Formwork: User with Editor Role Can Gain Admin Access
CVE-2026-27198
GHSA-34p4-7w83-35g2
Summary
A security flaw in Formwork allows an authenticated user with the 'editor' role to create new accounts with admin privileges, giving them full control over the CMS and its data. This could lead to sensitive information being accessed or modified. To fix this, update to Formwork 2.3.4.
What to do
- Update getformwork/formwork to version 2.3.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| getformwork | formwork | > 2.0.0 , <= 2.3.3 | 2.3.4 |
| formwork_project | formwork | > 2.0.0 , <= 2.3.4 | – |

Note: the two rows disagree on whether 2.3.4 is affected. The vendor advisory and release notes referenced below name 2.3.4 as the release that fixes this issue, so treat 2.3.4 as the patched version and anything from 2.0.1 through 2.3.3 as vulnerable.
Original title
Formwork Improperly Managed Privileges in User creation
Original description
### Summary
The application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS.
### Impact
Successful exploitation allows an attacker to:
- Gain full administrative control over the CMS.
- Access all site data and user information.
- Modify system configuration and security settings.
- Create, modify, or delete any user account, including legitimate administrators.
### Patches
[Formwork 2.3.4](https://github.com/getformwork/formwork/releases/tag/2.3.4) properly assigns roles on user creation.
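The advisory's root cause is a role-existence check standing in for an authorization check. The following is an added illustration, not Formwork's own code: a minimal user-creation handler modelled on the described flaw, beside a fixed version that also asks whether the acting user is allowed to hand out the requested role. The role table, the permission names and the `users.create` gate are assumptions made for the demo and are not Formwork's real roles or permissions.

```python
# Added illustration of CWE-269 as described in the advisory. Not Formwork code;
# the role table and permission names below are assumptions for this demo only.
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the acting user is not allowed to perform the operation."""


# Hypothetical role table: each role maps to the permissions it grants.
ROLE_PERMISSIONS = {
    "admin": frozenset({"users.create", "users.delete", "site.settings", "pages.edit"}),
    "editor": frozenset({"users.create", "pages.edit"}),
    "user": frozenset({"pages.edit"}),
}


@dataclass
class User:
    username: str
    role: str

    def has(self, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS[self.role]


def create_user_vulnerable(actor: User, username: str, role: str, store: dict) -> User:
    """Pre-fix behaviour: checks that the actor may create users and that the
    requested role exists, but never asks whether the actor may *assign* it."""
    if not actor.has("users.create"):
        raise AuthorizationError(f"{actor.username} cannot create users")
    if role not in ROLE_PERMISSIONS:          # role exists: the only check on 'role'
        raise ValueError(f"unknown role {role!r}")
    if username in store:
        raise ValueError(f"user {username!r} already exists")
    store[username] = User(username, role)
    return store[username]


def can_assign_role(actor: User, role: str) -> bool:
    """An actor may grant only roles whose permissions are a subset of its own,
    so nobody can hand out more privilege than they currently hold. A subset
    comparison covers custom roles too, unlike a hard-coded 'role != admin'."""
    return role in ROLE_PERMISSIONS and ROLE_PERMISSIONS[role] <= ROLE_PERMISSIONS[actor.role]


def create_user_fixed(actor: User, username: str, role: str, store: dict) -> User:
    """Post-fix behaviour: the same checks plus the privilege comparison."""
    if not actor.has("users.create"):
        raise AuthorizationError(f"{actor.username} cannot create users")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if not can_assign_role(actor, role):     # the missing authorization step
        raise AuthorizationError(f"{actor.username} ({actor.role}) may not assign role {role!r}")
    if username in store:
        raise ValueError(f"user {username!r} already exists")
    store[username] = User(username, role)
    return store[username]


def escalation_succeeds(create) -> bool:
    """Drive the scenario from the advisory: an authenticated editor tries to
    create an admin account, then we check whether that account holds
    admin-only permissions. Returns True if the escalation worked."""
    store = {"alice": User("alice", "editor")}   # constructed sample data
    try:
        created = create(store["alice"], "mallory", "admin", store)
    except AuthorizationError:
        return False
    return created.has("site.settings") and created.has("users.delete")


if __name__ == "__main__":
    print("vulnerable handler, editor created admin:", escalation_succeeds(create_user_vulnerable))
    print("fixed handler,      editor created admin:", escalation_succeeds(create_user_fixed))
```

Run it to see the vulnerable handler report `True` and the fixed one `False`, while an editor can still create `editor` or `user` accounts. The same `can_assign_role` check belongs anywhere a role is written, for example when an existing account's role is edited, since the role-existence check alone proves nothing about who is doing the assigning.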
NVD CVSS 3.1
8.8
Vulnerability type
CWE-269: Improper Privilege Management
- https://nvd.nist.gov/vuln/detail/CVE-2026-27198
- https://github.com/advisories/GHSA-34p4-7w83-35g2
- https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3e... Patch
- https://github.com/getformwork/formwork/releases/tag/2.3.4 Product Release Notes
- https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2 Patch Vendor Advisory
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026