CVE-2026-32699 Overview
FacturaScripts is an open source accounting and invoicing platform used by businesses to manage billing, customers, and financial records. The vulnerability affects FacturaScripts versions 2025.92 and earlier. The application fails to validate the nick parameter during a POST request to the EditUser controller.
While the user interface restricts editing of the nick field, an authenticated attacker can intercept the request and modify the nick form-data parameter directly. This allows renaming any account, including the administrator account. The flaw is classified as CWE-472: External Control of Assumed-Immutable Web Parameter.
Critical Impact
Authenticated low-privilege users can rename arbitrary accounts, including the administrator, by tampering with a form parameter the UI assumes is immutable.
Affected Products
- FacturaScripts versions 2025.92 and earlier
- The EditUser controller component
- Self-hosted FacturaScripts deployments exposing user management endpoints
Discovery Timeline
- 2026-05-05 - CVE-2026-32699 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-32699
Vulnerability Analysis
The vulnerability resides in the EditUser controller of FacturaScripts. The application enforces the immutability of the nick field only at the user interface layer. The server-side controller does not validate or reject changes to this parameter when submitted in a POST request.
An authenticated user with access to the user edit form can intercept the outgoing POST request using a proxy. By adding or modifying the nick form-data field, the attacker rewrites the username on any account record, including privileged accounts. This is a business logic flaw rooted in client-side trust.
The attack does not yield direct code execution or data exfiltration. The integrity impact is limited to renaming account identifiers. However, account rename operations can disrupt audit trails, break authentication workflows, and enable follow-on social engineering or impersonation attacks.
Root Cause
The root cause is improper server-side input validation on a parameter the application treats as assumed-immutable (CWE-472). The UI hides or disables the nick field, but the controller accepts whatever value the client submits. There is no authorization check confirming that the requesting user has permission to modify the target account's identifier.
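The trust boundary described above, as an added illustration rather than FacturaScripts code: a minimal Python stand-in for an EditUser-style handler, first copying every submitted field the way the vulnerable controller does, then a hardened form that authorizes the edit against the session instead of the request body and allow-lists the fields a client may change. The User, Request and UserStore types, the code form field naming the target account, the set of editable fields and the sample accounts are all assumptions made for this example.

```python
"""Added example (not FacturaScripts code): why server-side validation of an
'assumed-immutable' form field matters (CWE-472). All names are hypothetical."""
from dataclasses import dataclass


@dataclass
class User:
    nick: str               # account identifier; the UI renders it read-only
    email: str
    admin: bool = False


@dataclass
class Request:
    session_nick: str       # the authenticated user sending the request
    form: dict              # decoded POST body, fully attacker-controlled


class UserStore:
    """In-memory stand-in for the users table, keyed by nick."""

    def __init__(self, users):
        self.users = {u.nick: u for u in users}

    def get(self, nick):
        return self.users.get(nick)

    def rename(self, old, new):
        user = self.users.pop(old)
        user.nick = new
        self.users[new] = user


def edit_user_vulnerable(store, req):
    """Mirrors the flaw: every submitted field is applied, nick included."""
    target = store.get(req.form.get("code", ""))
    if target is None:
        return "not found"
    target.email = req.form.get("email", target.email)
    # The UI never lets anyone type a nick, so the controller assumes the
    # value is unchanged and applies whatever the body carries.
    new_nick = req.form.get("nick", target.nick)
    if new_nick != target.nick:
        store.rename(target.nick, new_nick)
    return "ok"


EDITABLE = {"email"}        # fields a client is allowed to change (assumption)


def edit_user_hardened(store, req):
    """Authorize against the session, then allow-list the writable fields."""
    actor = store.get(req.session_nick)
    target = store.get(req.form.get("code", ""))
    if actor is None or target is None:
        return "not found"
    # Who may edit whom is decided from the session, never from the body.
    if not actor.admin and actor.nick != target.nick:
        return "forbidden"
    # Fail closed before writing anything: the identifier is not an editable
    # field, so a differing nick in the body marks a tampered request.
    if "nick" in req.form and req.form["nick"] != target.nick:
        return "rejected: nick is immutable"
    for key in req.form.keys() & EDITABLE:
        setattr(target, key, req.form[key])
    return "ok"


def demo():
    """Replays one tampered request (constructed data) against both handlers."""
    def seed():
        return UserStore([User("admin", "admin@example.com", admin=True),
                          User("alice", "alice@example.com")])
    tampered = Request(session_nick="alice",
                       form={"code": "admin", "email": "x@example.com", "nick": "owned"})
    vuln, hard = seed(), seed()
    return (edit_user_vulnerable(vuln, tampered), sorted(vuln.users),
            edit_user_hardened(hard, tampered), sorted(hard.users))


if __name__ == "__main__":
    print(demo())
```

demo() sends the same intercepted request, a low-privilege user editing the administrator record with an injected nick, to both handlers: the vulnerable one renames the administrator account, the hardened one refuses because the session user is not an administrator. A self-edit that carries a changed nick is rejected before any field is written, so the fail-closed path never partially applies an update.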
Attack Vector
Exploitation requires network access to the application and valid authenticated credentials with access to the EditUser workflow. The attacker uses any HTTP intercepting proxy to capture a legitimate user edit request. The attacker then injects or modifies the nick parameter in the form-data body before forwarding the request. The server processes the modified parameter and renames the targeted account.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-pp79-hqv6-vmc3. No verified proof-of-concept code is publicly available.
Detection Methods for CVE-2026-32699
Indicators of Compromise
- Unexpected changes to the nick field on user records, particularly administrator accounts
- POST requests to the EditUser controller containing a nick parameter from non-administrative sessions
- Authentication failures on previously valid usernames following an account rename event
- Audit log entries recording a change to a user's nick, since the UI offers no control for making that change and a legitimate edit should never carry it
Detection Strategies
- Inspect web server and application logs for POST requests to EditUser endpoints and correlate the submitting user with the target account being modified
- Alert when the nick value of an existing user account changes outside of approved administrative provisioning workflows
- Compare current user account names against a baseline snapshot to identify unauthorized renames
Monitoring Recommendations
- Forward FacturaScripts application and access logs to a centralized logging or SIEM platform for retention and correlation
- Create alerts on changes to administrator-tier accounts, including username modifications
- Monitor for repeated form submissions from low-privilege accounts targeting the EditUser controller
How to Mitigate CVE-2026-32699
Immediate Actions Required
- Upgrade FacturaScripts to a release later than 2025.92 once an official fixed version is published by the maintainers
- Audit all user accounts to confirm the nick field values match expected administrator and operator identities
- Restrict access to the EditUser controller to administrative roles only at the web server or reverse proxy layer
- Review authentication and audit logs for evidence of unauthorized account renames
Patch Information
Refer to the FacturaScripts GitHub Security Advisory GHSA-pp79-hqv6-vmc3 for the latest patch information and remediated release. Apply vendor-supplied updates as soon as they are available.
Workarounds
- Place the FacturaScripts EditUser endpoint behind reverse proxy access controls that limit POST requests to administrator IP ranges or sessions
- Implement a web application firewall rule that blocks POST requests to EditUser whose body contains a nick field; a WAF cannot normally tell an administrator session from any other, so this is only practical if the rule can be fed a session-to-role mapping or if a captured legitimate edit confirms the form never submits nick at all
- Periodically export and compare the user table to detect unauthorized identifier changes until the patch is applied
# Example NGINX configuration to restrict EditUser access
# The regex is anchored so only URIs beginning with /EditUser match, not any path
# that happens to contain that string. The rule applies to every method, GET included.
location ~* ^/EditUser {
    allow 10.0.0.0/24;   # Admin management network
    deny all;            # Everyone else receives 403 before the request reaches the app
    # proxy_set_header lines from a sibling location are not inherited here;
    # repeat them or define them at server level.
    proxy_pass http://facturascripts_backend;
}
# allow/deny key on the connection source address: behind another proxy or load
# balancer, configure real_ip first, otherwise every client shares the proxy's address.
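The log review described under Detection Strategies and the periodic user-table comparison listed under Workarounds, as one added example that is not part of the advisory or of FacturaScripts. Stock web-server access logs do not record POST bodies, so the script assumes a hypothetical application or proxy log that emits one JSON object per request with the session user, the query string and the names of the submitted form fields; the set of administrator nicks, the log lines and the two user-table snapshots are constructed for the example.

```python
"""Added example (not FacturaScripts code): flag tampered EditUser requests in
a request log and spot renamed accounts between two user-table exports."""
import json

ADMINS = {"admin"}  # assumption: nicks of the administrator accounts

# Constructed sample log in a hypothetical JSON-lines format: one record per
# request with the session user, query parameters and submitted form field names.
SAMPLE_LOG = """
{"ts": "2026-05-07T09:00:01Z", "user": "admin", "method": "POST", "path": "/EditUser", "query": {"code": "bob"}, "form": ["email", "nick"]}
{"ts": "2026-05-07T09:01:10Z", "user": "alice", "method": "GET", "path": "/EditUser", "query": {"code": "alice"}, "form": []}
{"ts": "2026-05-07T09:02:30Z", "user": "alice", "method": "POST", "path": "/EditUser", "query": {"code": "admin"}, "form": ["email", "nick"]}
{"ts": "2026-05-07T09:03:00Z", "user": "alice", "method": "POST", "path": "/EditUser", "query": {"code": "alice"}, "form": ["email"]}
{"ts": "2026-05-07T09:04:00Z", "user": "carol", "method": "POST", "path": "/ListUser", "query": {}, "form": ["filter"]}
"""


def suspicious_edit_requests(log_text, admins=ADMINS):
    """Return (timestamp, user, reasons) for POST EditUser requests from a
    non-admin session that carry a nick field or target another account."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        controller = rec["path"].rstrip("/").split("/")[-1]
        if rec["method"] != "POST" or controller != "EditUser":
            continue
        if rec["user"] in admins:
            continue            # admin edits go through the provisioning workflow
        target = rec["query"].get("code")
        reasons = []
        if "nick" in rec["form"]:
            reasons.append("nick field submitted from non-admin session")
        if target and target != rec["user"]:
            reasons.append(f"non-admin editing another account ({target})")
        if reasons:
            hits.append((rec["ts"], rec["user"], reasons))
    return hits


# Constructed user-table exports (nick -> email), as a periodic dump would give.
BASELINE = {"admin": "admin@example.com", "alice": "alice@example.com", "bob": "bob@example.com"}
CURRENT = {"owned": "admin@example.com", "alice": "alice@example.com", "bob": "bob@example.com"}


def renamed_accounts(baseline, current):
    """Pair each nick that vanished with a new nick carrying the same email:
    that is what a rename looks like, as opposed to a delete plus a create."""
    gone = {n: e for n, e in baseline.items() if n not in current}
    new = {n: e for n, e in current.items() if n not in baseline}
    return [(old, cand) for old, email in gone.items()
            for cand, cand_email in new.items() if cand_email == email]


if __name__ == "__main__":
    for hit in suspicious_edit_requests(SAMPLE_LOG):
        print("ALERT", *hit)
    for old, new in renamed_accounts(BASELINE, CURRENT):
        print("RENAMED", old, "->", new)
```

On the constructed data only the 09:02:30 request is flagged, for both reasons at once, and the snapshot comparison reports the administrator record now answering to a different nick. The email-matching heuristic in renamed_accounts is what distinguishes a rename from a deleted and recreated account, so an attacker who also changes the email in the same request will show up only as an unexplained missing administrator, which still deserves an alert.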
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.