Skip to main content

manage.get.gov EUVDEUVD-2026-28434

| CVE-2026-43510 MEDIUM
Incorrect Privilege Assignment (CWE-266)
2026-05-07 cisa-cg
5.1
CVSS 4.0 · Vendor: cisa-cg
Share

Severity by source

Vendor (cisa-cg) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (cisa-cg) · only source for this CVE.

CVSS VectorVendor: cisa-cg

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Jun 25, 2026 - 17:22 NVD
HIGH MEDIUM
CVSS changed
Jun 25, 2026 - 17:22 NVD
7.0 (HIGH) 5.1 (MEDIUM)
Re-analysis Queued
May 07, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 07, 2026 - 20:22 NVD
7.6 (HIGH) 7.0 (HIGH)
Source Code Evidence Fetched
May 07, 2026 - 20:00 vuln.today
Analysis Generated
May 07, 2026 - 20:00 vuln.today
CVE Published
May 07, 2026 - 18:50 nvd
HIGH 7.6

DescriptionCVE.org

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30.

AnalysisAI

Privilege escalation in CISA's manage.get.gov 1.x allows organization administrators to assign domain manager privileges for domains outside their portfolio, including legacy domains not associated with any organization. The vulnerability enables cross-portfolio domain takeover scenarios where an authenticated admin can grant themselves or others unauthorized domain management access. Fixed in version 1.176.0 released April 30, 2026. No public exploit identified at time of analysis, EPSS risk assessment not available for this CVE.

Technical ContextAI

manage.get.gov is CISA's official .gov top-level domain registrar built on Django/Python. The platform uses a portfolio-based organizational model where domains are associated with specific portfolios, and administrators can manage members' domain permissions. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment) in the member domain assignment endpoint. The affected code failed to validate portfolio boundaries when assigning UserDomainRole objects, allowing administrators to reference domain IDs from other portfolios or legacy domains (portfolio=None) when granting manager privileges. The patch introduces portfolio ownership checks before allowing domain assignment or removal operations, explicitly returning HTTP 403 for cross-portfolio operations. The source diff shows comprehensive test coverage added for three forbidden scenarios: cross-portfolio assignment, cross-portfolio removal, and legacy domain manipulation.

RemediationAI

Upgrade to manage.get.gov version 1.176.0 or later, released on April 30, 2026. The fix is documented in GitHub PR 4900 (https://github.com/cisagov/manage.get.gov/pull/4900) and release v1.176.0 (https://github.com/cisagov/manage.get.gov/releases/tag/v1.176.0). The patch adds portfolio boundary validation to the member domain assignment endpoint, returning HTTP 403 Forbidden for cross-portfolio operations. For environments unable to upgrade immediately, restrict organization administrator role assignments and audit existing UserDomainRole grants for anomalous cross-portfolio assignments via database queries against DomainInformation.portfolio foreign keys. Note that compensating controls are limited since the vulnerability requires legitimate admin credentials; focus should be on rapid patching. Review logs around the member domains edit endpoint for suspicious POST requests with domain IDs from other portfolios (GitHub issue 4858 provides additional context: https://github.com/cisagov/manage.get.gov/issues/4858).

Share

EUVD-2026-28434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy