CVE-2026-42571 Overview
CVE-2026-42571 is a privilege escalation vulnerability in Pelican, a platform for creating data federations. The flaw affects the Pelican Web User Interface (WebUI) and allows any user authenticated via OAuth to obtain administrative privileges under specific configurations. The issue is classified as an authorization weakness [CWE-863] and impacts versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2. The Pelican maintainers released fixes in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
Critical Impact
Any OAuth-authenticated WebUI user can escalate to administrator, gaining full control over the Pelican data federation under affected configurations.
Affected Products
- Pelican 7.21.0 through versions before 7.21.5
- Pelican 7.22.0 through versions before 7.22.3
- Pelican 7.23.0 through versions before 7.23.3 and 7.24.0 through versions before 7.24.2
Discovery Timeline
- 2026-05-09 - CVE-2026-42571 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in the NVD database
Technical Details for CVE-2026-42571
Vulnerability Analysis
The vulnerability resides in the authorization logic of Pelican's WebUI. Pelican supports OAuth-based authentication for users accessing the WebUI. Under certain configurations, the WebUI fails to correctly enforce the boundary between standard authenticated users and administrators. As a result, an attacker who successfully completes OAuth authentication can perform actions reserved for administrators. This includes managing federation membership, configuration, and operational state of the Pelican deployment.
Root Cause
The defect maps to CWE-863: Incorrect Authorization. The WebUI accepts OAuth authentication as sufficient evidence of administrative role under specific configuration paths. The privilege check does not properly validate that the authenticated user holds an administrative role before granting privileged operations. The patched releases tighten the authorization check so that OAuth authentication alone does not confer admin status.
Attack Vector
An attacker requires a valid OAuth identity that the target Pelican WebUI accepts. Once authenticated, the attacker invokes administrative WebUI endpoints. No additional user interaction or social engineering is needed. The attack is performed over the network against any exposed Pelican WebUI running an affected version with the vulnerable configuration. Verified exploitation details are described in the GitHub Security Advisory GHSA-rpfr-x88x-xwcw and the corresponding upstream commit.
Detection Methods for CVE-2026-42571
Indicators of Compromise
- WebUI audit log entries showing administrative actions performed by accounts that were not previously provisioned as administrators.
- Unexpected changes to federation configuration, namespace registrations, or origin/cache entries shortly after OAuth logins from non-admin users.
- New or modified user role assignments originating from the WebUI rather than from configuration files.
Detection Strategies
- Compare the list of users granted administrative actions in WebUI logs against the authoritative admin allowlist defined in the Pelican configuration.
- Hunt for HTTP requests to administrative WebUI API endpoints originating from sessions tied to standard OAuth identities.
- Correlate OAuth login events with subsequent privileged operations to identify privilege escalation patterns.
Monitoring Recommendations
- Forward Pelican WebUI access and audit logs to a centralized logging or SIEM platform for long-term retention and analysis.
- Alert on first-time administrative actions per user identity to catch unauthorized role transitions.
- Monitor changes to Pelican configuration files and runtime state for unauthorized modifications.
How to Mitigate CVE-2026-42571
Immediate Actions Required
- Upgrade Pelican to a fixed release: 7.21.5, 7.22.3, 7.23.3, or 7.24.2 depending on the deployed branch.
- Review WebUI audit logs for any unauthorized administrative actions performed since the affected version was deployed.
- Rotate OAuth client secrets and revoke active sessions to invalidate any tokens that may have been used for privilege escalation.
Patch Information
The Pelican maintainers fixed CVE-2026-42571 in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2. The corrective change is included in commit 7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854. Operators should consult the GitHub Security Advisory GHSA-rpfr-x88x-xwcw for upgrade guidance.
Workarounds
- Restrict network exposure of the Pelican WebUI to trusted administrative networks until patching is complete.
- Disable OAuth-based WebUI authentication or remove the vulnerable configuration paths described in the upstream advisory if upgrading is not immediately feasible.
- Reduce the OAuth identity provider's user pool that can authenticate to the WebUI to a minimal, vetted set of operators.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
