Formwork Improperly Manages Privileges During User Creation
Description
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
getformwork/formworkPackagist | >= 2.0.0, < 2.3.4 | 2.3.4 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-34p4-7w83-35g2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27198ghsaADVISORY
- github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cdghsax_refsource_MISCWEB
- github.com/getformwork/formwork/releases/tag/2.3.4ghsax_refsource_MISCWEB
- github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.