Skip to main content

Pelican WebUI CVE-2026-42571

CRITICAL
Incorrect Authorization (CWE-863)
2026-05-04 https://github.com/PelicanPlatform/pelican GHSA-rpfr-x88x-xwcw
9.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 09, 2026 - 20:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 09, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 09, 2026 - 20:22 NVD
9.0 (CRITICAL)
Source Code Evidence Fetched
May 04, 2026 - 21:47 vuln.today
Analysis Generated
May 04, 2026 - 21:47 vuln.today

DescriptionGitHub Advisory

Background

On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI) for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. These may include servers with the following configuration variables enabled:

  • Server.UIAdminUsers: Affected if any of the listed admin users or the default admin account have not previously logged in to the server.
  • Server.AdminGroups: Affected if Issuer.GroupSource is set to internal and an admin of the group has not previously logged in to the server.

The OSDF operations team has mitigated these for core services, origins, and caches operated by the PATh project. However, mitigation may be needed for caches and origins not centrally operated.

Pelican Command Line has not currently identified any evidence this attack has been exploited in the services managed by OSDF operators.

Severity and Impact

When leveraged, an attacker with any kind of authenticated session on the server can create database records that cause the server to grant them admin privileges on subsequent login. Critically, admin access enables modifying the server's configuration, creating persistent API tokens, and changing admin passwords. The table below summarizes potential implications of this exploit.

ServiceData exposure riskData tampering riskFederation-wide impact
DirectorLow (no data stored)High - can modify configuration to point to a different RegistryHigh - can modify configuration to add GeoIP overrides to steer federation. Denial of service on the federation
RegistryLowHigh - can modify existing or create malicious namespaces that impersonate trusted pathsHigh - federation-wide namespace poisoning. Denial of service on the federation
OriginHigh - can expose protected paths via config or export object store/filesystem paths into a namespaceHigh - can potentially enable writes + change export pathsMedium - scoped to that origin's namespaces
CacheMedium - can expose cached protected data via config changesLow - caches don't originate dataLow - scoped to that cache

Attack Preconditions

Both attacks share the same prerequisites:

  1. The server's OIDC logins must be enabled.
  2. The attacker must have some form of authenticated session on the server, typically from an OIDC login.
  3. The attacker must know or guess a relevant admin identifier (a Server.UIAdminUsers username or a Server.AdminGroups group name) for an admin who has not previously logged into the WebUI.

Immediate Mitigation Steps

1. Audit the consuming service's database

Before upgrading, Pelican Command Line recommends auditing the service's database to see if it has already been exploited and to block further exploitation. Upgrading an exploited server is insufficient to prevent future unauthorized access if the exploit has already occurred.

Pelican Command Line is providing a script mitigate-user-escalation.sh that:

  • Displays all user records and group memberships for manual review, highlighting any that show fingerprints of the attack with [!] for explicit review - administrators should verify all entries, but especially those with this syntax highlighting. The highlighted changes do not guarantee an exploit occurred but that further examination is needed.
  • Creates database records mitigating the attack vector.
  • Displays all API tokens, which may have been created by an attacker for persistent access, for administrator review. Suspicious tokens should be deleted using the provided SQLite commands.
  • Provides additional guidance about rotating secrets on the server.

This script is available as a github gist: https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9

To run the script:

bash
# Run as the same user that runs the Pelican server (e.g., pelican):
$ sudo bash mitigate-user-escalation.sh
# If using a non-standard config file:
$ sudo bash mitigate-user-escalation.sh --config /path/to/pelican.yaml
# If the database is in a non-standard location:
$ sudo bash mitigate-user-escalation.sh --db-path /path/to/pelican.sqlite

2. Upgrade to a patched version

Administrators for Pelican servers running an affected version should upgrade to a patched release. Within each minor release series, these versions include:

  • >=v7.21.5
  • >=v7.22.3
  • >=v7.23.3
  • >=v7.24.2

Administrators can check their server's version by invoking pelican with the --version flag, or by inspecting the WebUI's ? icon displayed in the lower left corner.

