Cyber Resilience

CVE-2026-35182

High · Public PoC

Published: 06 April 2026
Modified: 14 April 2026
KEV Added: not listed
CVSS Score (v3.1): 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0034 (25.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35182 is a high-severity Missing Authorization (CWE-862) vulnerability in Ajax30 Bravecms. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 25.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).

Deeper analysis

CVE-2026-35182 is a missing authorization vulnerability (CWE-862) in Brave CMS, an open-source content management system. The issue resides in the update role endpoint defined at routes/web.php, specifically the POST route /rights/update-role/{id}, which lacks the checkUserPermissions:assign-user-roles middleware prior to version 2.0.6. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Any authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a crafted POST request to the affected endpoint, an attacker can update user roles, including promoting their own account or others to Super Admin, thereby gaining full administrative control over the CMS instance.

The vulnerability is addressed in Brave CMS version 2.0.6, which adds the necessary authorization middleware to the endpoint. Security advisories published on GitHub detail the issue and recommend upgrading to the patched version immediately.

Vulnerability details

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/{id} lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to change account roles and promote themselves to Super Admin. This vulnerability is fixed in 2.0.6.
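The route-level fix described in the deeper analysis and in the vulnerability details above, as an added Laravel (PHP) illustration that is not Brave CMS's own code: the route as the page describes it before 2.0.6, the same route with the checkUserPermissions:assign-user-roles middleware attached, and a minimal middleware of that shape. The RightsController name, the hasPermission() method on the User model and the alias registration in Kernel.php are assumptions; the two file excerpts are shown in one listing.

```php
<?php
// Added illustration, not Brave CMS's own code. In a real application the
// middleware lives in app/Http/Middleware/ and the routes in routes/web.php.

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Symfony\Component\HttpFoundation\Response;

// ---- hypothetical implementation of the permission gate ----
// Registered (assumed) in app/Http/Kernel.php as
//   'checkUserPermissions' => \App\Http\Middleware\CheckUserPermissions::class
class CheckUserPermissions
{
    // Laravel passes the text after the colon in the alias
    // ('assign-user-roles') as the $permission argument.
    public function handle(Request $request, Closure $next, string $permission): Response
    {
        $user = $request->user();

        // Deny with 403 unless the authenticated user's role grants the named
        // permission. hasPermission() is an assumed User-model method, not a
        // Laravel built-in; any role/permission lookup with the same contract works.
        if ($user === null || ! $user->hasPermission($permission)) {
            abort(403, 'Forbidden: missing permission ' . $permission);
        }

        return $next($request);
    }
}

// ---- routes/web.php: only one of the two definitions would exist ----
// RightsController is a placeholder name for whatever controller serves the route.

// Before 2.0.6, as this page describes it: authentication alone gates the
// handler, so any logged-in user may POST a new role for any {id}, their own included.
Route::post('/rights/update-role/{id}', [RightsController::class, 'updateRole'])
    ->middleware(['auth']);

// 2.0.6 behaviour: the permission middleware runs before the controller, so a
// user lacking assign-user-roles receives 403 and no role is ever changed.
Route::post('/rights/update-role/{id}', [RightsController::class, 'updateRole'])
    ->middleware(['auth', 'checkUserPermissions:assign-user-roles']);
```

A quick regression check for deployments on 2.0.6 is to confirm that a user without the assign-user-roles permission receives a 403 from this route rather than a redirect or 200.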

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Missing authorization on the role update endpoint lets a low-privileged authenticated user escalate to Super Admin via a crafted POST, directly enabling T1068 (Exploitation for Privilege Escalation) and T1098 (Account Manipulation) by modifying user roles.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35164 (same product: Ajax30 Bravecms)
CVE-2026-35183 (same product: Ajax30 Bravecms)
CVE-2026-35047 (same product: Ajax30 Bravecms)
CVE-2026-7802 (shared CWE-862)
CVE-2026-4261 (shared CWE-862)
CVE-2023-47179 (shared CWE-862)
CVE-2024-13677 (shared CWE-862)
CVE-2026-25045 (shared CWE-862)
CVE-2025-8322 (shared CWE-862)
CVE-2025-8310 (shared CWE-862)

Affected Assets

ajax30 / bravecms, versions 2.0.0 to 2.0.6

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Requires enforcement of approved authorizations for access to system resources, directly addressing the missing authorization middleware on the update role endpoint.

prevent: Employs least privilege to restrict role update capabilities to only necessary authorized users, mitigating unauthorized privilege escalation.

prevent: Establishes conditions and approval processes for account and role management, preventing unauthorized changes to user roles.
