Description

Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an authenticated user with the editor role can create a new account with administrative privileges, leading to full administrative access and complete compromise of the CMS. This issue has been fixed in version 2.3.4.

INFO

Published Date :

2026-02-21T05:11:42.535Z

Last Modified :

2026-02-24T19:01:22.284Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27198 vulnerability.

Vendors Products
Formwork Project
  • Formwork
Getformwork
  • Formwork
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27198.

URL Resource
https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd cve-icon cve-icon
https://github.com/getformwork/formwork/releases/tag/2.3.4 cve-icon cve-icon
https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact