{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30269", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-20T18:23:39.346Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T16:35:36.556Z"}, "descriptions": [{"lang": "en", "value": "Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/apidoorman/doorman"}, {"url": "https://blog.orxiain.life/archives/cve-2026-30269---improper-access-control-in-doorman-allows-privilege-escalation"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T18:22:55.563315Z", "id": "CVE-2026-30269", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:23:39.346Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30269", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T18:22:55.563315Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:20:34.471Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/apidoorman/doorman"}, {"url": "https://blog.orxiain.life/archives/cve-2026-30269---improper-access-control-in-doorman-allows-privilege-escalation"}], "descriptions": [{"lang": "en", "value": "Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T16:35:36.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30269", "state": "PUBLISHED", "dateUpdated": "2026-04-20T18:23:39.346Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:doorman:doorman:0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FEA94C59-0D12-4638-B640-7A65AD04586A", "vulnerable": true}, {"criteria": "cpe:2.3:a:doorman:doorman:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "C0C616A1-0504-4D08-A376-9BB21E2AE88A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles."}], "id": "CVE-2026-30269", "lastModified": "2026-04-27T15:24:09.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T17:16:33.483", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.orxiain.life/archives/cve-2026-30269---improper-access-control-in-doorman-allows-privilege-escalation"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/apidoorman/doorman"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:32:04.075610+00:00", "value": {"mitigation_remediation": ["Upgrade Doorman to a version that implements a permission check for role changes.", "If an upgrade is not yet possible, modify the API to enforce a manage_users permission check even for self\u2011updates or remove the ability to edit the role field via this endpoint.", "Restrict access to the /platform/user/{username} endpoint so that only users with explicit role\u2011management privileges can invoke it.", "Apply least privilege principles to default accounts and implement mandatory password rotation to minimize the impact of compromised credentials."], "summary": {"action": "Apply patch", "impact": "Privilege escalation via improper access control"}, "threat_synthesis": {"affected_systems": "Doorman versions 0.1.0 and 1.0.2 are vulnerable. The product is an open\u2011source access control service. The problem exists in the user account management API endpoint /platform/user/{username}.", "description_and_impact": "Improper access control in Doorman allows any authenticated user to change the role field of their own account via the /platform/user/{username} endpoint. The update model accepts the role property without checking for manage_users permission on self\u2011updates, permitting escalation to high\u2011privileged roles. This yields full administrative capabilities for the user, potentially leading to uncontrolled system changes and data exposure.", "risk_and_exploitability": "The vulnerability requires authentication and access to the REST API; an attacker with a legitimate session can identify their username and send a patch request to elevate their role. The CVSS score of 9.9 indicates critical severity. No publicly disclosed exploits or patch notes are available, and the EPSS score is 0.00038, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The lack of a permission check means the flaw can be leveraged by any authenticated user, making the risk high within a compromised user base or after a credential compromise."}}}}, "created": "2026-04-20T17:30:12.653242+00:00", "title": "Doorman Improper Access Control Allows Privilege Escalation", "updated": "2026-04-22T03:45:06.967967+00:00", "vendors": []}