VYPR
High severity · NVD Advisory · Published Feb 21, 2026 · Updated Feb 24, 2026

Formwork Improperly Manages Privileges During User Creation

CVE-2026-27198

Description

Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Formwork CMS 2.0.0 through 2.3.3, authenticated editors can escalate privileges to admin by creating new accounts with any role, leading to full site compromise.

Vulnerability

Overview

CVE-2026-27198 is an improper authorization vulnerability in Formwork, a flat-file CMS. The application fails to enforce role-based access control during account creation, allowing an authenticated user with the editor role to create a new account with administrative privileges. The system only validates that the specified role exists, but does not check whether the current user has sufficient privileges to assign a highly privileged role like admin. This affects versions 2.0.0 through 2.3.3 [1].

Exploitation

Details

The attack surface is the user creation endpoint accessible through the administration panel. An attacker with valid editor credentials can create a new user account and, by manipulating the role parameter in the request, assign the 'admin' role (or any other role) to the new account. The lack of server-side validation of the current user's role against the requested role means the editor's privilege escalation is not blocked. The fix, introduced in commit 19390a0, enforces that non-admin users can only assign their own role [4].

Impact

Successful exploitation grants the attacker full administrative access to the CMS. This includes the ability to modify site content, manage users, change configurations, and potentially execute arbitrary code through file uploads or template manipulation [1][3]. As the CMS manages website content, the compromise could be leveraged to deface the site, inject malicious content, or pivot to further attacks.

Mitigation

The vulnerability has been fixed in Formwork version 2.3.4 [2]. Users should upgrade immediately. The fix modifies the user creation logic to restrict role assignment based on the current user's privileges. No workaround is known aside from applying the patch or restricting editor accounts to only trusted users.
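The check the Exploitation and Mitigation sections describe, as an added example that is not Formwork's code: a minimal model of the defect (the role's existence is validated, the caller's privilege is not) beside a hardened version applying the rule of the fix commit, where only an admin chooses the new account's role and everyone else can only assign their own. Python is used here because the logic is language-independent; `User`, `UserStore`, `create_user_vulnerable`, `create_user_fixed` and the role names are assumptions made for this example.

```python
"""Role-assignment authorization during account creation (added example,
not Formwork's code). Models CVE-2026-27198: the pre-fix path only checks
that the requested role exists; the post-fix path forces non-admins to
their own role before that check. All names here are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Union

ADMIN_ROLE = "admin"


@dataclass(frozen=True)
class User:
    username: str
    role: str

    def is_admin(self) -> bool:
        return self.role == ADMIN_ROLE


class UserStore:
    """In-memory stand-in for the site's user and role registry (assumed)."""

    def __init__(self, roles: Iterable[str]) -> None:
        self.roles = frozenset(roles)
        self.users: Dict[str, User] = {}

    def has_role(self, role: Optional[str]) -> bool:
        return role is not None and role in self.roles

    def add(self, user: User) -> User:
        self.users[user.username] = user
        return user


def create_user_vulnerable(store: UserStore, current_user: User,
                           form: dict) -> Union[User, str]:
    """Pre-fix behaviour: validates that the role exists, but never asks
    whether current_user is allowed to hand out that role."""
    role = form.get("role", "user")
    if not store.has_role(role):
        return "invalidRole"
    return store.add(User(form["username"], role))


def create_user_fixed(store: UserStore, current_user: User,
                      form: dict) -> Union[User, str]:
    """Post-fix behaviour: a non-admin cannot pick a role at all; the
    submitted value is replaced by the caller's own role before the
    existence check, so hiding the field client-side is not relied on."""
    role = form.get("role") if current_user.is_admin() else current_user.role
    if not store.has_role(role):
        return "invalidRole"
    # Override whatever the form carried so a smuggled 'role' key cannot win.
    data = {**form, "role": role}
    return store.add(User(data["username"], data["role"]))


def demo() -> Dict[str, str]:
    """Constructed scenario: an editor submits a create-user request that
    names the admin role. Returns the role each variant would persist."""
    roles = ["admin", "editor", "user"]
    editor = User("eve", "editor")  # constructed, not a real account
    request = {"username": "newadmin", "role": "admin"}  # constructed
    vuln = create_user_vulnerable(UserStore(roles), editor, request)
    fixed = create_user_fixed(UserStore(roles), editor, request)
    return {
        "vulnerable": vuln.role if isinstance(vuln, User) else vuln,
        "fixed": fixed.role if isinstance(fixed, User) else fixed,
    }


if __name__ == "__main__":
    print(demo())  # vulnerable persists 'admin', fixed persists 'editor'
```

Note the deliberate side effect of the fix's rule, mirrored above: an editor's submitted role is silently replaced, not rejected, and an admin who omits the role now fails the existence check instead of receiving the old `user` default.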

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: getformwork/formwork (Packagist)
Affected versions: >= 2.0.0, < 2.3.4
Patched versions: 2.3.4

Affected products

  • Formwork/Formwork (llm-create)
    Range: >=2.0.0, <=2.3.3
  • getformwork/formwork (v5)
    Range: >= 2.0.0, < 2.3.4

Patches

19390a0b408e

Merge commit from fork

https://github.com/getformwork/formwork · Giuseppe Criscione · Feb 18, 2026 · via ghsa
2 files changed · +7 −4
  • formwork/src/Panel/Controllers/UsersController.php · +6 −4 · modified
    @@ -56,18 +56,20 @@ public function create(UserFactory $userFactory): Response
                 return $this->redirect($this->generateRoute('panel.users'));
             }
     
    -        // Get the role
    -        $roleId = $form->data()->get('role', 'user');
    +        $currentUser = $this->panel->user();
     
    -        if (!$this->site->users()->roles()->has($roleId)) {
    +        // Prevent non-admins from escalating privileges by assigning a role different from their own
    +        $role = $currentUser->isAdmin() ? $form->data()->get('role') : $currentUser->role()->id();
    +
    +        if (!$this->site->users()->roles()->has($role)) {
                 $this->panel->notify($this->translate('panel.users.user.cannotCreate.invalidRole'), 'error');
                 return $this->redirect($this->generateRoute('panel.users'));
             }
     
             $user = $userFactory->make([]);
     
             try {
    -            $user->setMultiple($form->data()->toArray());
    +            $user->setMultiple([...$form->data()->toArray(), 'role' => $role]);
                 $user->save();
             } catch (TranslatedException $e) {
                 $this->panel->notify($this->translate($e->getLanguageString()), 'error');
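Review bot: the `'user'` default that the removed `$roleId = $form->data()->get('role', 'user');` carried is gone from the added `$role = $currentUser->isAdmin() ? $form->data()->get('role') : $currentUser->role()->id();`, so an admin who submits the form without a role now reaches `roles()->has($role)` with a null value and gets the `invalidRole` error where the old code silently created a `user`; if that default is still intended, keep it on the admin branch with `get('role', 'user')`. The override in `$user->setMultiple([...$form->data()->toArray(), 'role' => $role]);` is the right place for the enforcement, since the later `'role'` key wins over the spread form data, but note that a non-admin's submitted role is now ignored rather than rejected, which deserves a changelog line so operators do not mistake a silently downgraded account for a failed request.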
    
  • panel/modals/newUser.yaml · +1 −0 · modified
    @@ -44,6 +44,7 @@ fields:
             label: '{{user.role}}'
             default: editor
             options@: site.users.availableRoles
    +        visible@: formwork.panel.user.isAdmin
     
     buttons:
         dismiss:
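Review bot: `visible@: formwork.panel.user.isAdmin` only hides the role selector for non-admins in the panel UI and does not constrain what the request carries, so this hunk is a usability change, not the security fix; the server-side override in UsersController is what blocks the escalation. The `default: editor` left in place is harmless given that override, but a one-line comment in the YAML saying the server ignores this field for non-admin users would keep the two files in step for the next reader.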
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.