CVE-2026-27591
Published: 11 March 2026
Summary
CVE-2026-27591 is a critical-severity Improper Access Control (CWE-284) vulnerability in Wintercms Winter. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 28.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of flaws like this Winter CMS privilege escalation vulnerability to prevent exploitation via crafted requests.
- AC-3 (Access Enforcement): mandates enforcement of access controls so that authenticated backend users cannot modify the roles and permissions assigned to their own accounts.
- AC-6 (Least Privilege): limits what each backend user can reach, reducing the scope and impact of a privilege escalation even if access enforcement partially fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploitation for Privilege Escalation (T1068): an authenticated backend user abuses improper access controls to bypass authorization within an existing session and gain higher privileges, which is precisely the exploitation of a software vulnerability for privilege escalation that T1068 describes.
NVD Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any level of access. This vulnerability is fixed in 1.0.477, 1.1.12, and 1.2.12.
Deeper analysis
CVE-2026-27591 is a privilege escalation vulnerability in Winter CMS, a free open-source content management system built on the Laravel PHP framework. Affected versions are those prior to 1.0.477, 1.1.12, and 1.2.12 on their respective branches. The flaw stems from improper access controls (CWE-284, with CWE-639 and CWE-915 also assigned), enabling authenticated backend users to modify the roles and permissions assigned to their own accounts through specially crafted requests to the backend while logged in. It carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): network reachable, low attack complexity, only low privileges required, no user interaction, a changed scope, and high impact on confidentiality, integrity, and availability.
Exploitation requires an attacker to have any level of access to the Winter CMS backend via a valid user account. Once authenticated, the attacker can send tailored HTTP requests to escalate their privileges, potentially gaining administrative control over the CMS. This could lead to unauthorized data access, modification, or deletion, as well as full system takeover given the scope (S:C) and high impacts on confidentiality, integrity, and availability.
The official GitHub security advisory (GHSA-pgpf-m8m4-6cg6) details the issue and confirms remediation in Winter CMS versions 1.0.477, 1.1.12, and 1.2.12. Security practitioners should immediately upgrade to one of these patched releases, available via the project's release notes, and review backend user accounts for signs of unauthorized role changes. No workarounds are specified beyond applying the patches.
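Two checks a practitioner will want after reading the above: whether an installed Winter CMS build falls below the fixed release for its branch, and whether any backend account gained privileges it did not have at a known-good point in time. The following is an added example, not code from the Winter CMS project or the advisory. The version logic uses only the fixed releases named in the advisory; the audit assumes backend user rows carry `is_superuser`, `role_id` and a JSON `permissions` map keyed by permission code, which is an assumption about Winter's schema, and the two snapshots are constructed here for illustration.

```python
"""Version triage and backend-account audit for CVE-2026-27591 (added example).

Assumptions not taken from the advisory: version strings are dotted numerics
such as "1.2.11" (a leading "v" or a "-pre" suffix is tolerated), and the
audit rows mimic Winter's backend_users table with the columns
is_superuser, role_id and permissions (JSON object keyed by permission code).
"""
from __future__ import annotations

import json

# Fixed releases per supported branch, as stated in the advisory.
FIXED = {(1, 0): (1, 0, 477), (1, 1): (1, 1, 12), (1, 2): (1, 2, 12)}


def parse_version(v: str) -> tuple[int, ...]:
    """'v1.2.11-pre' -> (1, 2, 11). Tuples compare lexicographically, so 477 > 12 is handled."""
    core = v.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_vulnerable(version: str) -> bool | None:
    """True when `version` is below the fixed release of its branch.

    Returns None for a branch the advisory does not cover, so callers treat
    that as "unknown", never as "safe".
    """
    parts = parse_version(version)
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed


def granted(row: dict) -> set[str]:
    """Permission codes whose value is truthy; the column may be a JSON string or a dict."""
    perms = row.get("permissions") or {}
    if isinstance(perms, str):
        perms = json.loads(perms)
    return {code for code, allowed in perms.items() if allowed}


def audit_privilege_changes(baseline: list[dict], current: list[dict]) -> list[dict]:
    """Diff two snapshots of backend user rows and report privilege gains.

    A row is flagged when is_superuser turned on, role_id changed, or the
    permission map gained a granted code. Accounts absent from the baseline
    are flagged as well: a freshly created admin is just as suspicious.
    """
    base = {row["id"]: row for row in baseline}
    findings = []
    for row in current:
        old = base.get(row["id"])
        if old is None:
            findings.append({"id": row["id"], "login": row["login"], "reason": "new account"})
            continue
        reasons = []
        if row.get("is_superuser") and not old.get("is_superuser"):
            reasons.append("is_superuser set")
        if row.get("role_id") != old.get("role_id"):
            reasons.append(f"role_id {old.get('role_id')} -> {row.get('role_id')}")
        gained = granted(row) - granted(old)
        if gained:
            reasons.append("permissions gained: " + ", ".join(sorted(gained)))
        if reasons:
            findings.append({"id": row["id"], "login": row["login"], "reason": "; ".join(reasons)})
    return findings


# Constructed snapshots (not real data): a known-good export and the current table.
BASELINE_ROWS = [
    {"id": 1, "login": "admin", "is_superuser": True, "role_id": 1, "permissions": "{}"},
    {"id": 7, "login": "editor", "is_superuser": False, "role_id": 3,
     "permissions": '{"cms.manage_content": 1}'},
]
CURRENT_ROWS = [
    {"id": 1, "login": "admin", "is_superuser": True, "role_id": 1, "permissions": "{}"},
    {"id": 7, "login": "editor", "is_superuser": True, "role_id": 1,
     "permissions": '{"cms.manage_content": 1, "backend.manage_users": 1}'},
    {"id": 9, "login": "helper", "is_superuser": False, "role_id": 1, "permissions": "{}"},
]

if __name__ == "__main__":
    for v in ("1.0.476", "1.1.12", "1.2.11", "2.0.0"):
        print(v, "vulnerable" if is_vulnerable(v) else ("patched" if is_vulnerable(v) is False else "unknown branch"))
    for f in audit_privilege_changes(BASELINE_ROWS, CURRENT_ROWS):
        print(f"user {f['id']} ({f['login']}): {f['reason']}")
```

The baseline should come from an export taken before the exposure window (a database dump or a periodic snapshot of the backend users table), since a self-escalated account looks legitimate once the change has landed. A version check alone is not sufficient after patching: the fix stops further escalation but does not revert roles that were already altered.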
Details
- CWE(s)