CVE-2026-33549
Published: 22 March 2026
Summary
CVE-2026-33549 is a medium-severity Function Call With Incorrect Variable or Reference as Argument (CWE-688) vulnerability in SPIP (vendor Spip, product Spip). Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 12.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly mitigates the privilege escalation flaw by requiring timely identification, reporting, and correction of the flaw, i.e., patching to version 4.4.13, which addresses the STATUT mishandling.
- AC-6 (Least Privilege): enforces least privilege so that low-privilege authenticated users cannot edit author data structures in ways that assign administrator privileges.
- AC-2 (Account Management): requires proper management of user accounts and privileges so that unintended assignments do not occur during author data structure modifications.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE describes a privilege escalation vulnerability allowing an authenticated low-privileged user to gain administrator rights via improper STATUT field handling in the SPIP CMS author editing flow; this directly matches T1068 (Exploitation for Privilege Escalation).
NVD Description
SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
Deeper analysis (AI)
CVE-2026-33549 is a privilege escalation vulnerability in SPIP, an open-source content management system, affecting versions 4.4.10 through 4.4.12 (fixed in 4.4.13). The flaw stems from improper handling of the STATUT field during the editing of an author data structure, enabling unintended assignment of administrator privileges. It is classified under CWE-688 (Function Call With Incorrect Variable or Reference as Argument) and carries a CVSS v3.1 base score of 6.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L), indicating medium severity with high confidentiality and integrity impacts.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into performing a specific edit action. Successful exploitation allows the attacker to elevate privileges to administrator level, potentially granting full control over the SPIP instance, including high-impact access to sensitive data (C:H), modification of site content and configurations (I:H), and limited disruption to availability (A:L).
The official SPIP security advisory recommends immediate upgrade to version 4.4.13, which addresses the issue via a specific commit (b8481a7feb00f301f0ff7d5ce2aad8a772d92c2e) and associated merge request. Details are available in the SPIP blog post announcing the release and the corresponding Git repository changes.
Details
- CWE(s)