3. Disable vulnerable configuration if not upgrading immediately

If administrators are unable to upgrade to a patched version, disable the vulnerable configuration by commenting or removing the relevant settings from the service's pelican.yaml:

yaml
Server:
# Comment or remove these lines:
# UIAdminUsers:
#   - user1
#   - user2
# AdminGroups:
#   - admin-group

> Note: Disabling Server.UIAdminUsers removes OIDC-based admin access entirely, leaving only password-based login for admin access. Ensure the project has a working admin password before making this change.

If a server doesn't currently configure Server.UIAdminUsers or Server.AdminGroups, *do not populate these settings until the administrator has upgraded to a patched version.* If their project doesn't currently have these configured but have in the past, they should still audit the records using the provided mitigation script.

Long-Term Fixes

In addition to closing the immediate vulnerabilities, the Pelican development team is working toward several defense-in-depth solutions to minimize the risk of similar vulnerabilities in the future. These include:

  • Reviewing all code in the vicinity of these vulnerabilities for other attack vectors.
  • Changing internal frameworks so security implications of new APIs are more visible to code reviewers.
  • Automating security scanning using coding agents like the one that discovered this class of vulnerabilities.

AnalysisAI

Authenticated attackers can escalate privileges to administrator in Pelican Web User Interface versions 7.21 through 7.24 by manipulating database records before legitimate admin users log in. This vulnerability was discovered by a Claude coding agent on April 2, 2026, and affects servers with Server.UIAdminUsers or Server.AdminGroups configured where designated admins have not previously authenticated. No public exploit code exists, and Pelican Command Line reports no confirmed exploitation in OSDF-managed services. Vendor patches are available across all affected minor release series (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2), with fix commit 7f73b9c3e677 addressing CWE-863 (Incorrect Authorization).

Technical ContextAI

Pelican is a data federation platform written in Go (github.com/pelicanplatform/pelican) that provides WebUI authentication via OAuth/OIDC. The vulnerability stems from CWE-863 (Incorrect Authorization) in how the WebUI handles admin privilege assignment through database records. When Server.UIAdminUsers or Server.AdminGroups configuration variables are enabled but designated admins have not yet logged in, the system fails to properly validate authorization before creating database entries that grant admin privileges. The attack exploits a race condition in the privilege initialization logic: any authenticated OAuth user can create database records that the server then trusts on subsequent logins to grant administrator access. This affects the SQLite database backend where user records and group memberships are stored, allowing persistent privilege escalation through database manipulation rather than traditional session hijacking.

RemediationAI

Administrators must follow a three-step process before upgrading. First, run the vendor-provided audit script (https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9) as the Pelican service user to inspect the SQLite database for exploitation indicators marked with [!], review all user records and group memberships for unauthorized admin privileges, audit API tokens for attacker-created persistence mechanisms, and create database records that block the attack vector - this step is MANDATORY because upgrading alone does not remove attacker-created admin privileges if exploitation already occurred. Second, upgrade to patched versions: 7.21.5 or later for 7.21.x series, 7.22.3 or later for 7.22.x series, 7.23.3 or later for 7.23.x series, or 7.24.2 or later for 7.24.x series (commit 7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854). Verify current version via 'pelican --version' command or WebUI '?' icon in lower left corner. Third, if immediate upgrade is not possible, disable vulnerable configuration by commenting out or removing Server.UIAdminUsers and Server.AdminGroups entries from pelican.yaml - WARNING: this removes OIDC-based admin access entirely, requiring password-based login, so verify admin password access works before making this change. Do NOT populate these configuration variables on unpatched servers even if not currently configured. Long-term defensive measures include code review of authorization APIs, framework changes for security-visible code review, and automated security scanning using coding agents. Advisory available at https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw with patch at https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854.

Share

CVE-2026-42571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy