CVE-2026-27198 HIGH

CVE-2026-27198: Formwork Improperly Manages Privileges During User Creation

Vendor Getformwork
Product formwork
Weakness CWE-269
Published February 21, 2026
Last update February 24, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.

Key dates

02Disclosure timeline

February 21, 2026 CVE published
February 24, 2026 Record updated