VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2022 · Updated Apr 23, 2025

Privilege Chaining with the user admin role in dhis2-core

CVE-2022-41948

Description

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HTTP PUT request. Only users with the following DHIS2 user role authorities can exploit this vulnerability. Note that in many systems the only users with user admin privileges are also superusers. In these cases, the escalation vulnerability does not exist. The vulnerability is only exploitable by attackers who can authenticate as users with the user admin authority. As this is usually a small and relatively trusted set of users, exploit vectors will often be limited. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. The only known workaround to this issue is to avoid the assignment of the user management authority to any users until the patch has been applied.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DHIS2 privilege escalation: authenticated users with user admin authority can gain superuser status via crafted HTTP PUT request.

Vulnerability

DHIS2 versions before the hotfix releases 2.36.12.1, 2.37.8.1, 2.38.2.1, and 2.39.0.1 are vulnerable to a privilege escalation flaw in the user management functionality. A user with the User (Add/Update/Delete) and User Group (Add/Update/Delete) authorities can manually craft an HTTP PUT request to assign superuser privileges to themselves [1]. In many systems, users with these authorities are already superusers, in which case the vulnerability is not exploitable [1].

Exploitation

An attacker must first authenticate as a DHIS2 user who possesses both the User (Add/Update/Delete) and User Group (Add/Update/Delete) authorities. With that access, the attacker can send a specially crafted HTTP PUT request to the user management API endpoint, modifying their own user record to include the superuser role [1]. No additional user interaction or race condition is required. Because the set of users with these privileges is typically small and trusted, the attack surface is limited [1].
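An illustrative server-side authorization check of the kind that stops this privilege chaining, added here as an example; it is not code from dhis2-core or its fix, and the role model, the `F_USER_ADD` and `ALL` authority names and the sample users are assumptions. The vulnerable variant only asks whether the caller may manage users; the hardened variant also refuses to hand out any authority the caller does not already hold, and refuses self-edits of the role set.

```python
from dataclasses import dataclass, field

ALL = "ALL"                 # assumed name of the superuser authority
USER_MANAGE = "F_USER_ADD"  # assumed name of the user-management authority

@dataclass(frozen=True)
class Role:
    name: str
    authorities: frozenset

@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)

    def authorities(self) -> set:
        return set().union(*(r.authorities for r in self.roles))

    def is_superuser(self) -> bool:
        return ALL in self.authorities()

def vulnerable_can_update(actor: User, target: User, new_roles: set) -> bool:
    """Only asks whether the actor may manage users at all; the roles being
    assigned are never compared with what the actor already holds."""
    return USER_MANAGE in actor.authorities()

def hardened_can_update(actor: User, target: User, new_roles: set) -> bool:
    """Reject any update that would grant authority the actor lacks."""
    if actor.is_superuser():
        return True
    if USER_MANAGE not in actor.authorities():
        return False
    # A non-superuser may not touch their own role set at all.
    if actor.uid == target.uid and new_roles != target.roles:
        return False
    # Every authority carried by the requested roles must already be held
    # by the actor; anything else would chain privileges upward.
    requested = set().union(*(r.authorities for r in new_roles))
    return requested <= actor.authorities()

# Constructed sample data mirroring the scenario in the advisory.
USER_ADMIN = Role("User admin", frozenset({USER_MANAGE, "F_USERGROUP_ADD"}))
SUPERUSER = Role("Superuser", frozenset({ALL}))
ALICE = User("alice", {USER_ADMIN})   # user admin, not a superuser
BOB = User("bob")                     # ordinary user
ROOT = User("root", {SUPERUSER})

if __name__ == "__main__":
    print(vulnerable_can_update(ALICE, ALICE, {USER_ADMIN, SUPERUSER}))  # True
    print(hardened_can_update(ALICE, ALICE, {USER_ADMIN, SUPERUSER}))    # False
```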

Impact

Successful exploitation allows the attacker to escalate their privileges to superuser level. As a superuser, the attacker gains full administrative control over the DHIS2 system, including the ability to read, modify, and delete any data, manage all users, and alter system configuration. This represents a complete compromise of confidentiality, integrity, and availability [1].

Mitigation

DHIS2 administrators should upgrade to the following hotfix releases: versions 2.36.12.1, 2.37.8.1, 2.38.2.1, or 2.39.0.1 [1]. The only known workaround is to avoid assigning the user management authority to any users until the patch is applied [1]. There is no indication that this vulnerability has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • dhis2/DHIS2
    Range: <2.36.12.1, <2.37.8.1, <2.38.2.1, <2.39.0.1
  • dhis2/dhis2-core
    Range: <2.36.12.1
