VYPR
High severity · NVD Advisory · Published Mar 31, 2021 · Updated Aug 3, 2024

Privilege escalation in RBAC system

CVE-2021-22538

Description

Privilege escalation in Google Exposure Notification Verification Server allows users with UserWrite to create higher-privileged users via crafted requests due to insufficient permission checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2021-22538 is a privilege escalation vulnerability in the Google Exposure Notification Verification Server (versions prior to 0.23.1). The root cause is that CompileAndAuthorize did not verify that each permission it was asked to grant was a known permission. The per-entry authorization check is a bitwise AND against the actor's own permission, so a crafted value that overlaps the actor's bits can pass that check even though it also carries bits the actor does not hold; the function then ORs the whole value into the compiled permission, escalating privilege [3].

Exploitation

The attacker needs an account that already holds UserWrite. By submitting a crafted user-creation request (for example by modifying the request in an intercepting proxy), the attacker supplies a permission value that is not one of the server's known permissions but still passes the intended check. The fix adds a check that each requested permission is present in the PermissionMap (or is one of the two legacy permissions, LegacyRealmAdmin and LegacyRealmUser), rejecting such values before they are ORed into the result [2][3].
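The Overview and Exploitation paragraphs above describe the mechanism; the following Go program is an added illustration, not code from the verification server. It models a four-bit permission set and assumes the pre-fix check passes whenever the actor's permission shares at least one bit with the requested value (the page calls it "the bitwise AND check" without showing its body, so that is an assumption). The names UserRead, UserWrite, AdminRead, AdminWrite, permissionMap, vulnerableCompile and fixedCompile are this example's own, chosen to resemble the project's. The crafted value 16383 is taken from the fix's regression test.

```go
package main

import "fmt"

// Permission is a bitmask with one bit per right. This is a stand-in for the
// server's own permission set; only four rights are modelled (assumption).
type Permission uint

const (
	UserRead Permission = 1 << iota
	UserWrite
	AdminRead
	AdminWrite
)

// permissionMap is the allow-list of known, single-bit permissions. It plays
// the role of the PermissionMap lookup that the fix introduced.
var permissionMap = map[Permission]string{
	UserRead:   "UserRead",
	UserWrite:  "UserWrite",
	AdminRead:  "AdminRead",
	AdminWrite: "AdminWrite",
}

// canOverlap is the weak pre-fix check this example assumes: it succeeds when
// the actor holds at least one of the requested bits, not all of them.
func canOverlap(given, target Permission) bool { return given&target != 0 }

// vulnerableCompile reproduces the pre-fix shape the page describes: each
// requested value is checked with the AND test, then ORed into the result.
func vulnerableCompile(actor Permission, toUpdate []Permission) (Permission, error) {
	var p Permission
	for _, u := range toUpdate {
		if !canOverlap(actor, u) {
			return 0, fmt.Errorf("actor does not have permission %d", u)
		}
		p |= u
	}
	return p, nil
}

// fixedCompile adds the allow-list check from the fix and, as extra hardening
// beyond what the patch does, requires the actor to hold every bit requested.
func fixedCompile(actor Permission, toUpdate []Permission) (Permission, error) {
	var p Permission
	for _, u := range toUpdate {
		if _, ok := permissionMap[u]; !ok {
			return 0, fmt.Errorf("provided permission %d is unknown", u)
		}
		if actor&u != u {
			return 0, fmt.Errorf("actor does not hold all bits of %d", u)
		}
		p |= u
	}
	return p, nil
}

func main() {
	actor := UserRead | UserWrite
	crafted := Permission(16383) // value from the fix's "escalate" test

	got, err := vulnerableCompile(actor, []Permission{crafted})
	fmt.Printf("vulnerable: permission=%d err=%v\n", got, err)

	got, err = fixedCompile(actor, []Permission{crafted})
	fmt.Printf("fixed:      permission=%d err=%v\n", got, err)
}
```

Run with `go run .`: the vulnerable path returns 16383 (every bit set, including AdminWrite) for an actor that only holds UserRead|UserWrite, while the fixed path rejects the value as unknown. The superset test in fixedCompile is not part of the upstream patch; it is included because an allow-list alone still relies on every known permission being a single bit.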

Impact

Successful exploitation allows the attacker to create a new user account with higher privileges than their own, such as administrative permissions. The creation event is logged in the Event Log, but the attacker gains unauthorized elevated access.

Mitigation

The vulnerability is fixed in versions 0.23.1 and 0.24.0 of the verification server [2][4]. Users should upgrade to at least 0.23.1. No workarounds are documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/google/exposure-notifications-verification-server (Go)
Affected versions: < 0.23.1
Patched versions: 0.23.1

Affected products: 2

Patches: 1 (eb8cf40b12db)

Merge pull request from GHSA-5v95-v8c8-3rh6

2 files changed · +34 −0
  • pkg/rbac/rbac.go (+10 −0, modified)
    @@ -64,6 +64,16 @@ func Can(given Permission, target Permission) bool {
     func CompileAndAuthorize(actorPermission Permission, toUpdate []Permission) (Permission, error) {
     	var permission Permission
     	for _, update := range toUpdate {
    +		// Verify the provided permission is a known permission. This prevents a
    +		// security vulnerability whereby a carefully crafted request is able to
    +		// provide a value that correctly passes an the bitwise AND check and then
    +		// modifies the target permission using OR to escalate privilege.
    +		if _, ok := PermissionMap[update]; !ok {
    +			if update != LegacyRealmAdmin && update != LegacyRealmUser {
    +				return 0, fmt.Errorf("provided permission %v is unknown", update)
    +			}
    +		}
    +
     		// Verify that the user making changes has the permissions they are trying
     		// to grant. It is not valid for someone to grant permissions larger than
     		// they currently have.
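Review bot: the allow-list rejects unknown bit patterns, but per the comment the underlying weakness is that the AND check passes for a value that merely overlaps the actor's permission; consider hardening that check itself (for example `actorPermission&update != update` as the rejection condition) so that correctness no longer depends on every entry in PermissionMap being a single bit. Also fix the typo "passes an the bitwise AND check" in the new comment.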
    
  • pkg/rbac/rbac_test.go (+24 −0, modified)
    @@ -57,6 +57,30 @@ func TestRequiredPermissions(t *testing.T) {
     			t.Errorf("expected error")
     		}
     	})
    +
    +	t.Run("legacy_admin", func(t *testing.T) {
    +		t.Parallel()
    +
    +		if _, err := CompileAndAuthorize(LegacyRealmAdmin, []Permission{LegacyRealmAdmin}); err != nil {
    +			t.Error(err)
    +		}
    +	})
    +
    +	t.Run("legacy_user", func(t *testing.T) {
    +		t.Parallel()
    +
    +		if _, err := CompileAndAuthorize(LegacyRealmAdmin, []Permission{LegacyRealmUser}); err != nil {
    +			t.Error(err)
    +		}
    +	})
    +
    +	t.Run("escalate", func(t *testing.T) {
    +		t.Parallel()
    +
    +		if _, err := CompileAndAuthorize(UserRead|UserWrite, []Permission{16383}); err == nil {
    +			t.Errorf("expected error")
    +		}
    +	})
     }
     
     func TestImpliedBy(t *testing.T) {
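Review bot: the "escalate" case uses the bare literal 16383 with no explanation; name it (for example a mask of all permission bits) or add a comment stating it is a crafted value that overlaps UserRead|UserWrite but is not a known permission. It would also be worth adding a second negative case with a smaller crafted value, such as UserRead plus one bit the actor lacks, so the test does not pass only for the all-bits case.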
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)