CVE-2026-29789
Published: 06 March 2026
Summary
CVE-2026-29789 is a critical-severity Missing Authorization (CWE-862) vulnerability in Vitodeploy Vito. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-5 (Separation of Duties).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the missing authorization check on foreign server_ids in workflow site-creation actions.
AC-6 enforces least privilege, restricting workflow write access to only the user's own project and preventing cross-project server management.
AC-5 implements separation of duties to ensure workflow management duties are isolated by project, mitigating unauthorized access across project boundaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization check (CWE-862) in workflow actions allows low-privileged authenticated user to perform cross-project server/site operations, directly constituting exploitation of a software vulnerability for unauthorized privilege escalation.
NVD Description
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project…
more
to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
Deeper analysisAI
CVE-2026-29789 is a missing authorization vulnerability (CWE-862) in Vito, a self-hosted web application designed to manage servers and deploy PHP applications to production environments. The flaw exists in workflow site-creation actions prior to version 3.20.3, where insufficient checks allow unauthorized access across project boundaries.
An authenticated attacker with low privileges—specifically workflow write access in one project—can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying a foreign server_id, the attacker can create and manage sites on servers belonging to other projects, potentially leading to high impacts on confidentiality, integrity, and availability (CVSS v3.1 score: 9.9; AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
The vulnerability has been patched in Vito version 3.20.3. Security practitioners should upgrade to this version immediately. Additional details on the fix are provided in the GitHub security advisory (GHSA-3m6w-8qh4-qr76), pull request #1036, commit 0fdcfe5f0b93da644a0456e0e4544763828e3326, and release notes for v3.20.3.
Details
- CWE(s)