Docker
CVE-2026-27899
HIGH
GHSA-5rmx-256w-8mj9
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the IsAdmin boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for IsAdmin. As a result, whatever value the client sends for IsAdmin is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.
AnalysisAI
Privilege escalation in WireGuard Portal prior to version 2.1.3 allows authenticated non-admin users to gain full administrator access by modifying their own user profile with an IsAdmin flag set to true. The vulnerability exists because the server fails to properly validate and restrict the IsAdmin field during profile updates, allowing the privilege change to persist after re-authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | WireGuard Portal versions prior to 2.1.3 with authenticated user access. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker (requires authentication) could exploit this vulnerability to compromise the affected system. |
| Remediation | A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WireGuard Portal instances and their versions; assess user account activity logs for suspicious privilege escalation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in
Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote
Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as t
Server-side request forgery in Crawl4AI's Docker API server (versions <= 0.8.8) allows unauthenticated remote attackers
Vendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today