CVE-2026-27899: The 'Are You God?' Checkbox in WireGuard Portal
Vulnerability ID: CVE-2026-27899
CVSS Score: 8.8
Published: 2026-02-26
A critical Privilege Escalation vulnerability in h44z/wg-portal allows any authenticated user to promote themselves to Administrator by simply adding a JSON field to a profile update request. This classic Mass Assignment vulnerability exposes the entire VPN management interface to compromise.
TL;DR
WireGuard Portal trusted user input too much. By sending "IsAdmin": true in a profile update, any standard user becomes a root-level administrator. Fixed in v2.1.3 by explicitly filtering sensitive fields.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-269 (Improper Privilege Management)
- Attack Vector: Network (API)
- CVSS v3.1: 8.8 (High)
- Exploit Status: Proof-of-Concept (Trivial)
- Patch Date: 2026-02-23
- Impact: Full Administrative Access
Affected Systems
- WireGuard Portal (wg-portal) < v2.1.3
- wg-portal: < 2.1.3 (fixed in 2.1.3)
Code Analysis
Commit: fe44850
Fix user profile update logic to prevent mass assignment of admin privileges
func (u *User) CopyAdminAttributes(src *User, apiAdminOnly bool) {
+ if !apiAdminOnly {
+ u.IsAdmin = src.IsAdmin
+ }
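Review bot: Only the `IsAdmin` assignment is visible under the new `!apiAdminOnly` guard, and the signature `CopyAdminAttributes(src *User, apiAdminOnly bool)` introduces a parameter whose call sites are not in this excerpt, so the reader cannot confirm from these lines that the self-service profile update path actually passes the value that suppresses the copy, nor whether the other admin attributes this function copies are guarded the same way. The excerpt should include the call from the profile-update handler and the remainder of the function body so the fix can be verified end to end.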
Exploit Details
- GitHub Advisory: Official advisory containing reproduction steps
Mitigation Strategies
- Strict Input Validation
- Use of Data Transfer Objects (DTOs)
- Principle of Least Privilege
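As an added example, not code from wg-portal or from the advisory, here is the mass-assignment pattern beside its DTO-based fix in Go, the project's language. The vulnerable handler decodes the request body straight into the stored user model, so a matching `IsAdmin` key overwrites the privilege flag; the hardened handler decodes into a DTO that has no such field and rejects unknown keys. The `User` and `ProfileUpdate` types, their field names and the sample request body are constructed for illustration and are not the project's own definitions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// User is a constructed model in the shape of a VPN-portal user record
// (hypothetical; not wg-portal's own type).
type User struct {
	Identifier string `json:"Identifier"`
	Email      string `json:"Email"`
	IsAdmin    bool   `json:"IsAdmin"`
}

// ProfileUpdate is the Data Transfer Object for a self-service profile edit.
// It carries only the fields a user may change about themselves; IsAdmin
// deliberately has no counterpart here, so it can never be bound from input.
type ProfileUpdate struct {
	Email string `json:"Email"`
}

// vulnerableUpdate decodes the request body directly into the stored model.
// Every struct field with a matching JSON tag, IsAdmin included, is
// overwritten by whatever the client sent: classic mass assignment.
func vulnerableUpdate(stored User, body []byte) (User, error) {
	if err := json.Unmarshal(body, &stored); err != nil {
		return stored, err
	}
	return stored, nil
}

// hardenedUpdate decodes into the DTO and copies only allow-listed fields
// onto the stored record. DisallowUnknownFields turns an attempt to set
// IsAdmin (or any other non-DTO key) into a decode error, so the request is
// rejected rather than silently trimmed.
func hardenedUpdate(stored User, body []byte) (User, error) {
	var dto ProfileUpdate
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&dto); err != nil {
		return stored, err // stored is untouched on error
	}
	stored.Email = dto.Email
	return stored, nil
}

func main() {
	// Constructed sample: a standard user sending a profile update that
	// smuggles in the privilege flag.
	stored := User{Identifier: "alice", Email: "alice@example.test"}
	body := []byte(`{"Email":"alice@example.test","IsAdmin":true}`)

	v, err := vulnerableUpdate(stored, body)
	fmt.Printf("vulnerable: IsAdmin=%v err=%v\n", v.IsAdmin, err)

	h, err := hardenedUpdate(stored, body)
	fmt.Printf("hardened:   IsAdmin=%v err=%v\n", h.IsAdmin, err)
}
```

Rejecting unknown keys rather than ignoring them is a deliberate choice: a promotion attempt then produces a 4xx response and an error-level log entry, which is exactly the signal the access-log review later in this advisory looks for.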
Remediation Steps:
- Upgrade wg-portal to version 2.1.3 or later immediately.
- Audit the User database for unauthorized accounts with IsAdmin=true.
- Check access logs for PUT requests to profile endpoints containing the IsAdmin string.
- Revoke and regenerate WireGuard keys for any suspicious administrative accounts.
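The access-log check from the remediation steps, as an added example in Go that is not part of the advisory or of wg-portal: it scans request-log lines for PUT requests to a profile endpoint whose body carries an IsAdmin key, grading a literal `true` value as a confirmed promotion attempt and any other spelling or value as a weaker hit worth a look. The log line format, the `/api/v0/user/<name>/profile` path and the four sample lines are constructed assumptions; ordinary reverse-proxy access logs omit request bodies, so body logging for the profile endpoint has to be enabled for a body-based match to be possible, otherwise the method and path match is all that remains.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one suspicious request pulled out of the log.
type Finding struct {
	Line   string
	Reason string
}

// constructedLog is a made-up request log in a hypothetical format:
//   <timestamp> <client> <method> <path> <status> body=<json>
// The path and the body-logging layout are assumptions for this example.
var constructedLog = []string{
	`2026-02-24T09:58:11Z 10.0.0.7 GET /api/v0/user/alice 200 body=`,
	`2026-02-24T10:01:02Z 10.0.0.7 PUT /api/v0/user/alice/profile 200 body={"Email":"alice@example.test"}`,
	`2026-02-24T10:03:45Z 10.0.0.7 PUT /api/v0/user/alice/profile 200 body={"Email":"alice@example.test","IsAdmin":true}`,
	`2026-02-24T10:05:10Z 10.0.0.9 PUT /api/v0/user/bob/profile 400 body={"Email":"bob@example.test","isadmin":"true"}`,
}

const (
	reasonConfirmed = "IsAdmin=true sent in PUT body to profile endpoint"
	reasonPresent   = "IsAdmin string present in PUT body to profile endpoint"
)

// scanForAdminPromotion returns every PUT to a profile endpoint whose logged
// body mentions IsAdmin. When the body parses as JSON and the key is set to
// boolean true, the finding is marked confirmed; otherwise it is reported as
// a string match only.
func scanForAdminPromotion(lines []string) []Finding {
	var out []Finding
	for _, ln := range lines {
		fields := strings.SplitN(ln, " ", 6)
		if len(fields) < 6 {
			continue // not in the expected format
		}
		method, path, rest := fields[2], fields[3], fields[5]
		if method != "PUT" || !strings.Contains(path, "/profile") {
			continue
		}
		body := strings.TrimPrefix(rest, "body=")
		if !strings.Contains(strings.ToLower(body), "isadmin") {
			continue
		}
		reason := reasonPresent
		var m map[string]json.RawMessage
		if json.Unmarshal([]byte(body), &m) == nil {
			for k, v := range m {
				if strings.EqualFold(k, "isadmin") && strings.TrimSpace(string(v)) == "true" {
					reason = reasonConfirmed
				}
			}
		}
		out = append(out, Finding{Line: ln, Reason: reason})
	}
	return out
}

func main() {
	for _, f := range scanForAdminPromotion(constructedLog) {
		fmt.Printf("%s\n  %s\n", f.Reason, f.Line)
	}
}
```

Any confirmed finding should be cross-checked against the user table: if the account in the path now has IsAdmin=true and nobody granted it, treat the account as compromised and follow the key-revocation step.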
References
Read the full report for CVE-2026-27899 on our website for more details including interactive diagrams and full exploit analysis.