaries when processing HTTP requests directly.
An attacker with Admin-level access can intercept the user creation request using a proxy tool and modify the f_k_levels_list parameter value from 4 to 10. When the server processes this tampered request, it creates a new user account with SuperAdmin privileges, effectively bypassing the intended access control restrictions.
Root Cause
The root cause of CVE-2026-29002 is improper authorization validation in the user creation workflow. The application relies on client-side restrictions to prevent Admin users from assigning SuperAdmin privileges, but fails to implement corresponding server-side authorization checks. This allows attackers to manipulate request parameters to bypass the intended privilege boundaries, as the f_k_levels_list value is directly used without validating whether the requesting user has permission to assign that privilege level.
Attack Vector
The attack is network-based and requires an attacker to have valid Admin-level credentials for the target CouchCMS installation. The attack sequence involves:
- Authenticating to the CouchCMS admin panel with Admin credentials
- Initiating a user creation request through the standard interface
- Intercepting the HTTP POST request using a web proxy (e.g., Burp Suite)
- Modifying the f_k_levels_list parameter from 4 to 10
- Forwarding the tampered request to the server
Upon successful exploitation, the attacker gains a SuperAdmin account with full administrative privileges over the CouchCMS installation. For detailed technical information, see the VulnCheck advisory and the security researcher's documentation.
Detection Methods for CVE-2026-29002
Indicators of Compromise
- Unexpected SuperAdmin accounts appearing in the CouchCMS user database
- Admin user accounts showing activity related to user creation with elevated privileges
- HTTP POST requests to user creation endpoints containing f_k_levels_list=10 from Admin sessions
- Audit log entries showing Admin users creating accounts with SuperAdmin privilege levels
Detection Strategies
- Monitor HTTP request bodies for f_k_levels_list parameter values that exceed the requesting user's privilege level
- Implement alerting on user creation events where the assigned privilege level is higher than expected
- Review web server access logs for requests to admin endpoints with modified privilege parameters
- Deploy web application firewall (WAF) rules to detect parameter tampering in user management requests
Monitoring Recommendations
- Enable detailed audit logging for all user creation and modification operations in CouchCMS
- Configure alerts for any new SuperAdmin account creation events
- Implement periodic review of user privilege levels to identify unauthorized escalations
- Monitor for proxy tool signatures or unusual request patterns from Admin sessions
How to Mitigate CVE-2026-29002
Immediate Actions Required
- Audit existing CouchCMS user accounts to identify any unauthorized SuperAdmin accounts
- Review access logs for evidence of exploitation attempts targeting the user creation functionality
- Restrict network access to CouchCMS admin panels to trusted IP ranges
- Implement additional authentication factors for administrative actions
Patch Information
Check the CouchCMS official website for security updates addressing this vulnerability. Apply the latest security patches as soon as they become available. No official vendor advisory has been published at this time.
Workarounds
- Implement a web application firewall (WAF) rule to reject user creation requests containing f_k_levels_list values that exceed authorized levels
- Restrict Admin account creation to SuperAdmin users only until a patch is applied
- Deploy server-side middleware to validate that the f_k_levels_list parameter matches the requesting user's maximum assignable privilege level
- Consider temporarily disabling user creation functionality for Admin-level accounts in production environments
# Example WAF rule to detect privilege escalation attempts
# Block requests with f_k_levels_list=10 from non-SuperAdmin sessions
# Adjust based on your WAF platform (ModSecurity example)
SecRule REQUEST_BODY "@contains f_k_levels_list=10" \
"id:100001,phase:2,deny,status:403,\
msg:'Potential CouchCMS privilege escalation attempt (CVE-2026-29002)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
