CVE-2026-35182
Published: 06 April 2026
Summary
CVE-2026-35182 is a high-severity Missing Authorization (CWE-862) vulnerability in Ajax30 Bravecms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood percentile is 13.3 (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Requires enforcement of approved authorizations for access to system resources, directly addressing the missing authorization middleware on the update role endpoint.
- AC-6 (Least Privilege): Employs least privilege to restrict role update capabilities to only the users who need them, mitigating unauthorized privilege escalation.
- AC-2 (Account Management): Establishes conditions and approval processes for account and role management, preventing unauthorized changes to user roles.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on the role update endpoint allows low-privileged authenticated users to escalate to Super Admin via a crafted POST request, directly enabling T1068 (Exploitation for Privilege Escalation) and T1098 (Account Manipulation) by modifying user roles.
NVD Description
Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/{id} lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to change account roles and promote themselves to Super Admin. This vulnerability is fixed in 2.0.6.
Deeper analysis
CVE-2026-35182 is a missing authorization vulnerability (CWE-862) in Brave CMS, an open-source content management system. The issue resides in the update role endpoint defined at routes/web.php, specifically the POST route /rights/update-role/{id}, which lacks the checkUserPermissions:assign-user-roles middleware prior to version 2.0.6. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Any authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a crafted POST request to the affected endpoint, an attacker can update user roles, including promoting their own account or others to Super Admin, thereby gaining full administrative control over the CMS instance.
The vulnerability is addressed in Brave CMS version 2.0.6, which adds the necessary authorization middleware to the endpoint. Security advisories published on GitHub detail the issue and recommend upgrading to the patched version immediately.
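As an added defensive check (not code from the Brave CMS project or this advisory), the following Python script audits a Laravel-style routes file for routes under a privileged path prefix whose effective middleware, inline chain plus enclosing ->group() wrappers, lacks the permission check named above. The routes excerpt and controller names are constructed for illustration.

```python
import re

# Constructed excerpt shaped like the advisory's routes/web.php: the first
# /rights/update-role route has no middleware (the pre-2.0.6 defect); the
# others are protected inline or by a ->group() wrapper. Controller names are assumed.
SAMPLE_ROUTES = """
Route::post('/rights/update-role/{id}', [RightsController::class, 'updateRole']);
Route::middleware(['auth', 'checkUserPermissions:assign-user-roles'])->group(function () {
    Route::post('/rights/assign/{id}', [RightsController::class, 'assign']);
});
Route::post('/rights/delete-role/{id}', [RightsController::class, 'destroy'])
    ->middleware('checkUserPermissions:assign-user-roles');
"""

ROUTE_RE = re.compile(r"Route::(get|post|put|patch|delete|any)\(\s*'([^']+)'")
MW_RE = re.compile(r"middleware\(\s*(\[[^\]]*\]|'[^']*')\s*\)")

def _join_chains(source):
    """Fold continuation lines beginning with '->' into the statement above."""
    out = []
    for raw in source.splitlines():
        line = raw.strip()
        if line.startswith("->") and out:
            out[-1] += line
        elif line:
            out.append(line)
    return out

def find_unprotected_routes(source, path_prefix, required):
    """Return (METHOD, path) for routes under path_prefix whose effective
    middleware (inline chain plus enclosing groups) lacks `required`."""
    findings, group_stack = [], []   # group_stack: middleware of open ->group() blocks
    for line in _join_chains(source):
        declared = set()
        for arg in MW_RE.findall(line):
            declared.update(re.findall(r"'([^']+)'", arg))
        if "->group(" in line:
            group_stack.append(declared)
            continue
        if line.startswith("})") and group_stack:
            group_stack.pop()
            continue
        m = ROUTE_RE.search(line)
        if m and m.group(2).startswith(path_prefix):
            if required not in declared.union(*group_stack):
                findings.append((m.group(1).upper(), m.group(2)))
    return findings

if __name__ == "__main__":
    print(find_unprotected_routes(SAMPLE_ROUTES, "/rights/", "checkUserPermissions:assign-user-roles"))
```

Run against a real routes/web.php, the script flags the same shape of defect the advisory describes: a role-changing route reachable without the assign-user-roles permission check.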
Details
- CWE(s)