{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webui/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pelicanplatform/pelican","github.com"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","webui","pelican"],"_cs_type":"advisory","_cs_vendors":["Pelican","GitHub"],"content_html":"\u003cp\u003eOn April 2nd, 2026, a privilege escalation vulnerability was identified in the Pelican Web User Interface (WebUI) affecting versions v7.21 to v7.24. This vulnerability allows any authenticated user via OAuth to gain admin privileges under specific configurations, including servers with \u003ccode\u003eServer.UIAdminUsers\u003c/code\u003e where listed users haven\u0026rsquo;t logged in or \u003ccode\u003eServer.AdminGroups\u003c/code\u003e with \u003ccode\u003eIssuer.GroupSource\u003c/code\u003e set to \u003ccode\u003einternal\u003c/code\u003e where an admin hasn\u0026rsquo;t logged in. Successful exploitation permits attackers to modify server configurations, create API tokens, and change admin passwords. The OSDF operations team mitigated this vulnerability for core services, but mitigation may be required for other caches and origins. There is currently no evidence this attack has been exploited in services managed by OSDF operators.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the Pelican WebUI by authenticating via OIDC.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid \u003ccode\u003eServer.UIAdminUsers\u003c/code\u003e username or \u003ccode\u003eServer.AdminGroups\u003c/code\u003e group name for an admin who has not yet logged into the WebUI.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious database records designed to grant admin privileges upon subsequent login.\u003c/li\u003e\n\u003cli\u003eThe attacker injects these records into the Pelican server\u0026rsquo;s SQLite database, potentially using API endpoints or other methods to interact with the database.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out of the WebUI.\u003c/li\u003e\n\u003cli\u003eThe attacker logs back into the WebUI.\u003c/li\u003e\n\u003cli\u003eThe server grants the attacker admin privileges based on the manipulated database records.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies server configurations, creates persistent API tokens, or changes admin passwords.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability poses a significant risk to Pelican servers and the wider federation they support. A compromised Director service could have high federation-wide impact, enabling denial of service and redirection to malicious registries. Registry services also have high federation-wide impact, with attackers potentially poisoning namespaces. Compromised Origins could lead to high data exposure and tampering risks by enabling unauthorized writes and changing export paths. Caches present a medium data exposure risk, as attackers could expose cached protected data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRun the provided mitigation script (\u003ccode\u003emitigate-user-escalation.sh\u003c/code\u003e from \u003ca href=\"https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9\"\u003ehttps://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9\u003c/a\u003e) to audit the database for signs of exploitation and block further exploitation.\u003c/li\u003e\n\u003cli\u003eUpgrade Pelican servers to a patched release (\u0026gt;=v7.21.5, \u0026gt;=v7.22.3, \u0026gt;=v7.23.3, \u0026gt;=v7.24.2).\u003c/li\u003e\n\u003cli\u003eIf unable to upgrade immediately, disable the vulnerable configuration by commenting out \u003ccode\u003eUIAdminUsers\u003c/code\u003e and \u003ccode\u003eAdminGroups\u003c/code\u003e settings in the \u003ccode\u003epelican.yaml\u003c/code\u003e configuration file.\u003c/li\u003e\n\u003cli\u003eMonitor process executions for the \u003ccode\u003emitigate-user-escalation.sh\u003c/code\u003e script and review associated user and API token changes. Deploy the provided Sigma rule to detect potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:24:50Z","date_published":"2026-05-04T21:24:50Z","id":"/briefs/2026-05-pelican-privesc/","summary":"A privilege escalation vulnerability in Pelican WebUI versions v7.21 to v7.24 allows authenticated users to gain admin privileges by manipulating database records, potentially leading to configuration modification, API token creation, and password changes.","title":"Pelican Web UI Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-pelican-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6832"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6832","path-traversal","file-deletion","webui"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHermes WebUI, a web-based user interface, contains an arbitrary file deletion vulnerability, tracked as CVE-2026-6832. The vulnerability resides in the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint. An authenticated attacker can exploit this flaw by supplying a crafted \u003ccode\u003esession_id\u003c/code\u003e parameter containing an absolute path or path traversal sequences. This allows the attacker to bypass the intended \u003ccode\u003eSESSION_DIR\u003c/code\u003e boundary and delete arbitrary files on the server, provided the attacker has write access to those files. Versions prior to the patched version are affected. Successful exploitation leads to information integrity issues and potential denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Hermes WebUI using valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003esession_id\u003c/code\u003e parameter with a path traversal payload (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e) or an absolute path to a target file.\u003c/li\u003e\n\u003cli\u003eThe Hermes WebUI application fails to properly validate the \u003ccode\u003esession_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path using the unvalidated \u003ccode\u003esession_id\u003c/code\u003e, allowing it to escape the intended \u003ccode\u003eSESSION_DIR\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, the target file is successfully deleted from the file system.\u003c/li\u003e\n\u003cli\u003eThe deletion of critical system or application files leads to a denial-of-service condition or other system instability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6832 allows authenticated attackers to delete arbitrary files on the system running Hermes WebUI. This can lead to data loss, application malfunction, or even complete system compromise if critical system files are deleted. The vulnerability affects all deployments of Hermes WebUI prior to the patched version, potentially impacting numerous organizations using the vulnerable software. While the exact number of victims is unknown, the severity of the vulnerability is high due to the potential for significant damage and disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Hermes WebUI to version v0.50.132 or later, where the vulnerability is patched, as referenced in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on the \u003ccode\u003esession_id\u003c/code\u003e parameter in the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect malicious requests to the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003e/api/session/delete\u003c/code\u003e with suspicious \u003ccode\u003esession_id\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-hermes-file-deletion/","summary":"Hermes WebUI is vulnerable to arbitrary file deletion via path traversal in the /api/session/delete endpoint due to insufficient validation of the session_id parameter, allowing authenticated attackers to delete writable JSON files on the host system.","title":"Hermes WebUI Arbitrary File Deletion Vulnerability (CVE-2026-6832)","url":"https://feed.craftedsignal.io/briefs/2026-04-hermes-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Webui","version":"https://jsonfeed.org/version/1.1"}