CVE-2026-6356

Critical

Published: 22 April 2026

Published

22 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0003 9.2th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6356 is a critical-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates and sanitizes user inputs including manipulated parameters to prevent privilege escalation exploits in the web application.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations in the web application, blocking standard users from escalating to super administrator privileges.

AC-6 Least Privilege partial match

prevent

Limits privileges to the minimum necessary, reducing the impact of potential privilege escalation even if parameter manipulation partially succeeds.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The CVE describes a privilege escalation vulnerability allowing low-privileged users to gain super administrator access via parameter manipulation in a web application, directly enabling exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information.

Deeper analysisAI

CVE-2026-6356 is a privilege escalation vulnerability in a web application that allows standard users to elevate their privileges to super administrator levels through parameter manipulation. This flaw enables attackers to access and modify sensitive information. It carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-1220. The vulnerability was published on 2026-04-22.

Standard users with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity and no user interaction required. Successful exploitation changes the scope (S:C) and results in high impacts to confidentiality and integrity (C:H/I:H), allowing attackers to gain super administrator access and manipulate sensitive data, while availability remains unaffected (A:N).

For mitigation details, refer to the advisories and resources in the referenced GitHub repositories at https://github.com/Penguinsecq/CVE-2026-6356/.

Details

CWE(s): CWE-1220

CVEs Like This One

CVE-2026-33825Shared CWE-1220

CVE-2024-53295Shared CWE-1220

CVE-2025-7493Shared CWE-1220

CVE-2026-6388Shared CWE-1220

CVE-2025-20111Shared CWE-1220

CVE-2024-13256Shared CWE-1220

CVE-2023-31342Shared CWE-1220

CVE-2023-31343Shared CWE-1220

References

https://github.com/Penguinsecq/CVE-2026-6356/
cret@cert.org
https://github.com/Penguinsecq/CVE-2026-6356/
134c704f-9b21-4f2e-91b3-4a467353bcc0