Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity attack needing an existing non-admin account (PR:L) and no user interaction; admin takeover yields full C/I/A impact with no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such as roles and group by submitting changes through a related entity's save path, bypassing the USER_RESTRICTED_FIELDS control and causing the JPA persistence layer to flush attacker-supplied admin role and group assignments on commit.
AnalysisAI
Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated non-admin account on the target Axelor Open Platform instance (CVSS PR:L) and the ability to submit a save operation on an entity that has a relational path to the User record; the malicious admin role and group values are supplied within that nested relational payload so they bypass the USER_RESTRICTED_FIELDS check that only guards direct User saves. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The available signals are largely consistent and point to a genuine priority for any Axelor deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding an ordinary authenticated Axelor account crafts a save request against an entity that has a relation to their own User record, embedding admin role and group values into the nested User payload. On transaction commit, Hibernate flushes the attacker-supplied roles and group, silently promoting the account to administrator. … |
| Remediation | Vendor-released patch: 8.2.2 - upgrade Axelor Open Platform to v8.2.2 or later (release: https://github.com/axelor/axelor-open-platform/releases/tag/v8.2.2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Axelor Open Platform 8.x instances; restrict platform access to essential users only; enable detailed audit logging of user role and group modifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44950
GHSA-fgwg-8qwr-qvw3