Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (cisa-cg) · only source for this CVE.
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.
AnalysisAI
Privilege escalation in CISA's manage.get.gov 1.x allows organization administrators to assign domain manager privileges for domains outside their portfolio, including legacy domains not associated with any organization. The vulnerability enables cross-portfolio domain takeover scenarios where an authenticated admin can grant themselves or others unauthorized domain management access. Fixed in version 1.176.0 released April 30, 2026. No public exploit identified at time of analysis, EPSS risk assessment not available for this CVE.
Technical ContextAI
manage.get.gov is CISA's official .gov top-level domain registrar built on Django/Python. The platform uses a portfolio-based organizational model where domains are associated with specific portfolios, and administrators can manage members' domain permissions. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment) in the member domain assignment endpoint. The affected code failed to validate portfolio boundaries when assigning UserDomainRole objects, allowing administrators to reference domain IDs from other portfolios or legacy domains (portfolio=None) when granting manager privileges. The patch introduces portfolio ownership checks before allowing domain assignment or removal operations, explicitly returning HTTP 403 for cross-portfolio operations. The source diff shows comprehensive test coverage added for three forbidden scenarios: cross-portfolio assignment, cross-portfolio removal, and legacy domain manipulation.
RemediationAI
Upgrade to manage.get.gov version 1.176.0 or later, released on April 30, 2026. The fix is documented in GitHub PR 4900 (https://github.com/cisagov/manage.get.gov/pull/4900) and release v1.176.0 (https://github.com/cisagov/manage.get.gov/releases/tag/v1.176.0). The patch adds portfolio boundary validation to the member domain assignment endpoint, returning HTTP 403 Forbidden for cross-portfolio operations. For environments unable to upgrade immediately, restrict organization administrator role assignments and audit existing UserDomainRole grants for anomalous cross-portfolio assignments via database queries against DomainInformation.portfolio foreign keys. Note that compensating controls are limited since the vulnerability requires legitimate admin credentials; focus should be on rapid patching. Review logs around the member domains edit endpoint for suspicious POST requests with domain IDs from other portfolios (GitHub issue 4858 provides additional context: https://github.com/cisagov/manage.get.gov/issues/4858).
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28434