CVE-2026-27899
Published: 26 February 2026
Summary
CVE-2026-27899 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wgportal Wireguard Portal. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 26.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations, preventing non-admin users from modifying their own IsAdmin field via unprotected PUT requests to the user profile endpoint.
Restricts privileges to the minimum necessary, blocking unauthorized self-escalation to full administrator access in wg-portal.
Validates JSON inputs to the profile update endpoint, ensuring client-supplied IsAdmin values are rejected or ignored before database persistence.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper privilege management (CWE-269/863) allows an authenticated low-privileged user to set IsAdmin=true directly via the profile update API, enabling exploitation for privilege escalation to full admin control.
NVD Description
WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.
Deeper analysis
CVE-2026-27899 is an improper privilege management vulnerability (CWE-269, CWE-863) in WireGuard Portal (wg-portal), a web-based configuration portal for WireGuard server management. In versions prior to 2.1.3, the server fails to protect the `IsAdmin` boolean field during user profile updates. When an authenticated user sends a PUT request to their own profile endpoint with `"IsAdmin": true` in the JSON body, the server parses the full body into the user model. A function preserves certain protected attributes like base model data and linked peer counts, but overlooks `IsAdmin`, allowing the client-supplied value to be written directly to the database.
Any authenticated non-admin user (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). After sending the malicious PUT request, logging out and back in grants the attacker full administrative privileges, providing complete control over the WireGuard VPN management portal. The CVSS 3.1 base score is 8.8 (C:H/I:H/A:H/S:U), reflecting high impacts on confidentiality, integrity, and availability.
The vulnerability was addressed in wg-portal version 2.1.3, with Docker images tagged 'latest' built from the master branch also including the fix. Additional details are available in the GitHub security advisory at https://github.com/h44z/wg-portal/security/advisories/GHSA-5rmx-256w-8mj9.
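The flaw described above, shown beside a hardened form as an added Go example; this is not wg-portal's code or its actual patch. The `User` struct, its field set and all function names are hypothetical, and pinning `IsAdmin` for non-admin callers is an assumed remediation used for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical, simplified model (not wg-portal's own struct).
type User struct {
	Identifier string
	Email      string
	IsAdmin    bool
	PeerCount  int // calculated server-side
}

// preserveVulnerable pins calculated fields to the stored record but leaves
// IsAdmin as the client sent it, which is the flaw described above.
func preserveVulnerable(stored, incoming User) User {
	incoming.Identifier = stored.Identifier
	incoming.PeerCount = stored.PeerCount
	return incoming
}

// preserveHardened also pins IsAdmin unless the authenticated actor is already
// an admin; the bool reports a rejected change so it can be audit-logged.
func preserveHardened(actor, stored, incoming User) (User, bool) {
	out := preserveVulnerable(stored, incoming)
	rejected := !actor.IsAdmin && out.IsAdmin != stored.IsAdmin
	if rejected {
		out.IsAdmin = stored.IsAdmin
	}
	return out, rejected
}

// parseBody decodes the full JSON body into the model, as described above.
func parseBody(body []byte) (User, error) {
	var u User
	err := json.Unmarshal(body, &u)
	return u, err
}

func main() {
	// Constructed sample data: a non-admin user updating their own profile.
	alice := User{Identifier: "alice", Email: "a@example.test", PeerCount: 2}
	in, _ := parseBody([]byte(`{"Email":"b@example.test","IsAdmin":true,"PeerCount":99}`))
	hardened, rejected := preserveHardened(alice, alice, in)
	fmt.Println("vulnerable IsAdmin:", preserveVulnerable(alice, in).IsAdmin)
	fmt.Println("hardened IsAdmin:", hardened.IsAdmin, "rejected change:", rejected)
}
```

The `rejected` flag gives a detection hook: a non-admin request that tries to change `IsAdmin` is worth logging even when the value is safely discarded.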
Details
- CWE(s)