Cyber Posture

CVE-2026-34427

High · Public PoC

Published: 20 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available (Vvveb 1.0.8.1, see below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (56.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34427 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 43.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations in the admin profile save endpoint to prevent authenticated users from modifying privileged fields like role_id.

AC-6 Least Privilege (prevent): Restricts user privileges to the minimum necessary, prohibiting self-escalation to Super Administrator via profile modifications.

Input validation (prevent): Validates and sanitizes input parameters such as role_id in profile save requests to block unauthorized privilege escalation attempts.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is a privilege escalation allowing low-privileged authenticated users to modify their profile's role_id parameter to gain Super Administrator access, directly enabling T1068 (Exploitation for Privilege Escalation). This unlocks further capabilities like plugin upload leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.

Deeper analysis

CVE-2026-34427 is a privilege escalation vulnerability affecting Vvveb versions prior to 1.0.8.1. The issue resides in the admin user profile save endpoint, where authenticated users can modify privileged fields on their own profile. By injecting the parameter role_id=1 into profile save requests, attackers can elevate their privileges to Super Administrator. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-915.

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants Super Administrator access, which unlocks the plugin upload functionality and enables remote code execution on the server.

Mitigation is available via the official patch in Vvveb release 1.0.8.1, detailed in the corresponding GitHub commit (0eca14af50f038915b8bf7ceec2becf6b6720b0a). Additional guidance is provided in the Vulncheck advisory on the privilege escalation via admin user save.
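As an added illustration (not code from Vvveb, the patch commit, or this advisory), the mass-assignment pattern behind this CVE modelled in Python: a profile-save handler that binds every submitted field, beside one that binds only an allowlist and reports the rest, plus a detection check over constructed request records. The User class, the /admin/user/save path, the session_role field and the log format are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

SUPER_ADMIN_ROLE_ID = 1  # the page's role_id=1 (value constructed for this example)

@dataclass
class User:  # hypothetical user record, not Vvveb's actual model
    id: int
    username: str
    email: str
    role_id: int

# Fields a user may change on their own profile. Anything else, role_id above
# all, is privileged and must never be bound from the request body.
SELF_EDITABLE = frozenset({"username", "email"})

def save_profile_vulnerable(user: User, form: dict) -> User:
    """CWE-915 pattern: every submitted key matching an attribute is written."""
    for key, value in form.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user

def save_profile_fixed(user: User, form: dict) -> tuple[User, list[str]]:
    """Allowlist binding: only SELF_EDITABLE keys apply; the rest are reported."""
    rejected = sorted(k for k in form if k not in SELF_EDITABLE)
    for key in SELF_EDITABLE:
        if key in form:
            setattr(user, key, form[key])
    return user, rejected

# Detection side: flag profile-save requests carrying role_id from a session
# that is not already super administrator. Records are constructed for this
# example as space-separated key=value pairs; adapt the parsing to a real log.
SAMPLE_LOG = [
    "user=alice session_role=3 path=/admin/user/save body=username=alice&email=a@example.test",
    "user=alice session_role=3 path=/admin/user/save body=username=alice&role_id=1",
    "user=root session_role=1 path=/admin/user/save body=username=bob&role_id=2",
]

def flag_role_tampering(log_lines: list[str]) -> list[str]:
    hits = []
    for line in log_lines:
        rec = dict(part.split("=", 1) for part in line.split())
        body = parse_qs(rec.get("body", ""))
        if (rec.get("path") == "/admin/user/save" and "role_id" in body
                and rec.get("session_role") != str(SUPER_ADMIN_ROLE_ID)):
            hits.append(rec["user"])
    return hits
```

The rejected list from save_profile_fixed is worth logging as well: a non-admin session submitting role_id is the same signal flag_role_tampering looks for after the fact.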

Details

CWE(s): CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)

CVEs Like This One

CVE-2026-34406 (shared CWE-915)
CVE-2026-34179 (shared CWE-915)
CVE-2025-15602 (shared CWE-915)
CVE-2026-34208 (shared CWE-915)
CVE-2026-6912 (shared CWE-915)
CVE-2026-5708 (shared CWE-915)
CVE-2026-27591 (shared CWE-915)
CVE-2026-33453 (shared CWE-915)
CVE-2026-40897 (shared CWE-915)
CVE-2025-31674 (shared CWE-915)
