Cyber Resilience

CVE-2026-27899

High

Published: 26 February 2026

Modified: 02 March 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27899 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wgportal Wireguard Portal. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 22.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-27899 is an improper privilege management vulnerability (CWE-269, CWE-863) in WireGuard Portal (wg-portal), a web-based configuration portal for WireGuard server management. In versions prior to 2.1.3, the server fails to protect the `IsAdmin` boolean field during user profile updates. When an authenticated user sends a PUT request to their own profile endpoint with `"IsAdmin": true` in the JSON body, the server parses the full body into the user model. A function preserves certain protected attributes like base model data and linked peer counts, but overlooks `IsAdmin`, allowing the client-supplied value to be written directly to the database.

Any authenticated non-admin user (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). After sending the malicious PUT request, logging out and back in grants the attacker full administrative privileges, providing complete control over the WireGuard VPN management portal. The CVSS 3.1 base score is 8.8 (C:H/I:H/A:H/S:U), reflecting high impacts on confidentiality, integrity, and availability.

The vulnerability was addressed in wg-portal version 2.1.3, with Docker images tagged 'latest' built from the master branch also including the fix. Additional details are available in the GitHub security advisory at https://github.com/h44z/wg-portal/security/advisories/GHSA-5rmx-256w-8mj9.
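
The mass-assignment pattern described above, reduced to an added example that is not wg-portal's code or its actual patch: the `User` struct, the `pinVulnerable`/`pinHardened` helpers and the request body are hypothetical, constructed for illustration. It assumes role changes are handled by a separate admin-only path.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical, reduced user model (not wg-portal's real struct).
type User struct {
	Identifier string
	Email      string
	IsAdmin    bool
	PeerCount  int // calculated server-side, never client-controlled
}

// pinVulnerable restores only some protected fields from the stored record,
// reproducing the flaw described above: IsAdmin stays as the client sent it.
func pinVulnerable(stored, incoming User) User {
	incoming.Identifier = stored.Identifier
	incoming.PeerCount = stored.PeerCount
	return incoming
}

// pinHardened also pins IsAdmin, so the self-service path can never change role.
// Assumption: role changes go through a separate admin-only code path.
func pinHardened(stored, incoming User) User {
	out := pinVulnerable(stored, incoming)
	out.IsAdmin = stored.IsAdmin
	return out
}

// UpdateSelf parses the whole JSON body into the model, then applies pin.
func UpdateSelf(stored User, body []byte, pin func(User, User) User) (User, error) {
	var incoming User
	if err := json.Unmarshal(body, &incoming); err != nil {
		return stored, err
	}
	return pin(stored, incoming), nil
}

func main() {
	stored := User{Identifier: "alice", Email: "a@example.test", PeerCount: 2}
	body := []byte(`{"Email":"new@example.test","IsAdmin":true}`) // constructed body
	v, _ := UpdateSelf(stored, body, pinVulnerable)
	h, _ := UpdateSelf(stored, body, pinHardened)
	fmt.Println("vulnerable IsAdmin:", v.IsAdmin, "| hardened IsAdmin:", h.IsAdmin)
}
```

A regression test for this class of bug asserts that a non-admin profile update leaves the stored role unchanged while legitimate fields such as `Email` still update.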


Vulnerability details

WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Improper privilege management (CWE-269/863) allows an authenticated low-privileged user to directly set IsAdmin=true via the profile update API, enabling exploitation for privilege escalation to full admin control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27802: Shared CWE-269, CWE-863
CVE-2026-23896: Shared CWE-269
CVE-2026-40291: Shared CWE-269, CWE-863
CVE-2025-0893: Shared CWE-269
CVE-2025-2858: Shared CWE-269
CVE-2026-31368: Shared CWE-269
CVE-2026-21983: Shared CWE-269
CVE-2024-49742: Shared CWE-269
CVE-2026-1993: Shared CWE-269
CVE-2026-29124: Shared CWE-269

Affected Assets

wgportal
wireguard portal
≤ 2.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces approved authorizations, preventing non-admin users from modifying their own IsAdmin field via unprotected PUT requests to the user profile endpoint.

prevent

Restricts privileges to the minimum necessary, blocking unauthorized self-escalation to full administrator access in wg-portal.

prevent

Validates JSON inputs to the profile update endpoint, ensuring client-supplied IsAdmin values are rejected or ignored before database persistence.
