Unrated severityNVD Advisory· Published Dec 2, 2025· Updated Dec 3, 2025

CVE-2025-58386

Description

In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it.

Affected products

Terminalfour/Terminalfourdescription
Terminalfour/Terminalfourllm-create
Range: >=8, <=8.1.1.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/mitre
terminalfour.commitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000