CVE-2025-70866
Published: 13 February 2026
Summary
CVE-2025-70866 is a high-severity Improper Access Control (CWE-284) vulnerability in LavaLite CMS by Lavalite. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 12.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations, including role-based checks, to block low-privilege users from reaching the admin backend through shared authentication guards.
- Applies the least privilege principle to explicitly limit User role access to administrative functions, preventing privilege escalation.
- Mandates access control decisions based on role attributes, directly countering the absence of role verification at admin login.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The access control flaw directly enables an authenticated low-privilege account to reach the admin backend, constituting exploitation for privilege escalation (T1068).
NVD Description
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.
Deeper analysis
LavaLite CMS version 10.1.0 is affected by CVE-2025-70866, an Incorrect Access Control vulnerability published on 2026-02-13. The flaw allows an authenticated user with low-level privileges, specifically the User role, to directly access the admin backend by logging in through the /admin/login endpoint. This occurs because the admin and user authentication guards share the same user provider without role-based access control verification. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284.
An attacker requires only a valid low-privilege User role account to exploit this over the network with low complexity and no user interaction. By logging into the /admin/login endpoint, the attacker bypasses intended restrictions and gains full access to the admin backend, enabling high-impact actions that compromise confidentiality, integrity, and availability of the CMS, such as modifying sensitive data or administrative settings.
Key references include a GitHub gist at https://gist.github.com/gkjzjh146/6d541c80b0666a596581ccd85bd10058, likely detailing the issue or proof-of-concept, and the LavaLite CMS release page for v10.1.0 at https://github.com/LavaLite/cms/releases/tag/v10.1.0. Security practitioners should consult these sources for further technical details and any guidance on remediation.
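As an added illustration (not LavaLite's own code, which this page does not show), assuming LavaLite follows the standard Laravel `config/auth.php` layout: the weak guard arrangement the advisory describes, in which the `admin` guard reuses the same `users` provider as the public `web` guard, beside a route middleware that enforces the missing role check. The `role` attribute, the `admin` guard name and the `routes/web.php` path are assumptions.

```php
<?php
// Added example, not LavaLite's own code (the page shows none). Assumes a
// Laravel-style config/auth.php and a users table with a 'role' attribute.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Weak layout: the admin guard resolves accounts from the same provider as the
// public 'web' guard. Passing a password check at /admin/login therefore yields
// an admin session for any account, which is the pattern the advisory describes.
function weakAuthConfig(): array
{
    return [
        'guards' => [
            'web'   => ['driver' => 'session', 'provider' => 'users'],
            'admin' => ['driver' => 'session', 'provider' => 'users'],
        ],
        'providers' => [
            'users' => ['driver' => 'eloquent', 'model' => App\Models\User::class],
        ],
    ];
}

// Mitigation: enforce the role explicitly (NIST AC-3 / AC-24) on every admin
// route, independent of which provider the guard happens to use.
class EnsureAdminRole
{
    public function handle(Request $request, \Closure $next, string $guard = 'admin')
    {
        $user = Auth::guard($guard)->user();
        if ($user === null || $user->role !== 'admin') { // the check the flaw lacks
            Auth::guard($guard)->logout(); // discard the session a low-privilege login obtained
            abort(403, 'Administrator role required.');
        }
        return $next($request);
    }
}

// Register in routes/web.php (assumed path): authentication AND role enforcement.
Route::middleware(['auth:admin', EnsureAdminRole::class])
    ->prefix('admin')
    ->group(function () {
        // admin backend routes go here
    });
```

A complementary hardening is to give the `admin` guard its own provider backed by a separate administrators table, so that ordinary accounts cannot authenticate against it at all; the middleware above still belongs on the routes as defence in depth.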
Details
- CWE(s)