Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affected by this vulnerability is the function updateUserrole of the file actions/update-user-role.ts. The manipulation of the argument userId/role results in improper authorization. The attack may be launched remotely.
AnalysisAI
Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.
Technical ContextAI
The vulnerability resides in a Next.js server action (actions/update-user-role.ts) commonly used in SaaS applications for role-based access control (RBAC) modifications. Next-saas-stripe-starter is a TypeScript-based starter template integrating Stripe payment processing with user management, typically deployed in Node.js/Vercel environments. The root cause is classified under CWE-285 (Improper Authorization), specifically an insufficient authorization check where user input (userId and role parameters) is not properly validated against the requester's permissions before execution. The function likely fails to verify that the authenticated user has administrative privileges or authorization to modify roles for the target user, allowing horizontal or vertical privilege escalation through direct parameter manipulation.
RemediationAI
Immediately upgrade next-saas-stripe-starter to a patched version if the maintainer has released one, or apply a manual security patch to actions/update-user-role.ts that enforces proper authorization checks before role modifications (verify the authenticated user is an administrator and has explicit permission to modify the target user's role). As a compensating control pending patch availability, implement server-side middleware that restricts the updateUserRole action to users with administrative roles via middleware enforcement in your Next.js configuration, and audit all recent role modification logs for unauthorized changes. Review and restrict API endpoint access to the role update function through network controls and request signing mechanisms if operating in a critical environment. Monitor the official next-saas-stripe-starter GitHub repository (https://github.com/mickasmt/next-saas-stripe-starter/releases) for security updates and consider contributing a fix upstream if you identify the precise authorization logic flaw.
More in Next Saas Stripe Starter
View allA business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe f
An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerP
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14306
GHSA-8fh2-hm78-4frg