CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the fklevels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.
{
"cna_assigner": "VulnCheck",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"last_affected": "2.4.0"
}
]
}
],
"cwe_ids": [
"CWE-639"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29002.json"
}{
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "2.4"
}
],
"cpe": "cpe:2.3:a:couchcms:couchcms:*:*:*:*:*:*:*:*"
}