VYPR
High severity (8.1) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-36720

Description

BookCars v8.3 allows authenticated users to escalate privileges to admin by modifying their user type via an insecure API endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A privilege escalation vulnerability exists in BookCars versions up to and including v8.3. The vulnerability resides in the /api/update-user endpoint, which allows authenticated users to modify their own user type without sufficient authorization checks. Specifically, the application accepts a type parameter directly from user input and applies it without validating the requesting user's privileges, potentially leading to privilege escalation [1].

Exploitation

An authenticated attacker with a standard user account can exploit this vulnerability. The attacker needs to send a crafted request to the /api/update-user endpoint, including their own user ID and a new type parameter set to 'admin'. The application will then update the user's role to administrator without verifying if the user making the request has the authority to perform such a change [1].

Impact

Successful exploitation allows an authenticated attacker to escalate their privileges from a regular user to an administrator. This grants them complete control over the application's access control system, potentially enabling them to perform any administrative action, modify other user accounts, or access sensitive data [1].

Mitigation

To mitigate this vulnerability, it is recommended to implement proper authorization checks on the /api/update-user endpoint to ensure that only administrators can modify user types. Additionally, consider removing the ability for users to update their own roles through this endpoint and enforce role-based access control (RBAC) for privileged operations. Logging all user type modification attempts is also advised for security auditing [1]. The fixed version and release date are not yet disclosed in the available references.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Authenticated users can modify their own user type without proper authorization checks."

Attack vector

An authenticated attacker can exploit this vulnerability by sending a POST request to the `/api/update-user` endpoint. The request body should include the user's ID and the desired new type, such as 'admin'. The application accepts the `type` parameter directly from user input and applies it without validating if the requesting user has the necessary privileges to perform such a modification. This allows any authenticated user to escalate their privileges to administrator.

Affected code

The vulnerability resides in the `update` function within `/backend/src/controllers/userController.ts`. Specifically, the code directly assigns the `type` parameter from the request body to the user object without any authorization checks to verify if the current user has the permission to change user types.

What the fix does

The advisory recommends implementing proper authorization checks to ensure only administrators can modify user types. It also suggests removing the ability for users to update their own roles through the self-service update endpoint and applying role-based access control (RBAC) to restrict privileged operations. Logging all user type modification attempts is also advised for security auditing.
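The handler shape the advisory describes, set beside the hardened version that the Mitigation and "What the fix does" sections call for, as an added TypeScript illustration. This is not code from the BookCars project or from the advisory: the type names, the in-memory `Map` standing in for the user store, the two-role set (`'user' | 'admin'`), the function names and the sample IDs `u-test` / `u-admin` are all assumptions made for this example; only the `/api/update-user` endpoint, the `type` parameter and the `'admin'` value come from the page. The hardened handler applies the four controls the advisory lists: only administrators may touch other users' records, `type` is never a self-service field, the submitted value is validated against the known role set, and every type-change attempt is logged.

```typescript
// Added illustration, not BookCars' own code. Names, types and the in-memory
// store below are assumptions; the real handler lives in
// backend/src/controllers/userController.ts and is not reproduced here.

type UserType = 'user' | 'admin'; // simplified role set (assumption)

interface UserRecord { _id: string; email: string; fullName: string; type: UserType; }
interface Requester { _id: string; type: UserType; } // identity from the session, never from the body
interface UpdateBody { _id: string; fullName?: string; type?: unknown; }

type Decision =
  | { status: 200; user: UserRecord }
  | { status: 400 | 403 | 404; reason: string };

function isUserType(v: unknown): v is UserType {
  return v === 'user' || v === 'admin';
}

// Constructed sample table: one regular user and one administrator.
function makeSampleDb(): Map<string, UserRecord> {
  return new Map<string, UserRecord>([
    ['u-test', { _id: 'u-test', email: 'test@localhost.localhost', fullName: 'Test User', type: 'user' }],
    ['u-admin', { _id: 'u-admin', email: 'admin@localhost.localhost', fullName: 'Admin', type: 'admin' }],
  ]);
}

function roleOf(db: Map<string, UserRecord>, id: string): UserType {
  const u = db.get(id);
  if (!u) throw new Error(`no such user ${id}`);
  return u.type;
}

// Vulnerable shape (the pattern the advisory describes): the requester's own
// role is never consulted, and body.type is copied straight onto the record.
function updateUserVulnerable(db: Map<string, UserRecord>, body: UpdateBody): Decision {
  const user = db.get(body._id);
  if (!user) return { status: 404, reason: 'user not found' };
  if (body.fullName !== undefined) user.fullName = body.fullName;
  if (body.type !== undefined) user.type = body.type as UserType; // mass assignment of a privileged field
  return { status: 200, user };
}

const auditLog: string[] = [];

// Hardened shape: ownership check, admin-only role changes, value validation,
// and an audit entry for every attempt to change `type` (allowed or not).
function updateUserHardened(db: Map<string, UserRecord>, requester: Requester, body: UpdateBody): Decision {
  const user = db.get(body._id);
  if (!user) return { status: 404, reason: 'user not found' };

  const isAdmin = requester.type === 'admin';
  const isSelf = requester._id === body._id;
  if (!isAdmin && !isSelf) return { status: 403, reason: 'cannot modify another user' };

  if (body.type !== undefined) {
    auditLog.push(`type-change attempt requester=${requester._id} target=${body._id} value=${String(body.type)} allowed=${isAdmin}`);
    if (!isAdmin) return { status: 403, reason: 'only administrators may change user type' };
    if (!isUserType(body.type)) return { status: 400, reason: 'invalid user type' };
    user.type = body.type;
  }

  // Only allow-listed profile fields reach the record; nothing else in the body is applied.
  if (body.fullName !== undefined) user.fullName = body.fullName;
  return { status: 200, user };
}

function getAuditLog(): readonly string[] { return [...auditLog]; }

interface DemoResult {
  vulnerable: UserType;        // role of u-test after the vulnerable handler
  selfAttemptStatus: number;   // hardened handler, regular user promoting itself
  afterSelfAttempt: UserType;
  adminChangeStatus: number;   // hardened handler, administrator performing the change
  afterAdminChange: UserType;
  auditEntries: number;        // audit lines written during this run
}

// Walks the advisory's scenario (a regular user submits type='admin' for its own
// id) against both handlers, then shows the legitimate admin-driven path.
function demo(): DemoResult {
  const escalation: UpdateBody = { _id: 'u-test', type: 'admin' };
  const before = auditLog.length;

  const db1 = makeSampleDb();
  updateUserVulnerable(db1, escalation);

  const db2 = makeSampleDb();
  const denied = updateUserHardened(db2, { _id: 'u-test', type: 'user' }, escalation);
  const afterSelfAttempt = roleOf(db2, 'u-test');
  const granted = updateUserHardened(db2, { _id: 'u-admin', type: 'admin' }, escalation);

  return {
    vulnerable: roleOf(db1, 'u-test'),
    selfAttemptStatus: denied.status,
    afterSelfAttempt,
    adminChangeStatus: granted.status,
    afterAdminChange: roleOf(db2, 'u-test'),
    auditEntries: auditLog.length - before,
  };
}

console.log(demo(), getAuditLog());
```

The decisive difference is that `updateUserHardened` takes the requester's identity and role from the authenticated session, not from the request body, and treats `type` as an administrative field rather than part of the self-service profile; the audit line is written before the authorization verdict so that denied attempts are visible to security monitoring as well as successful ones.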

Preconditions

  • Authentication required: the attacker must be an authenticated user.

Reproduction

Log in as user test@localhost.localhost on the user frontend. Update the type of user test@localhost.localhost to admin by its id. Log in as user test@localhost.localhost on the admin frontend to verify that the type has been changed to admin.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.