CVE-2026-27899

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27899
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27899.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27899
Aliases
Published
2026-02-26T00:50:00.278Z
Modified
2026-02-26T19:35:47.278189Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
WireGuard Portal Vulnerable to Privilege Escalation to Admin via User Self-Update
Details

WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the IsAdmin boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for IsAdmin. As a result, whatever value the client sends for IsAdmin is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27899.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269",
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/h44z/wg-portal

Affected ranges

Type
GIT
Repo
https://github.com/h44z/wg-portal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0a8ec71b3fb289992a1f00bfebce2145007695ee
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.3"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.0-beta.7
v2.0.0-beta.8
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.0.0-rc.4
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-rc.1
v2.1.0-rc.2
v2.1.0-rc.3
v2.1.0-rc.4
v2.1.0-rc.5
v2.1.1
v2.1.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27899.json"