Critical severity · NVD Advisory · Published May 9, 2026 · Updated May 13, 2026
CVE-2026-42571
Description
Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pelicanplatform/pelican (Go) | < 0.0.0-20260408120501-7f73b9c3e677 | 0.0.0-20260408120501-7f73b9c3e677 |
Patches
7f73b9c3e677 Do not use an external container image layer cache
1 file changed · +0 −7
.github/workflows/build-and-test.yml+0 −7 modified@@ -331,7 +331,6 @@ jobs: # Configure the build cache. cache-from: | - type=registry,ref=${{ needs.params.outputs.registry-cache }}-${{ matrix.arch }} type=local,src=${{ runner.temp }}/.base-buildx-cache # Save Docker's build cache to the file/directory we set up @@ -416,14 +415,8 @@ jobs: # Configure the build cache. cache-from: | - type=registry,ref=${{ needs.params.outputs.registry-cache }}-${{ matrix.arch }} type=local,src=${{ runner.temp }}/.base-buildx-cache - # Upload the dev image as a build cache because, in theory, - # it contains layers that change relatively infrequently and - # thus could be used to reduce future build times. - cache-to: ${{ contains(fromJson(needs.params.outputs.images-to-push), matrix.image) && matrix.image == 'pelican-dev' && format('{0}{1}-{2}{3}', 'type=registry,ref=', needs.params.outputs.registry-cache, matrix.arch, ',mode=max,ignore-error=true,image-manifest=true,oci-mediatypes=true') || null }} - - name: Export digest if: ${{ contains(fromJson(needs.params.outputs.images-to-push), matrix.image) }} run: |
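Review bot: In the first hunk (@@ -331,7 +331,6 @@), the `cache-from` block is left with only `type=local,src=${{ runner.temp }}/.base-buildx-cache`, and the retained comment `# Configure the build cache.` gives no reason why the registry source is gone. Add a short comment at that spot saying that image layers must not be pulled from an external registry cache, so the `type=registry` line is not reintroduced later as a build-time optimisation.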
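Review bot: In the second hunk (@@ -416,14 +415,8 @@), removing both the `type=registry` entry under `cache-from` and the whole `cache-to` expression leaves no visible reference to `needs.params.outputs.registry-cache`. Check whether the `params` job still computes that output and drop it if nothing else consumes it. The diff also shows no cleanup of cache images the removed `cache-to` step already pushed to that ref, so deleting them from the registry should be tracked alongside this change.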