CVE-2026-30269

Published: Apr 20, 2026Modified: Apr 27, 2026

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Exploitability: 3.1 / Impact: 6.0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles.

Affected (2)

Products: Doorman: Doorman

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Doorman Doorman	Version 0.1.0
Doorman Doorman	Version 1.0.2

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

https://blog.orxiain.life/archives/cve-2026-30269---improper-access-control-in-doorman-allows-privilege-escalation

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/apidoorman/doorman

Source: cve@mitre.org

Product

Timeline

No history available yet.