CVE-2026-27198
Published: 21 February 2026
Summary
CVE-2026-27198 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Formwork Project Formwork. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 6.1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access, directly countering the failure to verify current user privileges before assigning admin roles during account creation.
AC-2 requires defined procedures for account management including privilege assignment and approvals for privileged accounts, preventing unauthorized admin account creation by lower-privileged users.
AC-6 enforces least privilege principles, ensuring editor-role users cannot perform or assign administrative actions like creating admin accounts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization check on role assignment during account creation, allowing an authenticated low-privileged user to directly create an account with administrative rights; this maps to T1136 (Create Account) for the account creation action and T1068 (Exploitation for Privilege Escalation) for the resulting elevation to full admin access.
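The account creation that T1136 describes leaves a trace that can be hunted for after the fact. The following is an added example for this page, not Formwork code and not Formwork's log format: it scans constructed JSON-lines audit events (the field names are assumptions) for any account creation or role change where the assigned role outranks the actor's own role, which is the signature of this class of bug being exploited, and then lists what the flagged accounts went on to do.

```python
import json

# Constructed role hierarchy (assumption, not Formwork's role model).
ROLE_RANK = {"user": 10, "editor": 50, "admin": 100}

# Events that set a role. account.role_changed is included because the
# same missing check could exist on edits, not only on creation.
ROLE_SETTING_EVENTS = {"account.created", "account.role_changed"}

# Constructed sample audit events in a hypothetical JSON-lines format.
SAMPLE_LOG = """\
{"ts":"2026-02-20T09:12:01Z","event":"account.created","actor":"admin1","actor_role":"admin","new_user":"bob","new_role":"editor"}
{"ts":"2026-02-20T11:40:22Z","event":"account.created","actor":"eve","actor_role":"editor","new_user":"mallory","new_role":"admin"}
{"ts":"2026-02-20T11:41:03Z","event":"login","actor":"mallory","actor_role":"admin"}
{"ts":"2026-02-20T11:45:17Z","event":"page.deleted","actor":"mallory","actor_role":"admin","page":"home"}
{"ts":"2026-02-21T08:00:00Z","event":"account.created","actor":"eve","actor_role":"editor","new_user":"carol","new_role":"editor"}
{"ts":"2026-02-21T08:05:00Z","event":"account.role_changed","actor":"eve","actor_role":"editor","new_user":"carol","new_role":"admin"}
not a json line: the parser must skip it rather than abort the hunt
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_escalating_grants(text):
    """Return role-setting events where the assigned role outranks the
    actor's own role. An unknown or missing actor_role ranks lowest, so
    such an event granting a known role is flagged as well."""
    findings = []
    for ev in parse_events(text):
        if ev.get("event") not in ROLE_SETTING_EVENTS:
            continue
        actor_rank = ROLE_RANK.get(ev.get("actor_role"), -1)
        new_rank = ROLE_RANK.get(ev.get("new_role"), -1)
        if new_rank > actor_rank:
            findings.append({
                "ts": ev.get("ts"),
                "event": ev["event"],
                "actor": ev.get("actor"),
                "actor_role": ev.get("actor_role"),
                "account": ev.get("new_user"),
                "granted_role": ev.get("new_role"),
            })
    return findings


def follow_on_activity(text, accounts):
    """Everything the flagged accounts did: this is the scope an incident
    responder has to review, not just the creation event itself."""
    accounts = set(accounts)
    return [ev for ev in parse_events(text)
            if ev.get("event") not in ROLE_SETTING_EVENTS
            and ev.get("actor") in accounts]


def hunt(text):
    findings = find_escalating_grants(text)
    suspects = {f["account"] for f in findings}
    return {
        "findings": findings,
        "suspect_accounts": sorted(suspects),
        "follow_on": follow_on_activity(text, suspects),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

On the constructed sample this flags two grants (mallory created as admin by an editor, carol promoted to admin by an editor) and returns mallory's login and page deletion as follow-on activity; carol's own creation as editor by an editor is not flagged, since it does not exceed the actor's rank.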
NVD Description
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
Deeper analysis
CVE-2026-27198 is an improper privilege management vulnerability (CWE-269) in Formwork, a flat file-based Content Management System (CMS). It affects versions 2.0.0 through 2.3.3, where the application fails to properly enforce role-based authorization during account creation. Specifically, while the system validates that a specified role exists, it does not check whether the current user has sufficient privileges to assign highly privileged roles such as admin.
An authenticated user with editor privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By creating a new account and assigning it administrative privileges, the attacker gains full administrative access, leading to complete compromise of the CMS, including high confidentiality, integrity, and availability impacts. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability was fixed in Formwork version 2.3.4, and the mitigation is to update to that release. Because the patch closes the hole but does not undo anything done through it, an instance that ran a vulnerable version should also have its account list reviewed for admin accounts that an editor created. Key resources include the fixing commit at https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd, the release notes at https://github.com/getformwork/formwork/releases/tag/2.3.4, and the GitHub security advisory at https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2.
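To make the missing check concrete, here is an added example written for this page (Python, deliberately not Formwork's PHP code; the role names, rank table and function names are assumptions, not Formwork's API). The vulnerable variant reproduces the flaw the advisory describes, validating only that the requested role exists; the fixed variant additionally refuses any role that outranks the actor's own.

```python
from dataclasses import dataclass

# Constructed role hierarchy: higher rank = more privilege (assumption).
ROLE_RANK = {"user": 10, "editor": 50, "admin": 100}

# Constructed policy: which roles may create accounts at all (assumption).
CAN_CREATE_ACCOUNTS = {"editor", "admin"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class AuthorizationError(Exception):
    pass


def create_account_vulnerable(actor: User, new_name: str, new_role: str) -> User:
    """Mirrors the flaw: checks that the role EXISTS, never whether the
    actor may ASSIGN it, so an editor can mint an admin."""
    if actor.role not in CAN_CREATE_ACCOUNTS:
        raise AuthorizationError("not allowed to create accounts")
    if new_role not in ROLE_RANK:            # input validation only
        raise ValueError(f"unknown role {new_role!r}")
    return User(new_name, new_role)


def can_assign_role(actor: User, target_role: str) -> bool:
    """Authorization check: the role must exist AND must not outrank the
    actor. (A stricter policy could allow only admins to grant admin.)"""
    if target_role not in ROLE_RANK:
        return False
    return ROLE_RANK[target_role] <= ROLE_RANK[actor.role]


def create_account_fixed(actor: User, new_name: str, new_role: str) -> User:
    """Same as above plus the authorization step the advisory says was missing."""
    if actor.role not in CAN_CREATE_ACCOUNTS:
        raise AuthorizationError("not allowed to create accounts")
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    if not can_assign_role(actor, new_role):
        raise AuthorizationError(f"{actor.role} may not assign role {new_role!r}")
    return User(new_name, new_role)


def _outcome(fn, actor: User, new_name: str, new_role: str) -> str:
    try:
        return fn(actor, new_name, new_role).role
    except AuthorizationError:
        return "denied"


def demo() -> dict:
    """Exercise both variants with the advisory's editor-creates-admin case."""
    editor = User("eve", "editor")
    admin = User("root", "admin")
    plain = User("u", "user")
    return {
        "vuln_editor_creates_admin": _outcome(create_account_vulnerable, editor, "mallory", "admin"),
        "fixed_editor_creates_admin": _outcome(create_account_fixed, editor, "mallory", "admin"),
        "fixed_editor_creates_editor": _outcome(create_account_fixed, editor, "bob", "editor"),
        "fixed_admin_creates_admin": _outcome(create_account_fixed, admin, "alice", "admin"),
        "fixed_user_creates_user": _outcome(create_account_fixed, plain, "x", "user"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The fix is the second condition, not the first: whether a role exists is an input-validation question and says nothing about authorization. As a general caveat (not a statement about Formwork), the same can_assign_role check belongs on every code path that sets a role, including editing an existing account, because a creation-only fix leaves an equivalent hole on edits.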
Details
- CWE(s)