CVE-2026-35182 Overview
CVE-2026-35182 is a missing authorization vulnerability (CWE-862) in Brave CMS, an open-source content management system. In versions prior to 2.0.6, the role update endpoint defined in routes/web.php lacks an authorization check: the POST route for /rights/update-role/{id} is not guarded by the checkUserPermissions:assign-user-roles middleware, so any authenticated user can change the role of any account, including their own, and escalate to Super Admin.
Critical Impact
Any authenticated user can exploit this vulnerability to promote themselves to Super Admin, gaining full administrative control over the Brave CMS installation.
Affected Products
- Brave CMS versions prior to 2.0.6
Discovery Timeline
- 2026-04-06 - CVE-2026-35182 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35182
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization). The role update endpoint is reachable by any authenticated user because the route never verifies that the caller holds the assign-user-roles permission. Elsewhere in the application, the checkUserPermissions:assign-user-roles middleware enforces that check on sensitive endpoints; it was simply not attached to the /rights/update-role/{id} route, so the permission model can be bypassed by calling this route directly.
The attack requires nothing more than a valid low-privileged account on the target Brave CMS instance; no HTTP authentication trick or second vulnerability is involved. Because the endpoint is reachable over the network, needs no user interaction, and takes a single crafted POST request, it is a significant risk for any deployment whose user base is not limited to fully trusted administrators.
Root Cause
The root cause is a missing middleware assignment in routes/web.php. The POST route for /rights/update-role/{id} was registered without the checkUserPermissions:assign-user-roles middleware that the rest of the role management surface relies on, and no check behind the route compensates for the omission. The endpoint therefore treats authentication as authorization: every logged-in user is implicitly trusted to modify roles.
Attack Vector
An attacker with any authenticated account sends a POST request to /rights/update-role/{id}, supplying their own account id as {id} together with the role parameters the endpoint expects, and assigns themselves the Super Admin role; the same request can equally change any other account's role. With Super Admin rights the attacker has full administrative control: editing content, reading sensitive data, managing other user accounts and, depending on how the CMS is configured (for example what administrators may upload or execute), potentially compromising the underlying server.
The vulnerability is exploitable over the network with no user interaction and requires only low privileges (an ordinary authenticated account).
Detection Methods for CVE-2026-35182
Indicators of Compromise
- Unexpected POST requests to /rights/update-role/{id} endpoints from non-administrative user sessions
- Audit log entries showing role changes performed by users who should not have role assignment permissions
- Sudden appearance of new Super Admin accounts or privilege changes without corresponding administrator actions
Detection Strategies
- Monitor application request logs for POST requests to the /rights/update-role/ path and correlate each one with the requesting user's permissions; a plain web-server access log does not identify the authenticated user, so make sure the application records the user id (or username) with each request
- Implement alerts for any role changes to Super Admin status that occur outside of expected maintenance windows
- Review user session activity for accounts that access administrative endpoints without prior administrative privileges
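As an added example (not part of the original advisory and not Brave CMS code), the following PHP script applies the first detection strategy above to a constructed set of per-request log entries. Web-server access logs do not record the authenticated user, so the example assumes the application logs a user_id with each request and that a snapshot of which users hold assign-user-roles is available from the CMS database; both inputs here are constructed, and the field names ts, user_id, method, path and status are assumptions.

```php
<?php
// Constructed sample of per-request application log entries (JSON lines). These are NOT
// real Brave CMS logs; the field names (ts, user_id, method, path, status) are assumptions
// for this example, standing in for whatever request logging the deployment has in place.
$sampleLog = <<<'LOG'
{"ts":"2026-04-06T10:01:02Z","user_id":7,"method":"POST","path":"/rights/update-role/7","status":302}
{"ts":"2026-04-06T10:05:44Z","user_id":1,"method":"POST","path":"/rights/update-role/9","status":302}
{"ts":"2026-04-06T10:07:10Z","user_id":12,"method":"GET","path":"/rights/update-role/12","status":200}
{"ts":"2026-04-06T10:09:31Z","user_id":12,"method":"POST","path":"/rights/update-role/12","status":403}
{"ts":"2026-04-06T10:11:00Z","user_id":5,"method":"POST","path":"/rights/update-role/3","status":302}
LOG;

// Constructed snapshot of which user ids hold the assign-user-roles permission, taken from
// the CMS database at review time, not derived from the logs themselves.
$roleAssigners = [1 => true];

/**
 * Return every POST to /rights/update-role/{id} made by a user who lacks assign-user-roles.
 * A 2xx/3xx response means the change most likely went through (a Laravel form POST usually
 * redirects on success); a 403 means something blocked it, but it is still an attempt.
 */
function findUnauthorizedRoleUpdates(string $log, array $assigners): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry) || ($entry['method'] ?? '') !== 'POST') {
            continue; // only the state-changing verb matters for this route
        }
        if (!preg_match('#^/rights/update-role/(\d+)/?$#', $entry['path'] ?? '', $m)) {
            continue;
        }
        $userId = (int) ($entry['user_id'] ?? 0);
        if (!empty($assigners[$userId])) {
            continue; // a legitimate role assigner; leave to normal change review
        }
        $status = (int) ($entry['status'] ?? 0);
        $findings[] = [
            'ts'        => $entry['ts'] ?? '',
            'user_id'   => $userId,
            'target_id' => (int) $m[1],
            'self'      => $userId === (int) $m[1],
            'succeeded' => $status >= 200 && $status < 400,
        ];
    }
    return $findings;
}

foreach (findUnauthorizedRoleUpdates($sampleLog, $roleAssigners) as $f) {
    printf("%s user=%d target=%d self=%s %s\n",
        $f['ts'], $f['user_id'], $f['target_id'],
        $f['self'] ? 'yes' : 'no',
        $f['succeeded'] ? 'SUCCEEDED - treat as compromise' : 'blocked - attempt only');
}
```

Run it with the php CLI; against real data, feed the deployment's own request log and the live permission table instead of the constructed values. For the window in which the vulnerable version was deployed, any SUCCEEDED line should be handled as a confirmed privilege escalation: revert the target account's role, invalidate the actor's sessions, and review everything that account did afterwards.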
Monitoring Recommendations
- Enable detailed logging for all authentication and authorization events within Brave CMS
- Configure SIEM rules to detect unauthorized access to role management endpoints
- Regularly audit user role assignments and compare against expected administrative accounts
How to Mitigate CVE-2026-35182
Immediate Actions Required
- Upgrade Brave CMS to version 2.0.6 or later immediately
- Audit all user accounts for unexpected privilege escalations, particularly accounts with Super Admin roles
- Review access logs for any exploitation attempts targeting the /rights/update-role/{id} endpoint
- Consider temporarily restricting access to administrative functions until the patch is applied
Patch Information
The vulnerability is fixed in Brave CMS version 2.0.6. The patch adds the missing checkUserPermissions:assign-user-roles middleware to the affected route, ensuring proper authorization checks are performed before allowing role modifications. For complete details, refer to the GitHub Security Advisory.
Workarounds
- If an immediate upgrade is not possible, add the checkUserPermissions:assign-user-roles middleware to the POST /rights/update-role/{id} route in routes/web.php; if route caching is enabled, rebuild the route cache (php artisan route:clear) so the change takes effect, and confirm with php artisan route:list that the middleware now appears on the route
- Restrict access to administrative paths such as /rights/ to trusted administrator source addresses at the network or reverse-proxy layer
- Add a web application firewall (WAF) rule for POST requests to /rights/update-role/; a WAF cannot see the user's role, so the rule can only block or rate-limit the path wholesale or by source address, and it must be tuned so legitimate administrators are not locked out
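The route fragment below is an added illustration, not Brave CMS's actual routes/web.php: it shows the unguarded registration described under Root Cause next to the guarded form the first workaround calls for. The controller name RightsController, its updateRole method, the route name and the surrounding auth group are assumptions; only the path and the checkUserPermissions:assign-user-roles middleware come from the advisory.

```php
<?php
// routes/web.php (illustrative fragment; not the actual Brave CMS file)

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\RightsController; // assumed controller name

Route::middleware('auth')->group(function () {
    // VULNERABLE pattern (pre-2.0.6 behaviour described in the advisory): only 'auth'
    // applies, so every logged-in user may change any account's role, including their own.
    // Route::post('/rights/update-role/{id}', [RightsController::class, 'updateRole']);

    // HARDENED: the project's permission middleware gates the route. The digit constraint
    // on {id} is extra hardening added here so non-numeric ids never reach the controller.
    Route::post('/rights/update-role/{id}', [RightsController::class, 'updateRole'])
        ->middleware('checkUserPermissions:assign-user-roles')
        ->where('id', '[0-9]+')
        ->name('rights.update-role'); // assumed name, useful for route:list filtering
});
```

Two design points follow from the bug. First, this class of omission is easier to avoid when the permission middleware is attached once at group level (Route::middleware(['auth', 'checkUserPermissions:assign-user-roles'])->prefix('rights')->group(...)) rather than repeated on each route, so a newly added role-management route cannot forget it. Second, the controller should re-check the permission itself (for example with abort_unless($request->user()->can('assign-user-roles'), 403)) so the route table is not the only line of defense; an undefined Gate ability fails closed in Laravel. After editing the file, run php artisan route:clear if routes are cached and check php artisan route:list to see the middleware column for the route.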
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.