CVE-2026-30269
Published: 20 April 2026
Summary
CVE-2026-30269 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Doorman Doorman. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations on the /platform/user/{username} endpoint to block unauthorized self-updates to privileged roles.
Applies least privilege to restrict authenticated users from escalating their own roles without manage_users permission.
Requires management of user accounts and roles to prevent self-modification vulnerabilities in account update processes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct improper access control flaw in role-update endpoint allows low-privileged authenticated users to escalate to high-privileged roles via crafted request, matching exploitation for privilege escalation.
NVD Description
Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for…
more
self-updates, enabling privilege escalation to high-privileged roles.
Deeper analysisAI
CVE-2026-30269, published on 2026-04-20, is an improper access control vulnerability (CWE-269) in Doorman versions v0.1.0 and v1.0.2. It enables any authenticated user to update their own account role to a non-admin privileged role via the /platform/user/{username} endpoint. The update model accepts the `role` field without enforcing a manage_users permission check for self-updates, allowing unauthorized privilege escalation to high-privileged roles. The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
Any low-privileged authenticated user can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation involves sending a crafted request to the vulnerable endpoint to modify their own role, achieving privilege escalation to high-privileged roles. This grants attackers high impact on confidentiality and integrity, with scope expansion due to the escalated permissions, alongside low availability impact.
Mitigation details are available in the referenced advisory at https://blog.orxiain.life/archives/cve-2026-30269---improper-access-control-in-doorman-allows-privilege-escalation and the Doorman GitHub repository at https://github.com/apidoorman/doorman.
Details
- CWE(s)