CVE-2026-12673

An attacker who is an Admin in a secondary domain can escalate to Sysadmin by intercepting the HTTP request when creating or updating a group and changing the `group[admin_level]` parameter to 5. The controller's authorization logic only prevents assigning Domain Admin level (4) in secondary domains, but does not prevent assigning SysAdmin level (5). This is a broken access control issue [CWE-863] as described in the researcher's write-up [ref_id=1].

The vulnerability resides in `app/controllers/admin/groups_controller.rb`, specifically in the `limit_create_for_admins` and `limit_update_for_admins` methods. For secondary (non-default) domains, these methods only blocked setting `admin_level` to 4 (Domain Admin) but failed to block setting it to 5 (SysAdmin), allowing an Admin in a secondary domain to escalate privileges.

The patch replaces the two separate `limit_create_for_admins` and `limit_update_for_admins` methods with a single `permitted_admin_level?` check. This new method compares the requested `admin_level` against the current user's own group `admin_level`, ensuring that no user can grant a group a higher privilege level than they themselves hold. Sysadmins are still unrestricted. This closes the gap where secondary-domain Admins could bypass the Domain Admin check and assign SysAdmin level.