Vulnerability Description
In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Terminalfour | Terminalfour | >= 8.0.0, < 8.4.1.2 |
Related Weaknesses (CWE)
References
- https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/Vendor Advisory
- https://terminalfour.comProduct
FAQ
What is CVE-2025-58386?
CVE-2025-58386 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this paramet...
How severe is CVE-2025-58386?
CVE-2025-58386 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-58386?
Check the references section above for vendor advisories and patch information. Affected products include: Terminalfour Terminalfour.