Vulnerability Description
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Formwork Project | Formwork | >= 2.0.0, < 2.3.4 |
Related Weaknesses (CWE)
References
- https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ePatch
- https://github.com/getformwork/formwork/releases/tag/2.3.4ProductRelease Notes
- https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2PatchVendor Advisory
FAQ
What is CVE-2026-27198?
CVE-2026-27198 is a vulnerability with a CVSS score of 8.8 (HIGH). Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the...
How severe is CVE-2026-27198?
CVE-2026-27198 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27198?
Check the references section above for vendor advisories and patch information. Affected products include: Formwork Project Formwork.