VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50881

Description

Bonsai 6.0 allows authenticated Editors to escalate to Administrator due to missing operation-level access control in user and configuration management.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

In Bonsai version 6.0, the AdminAuthHandler accepts both the Administrator and the Editor role as valid for administrative endpoints. However, sensitive controllers such as UsersController and DynamicConfigController rely solely on this handler and perform no additional operation-level check that would exclude Editors from administrator-grade actions. As a result, an authenticated Editor can reach endpoints meant only for Administrators, including user management and global configuration changes. [1]

Exploitation

An attacker who has valid Editor credentials can log in to Bonsai 6.0 and send direct HTTP requests to routes handled by UsersController (e.g., creating a user or changing a role) or DynamicConfigController (e.g., modifying global settings). The AdminAuthHandler accepts the Editor session, and the requested mutation is applied without further authorization checks. [1]

Impact

Successful exploitation results in privilege escalation from Editor to full administrative control. The attacker can create, modify, or delete user accounts, change passwords, and alter global configuration settings, operations that should be limited to Administrators. This effectively grants persistent unauthorized access at the highest privilege level. [1]

Mitigation

As of the publication date, no official fix or patch has been released. The vendor has not announced a mitigation or updated version. Users should restrict Editor account privileges where possible and monitor for unauthorized user or configuration changes until a patch is available. [1]
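The advisory's interim advice is to monitor for unauthorized user or configuration changes. As an added illustration of that monitoring (not part of the advisory and not Bonsai's own logging), the following scans an access log for successful mutating requests to administrator-only routes that were issued by non-Administrator sessions. The key=value log format, the route prefixes and the sample lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access log in a key=value format assumed for this example.
# The user names, roles, paths and timestamps are made up.
SAMPLE_LOG = """\
2026-06-15T10:01:02Z user=alice role=Administrator method=POST path=/admin/users/create status=200
2026-06-15T10:02:11Z user=bob role=Editor method=GET path=/admin/pages/edit/42 status=200
2026-06-15T10:02:40Z user=bob role=Editor method=POST path=/admin/users/bob/role status=200
2026-06-15T10:03:05Z user=bob role=Editor method=POST path=/admin/config/update status=200
2026-06-15T10:03:30Z user=carol role=Editor method=POST path=/admin/users/create status=403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Route prefixes that only Administrators should be able to mutate (assumed).
ADMIN_ONLY_PREFIXES = ("/admin/users", "/admin/config")
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    path: str


def flag_editor_admin_mutations(log_text: str) -> List[Finding]:
    """Return successful mutating requests to admin-only routes made by a
    session whose role is not Administrator.  Refused attempts (4xx) are
    skipped here because they did not change state; an alert on them is a
    separate, noisier signal."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        if m["role"] == "Administrator":
            continue  # Administrators are allowed to perform these actions
        if m["method"] not in MUTATING_METHODS:
            continue  # reads are out of scope for this check
        if not m["path"].startswith(ADMIN_ONLY_PREFIXES):
            continue  # editor-facing pages are not administrator-only
        if not 200 <= int(m["status"]) < 400:
            continue  # the request was refused, nothing was changed
        findings.append(Finding(m["ts"], m["user"], m["path"]))
    return findings


if __name__ == "__main__":
    for f in flag_editor_admin_mutations(SAMPLE_LOG):
        print(f"{f.ts} {f.user} changed {f.path} without the Administrator role")
```

In a real deployment the role would come from the application's own audit trail or session store rather than from the access log line, and the route list would be derived from the controllers that gate on Administrator.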

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing operation-level access control check in sensitive controllers allows Editor sessions to reach administrator-only endpoints."

Attack vector

An authenticated attacker with Editor privileges can directly send requests to user-management routes (e.g., creating a user or changing another user's role) or dynamic configuration routes that are handled by `UsersController` and `DynamicConfigController`. Because `AdminAuthHandler` accepts Editor sessions as sufficient, no second authorization gate blocks the request [1]. The attacker can then perform administrator-grade operations such as account creation, password changes, and global configuration modifications, achieving privilege escalation to Administrator [CWE-862].

Affected code

The `AdminAuthHandler` in Bonsai v6.0 accepts both the Administrator and the Editor role at the route level, while `UsersController` and `DynamicConfigController` lack a second, operation-level check. The `UsersManagerService` then applies user mutations after the handler has already admitted the request, so the missing boundary is the absence of any role distinction inside the controller actions themselves.

What the fix does

The advisory does not include a published patch. The fix would require adding an operation-level authorization check inside `UsersController` and `DynamicConfigController` (or their corresponding services) that ensures only the Administrator role, not merely the Editor role, can perform user management and global configuration actions. This would enforce the intended separation between editor-facing admin pages and sensitive administrative endpoints.
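The following is an added model of the flaw class described in the "Affected code" and "What the fix does" sections: a route-level gate that admits two roles, shown beside a controller whose mutating action carries its own operation-level check. It is constructed for illustration and is not Bonsai's code; `Session`, `admin_auth_handler`, `requires_role` and the two controller classes are assumed names, and the user table is made up.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

ADMINISTRATOR = "Administrator"
EDITOR = "Editor"


@dataclass(frozen=True)
class Session:
    user: str
    role: str


class Forbidden(Exception):
    """Raised when an authorization gate rejects the request."""


def admin_auth_handler(session: Session) -> None:
    """Route-level gate as the advisory describes it: both roles pass.
    Assumed name; not Bonsai's implementation."""
    if session.role not in (ADMINISTRATOR, EDITOR):
        raise Forbidden(f"{session.role} may not reach the admin area")


def requires_role(role: str):
    """Operation-level gate: each mutating action declares the single role
    allowed to perform it, so authorization is decided per action, not per route."""
    def decorator(action):
        @wraps(action)
        def guarded(self, session: Session, *args, **kwargs):
            if session.role != role:
                raise Forbidden(f"{action.__name__} requires {role}, got {session.role}")
            return action(self, session, *args, **kwargs)
        return guarded
    return decorator


class VulnerableUsersController:
    """Relies on the route-level handler alone, matching the advisory's description."""
    def __init__(self, roles: dict):
        self.roles = roles

    def change_role(self, session: Session, target: str, new_role: str) -> str:
        admin_auth_handler(session)    # the only check: an Editor passes
        self.roles[target] = new_role  # mutation applied regardless of role
        return self.roles[target]


class HardenedUsersController:
    """Same action, but the operation itself demands Administrator."""
    def __init__(self, roles: dict):
        self.roles = roles

    @requires_role(ADMINISTRATOR)   # operation-level check sits in front of the action
    def change_role(self, session: Session, target: str, new_role: str) -> str:
        admin_auth_handler(session)
        self.roles[target] = new_role
        return self.roles[target]


def editor_self_escalation(controller_cls) -> Optional[str]:
    """Run the Editor-to-Administrator attempt against a controller class and
    return the Editor's resulting role, or None if the action was refused."""
    roles = {"alice": ADMINISTRATOR, "bob": EDITOR}  # constructed user table
    bob = Session(user="bob", role=EDITOR)
    controller = controller_cls(roles)
    try:
        controller.change_role(bob, "bob", ADMINISTRATOR)
    except Forbidden:
        return None
    return roles["bob"]


if __name__ == "__main__":
    print("vulnerable:", editor_self_escalation(VulnerableUsersController))  # Administrator
    print("hardened:  ", editor_self_escalation(HardenedUsersController))    # None
```

The design point is that the route-level handler answers "may this session enter the admin area at all?", while the decorator answers "may this session perform this specific mutation?"; collapsing the two into the first is exactly the missing operation-level control the advisory describes.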

Preconditions

  • auth: valid Editor session on Bonsai v6.0
  • network: HTTP access to user-management or dynamic-configuration endpoints

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.