Pelican Web UI Privilege Escalation Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 21:24:50 +0000

On April 2nd, 2026, a privilege escalation vulnerability was identified in the Pelican Web User Interface (WebUI) affecting versions v7.21 to v7.24. This vulnerability allows any authenticated user via OAuth to gain admin privileges under specific configurations, including servers with Server.UIAdminUsers where listed users haven’t logged in or Server.AdminGroups with Issuer.GroupSource set to internal where an admin hasn’t logged in. Successful exploitation permits attackers to modify server configurations, create API tokens, and change admin passwords. The OSDF operations team mitigated this vulnerability for core services, but mitigation may be required for other caches and origins. There is currently no evidence this attack has been exploited in services managed by OSDF operators.

Attack Chain

An attacker gains initial access to the Pelican WebUI by authenticating via OIDC.
The attacker identifies a valid Server.UIAdminUsers username or Server.AdminGroups group name for an admin who has not yet logged into the WebUI.
The attacker crafts malicious database records designed to grant admin privileges upon subsequent login.
The attacker injects these records into the Pelican server’s SQLite database, potentially using API endpoints or other methods to interact with the database.
The attacker logs out of the WebUI.
The attacker logs back into the WebUI.
The server grants the attacker admin privileges based on the manipulated database records.
The attacker modifies server configurations, creates persistent API tokens, or changes admin passwords.

Impact

The successful exploitation of this vulnerability poses a significant risk to Pelican servers and the wider federation they support. A compromised Director service could have high federation-wide impact, enabling denial of service and redirection to malicious registries. Registry services also have high federation-wide impact, with attackers potentially poisoning namespaces. Compromised Origins could lead to high data exposure and tampering risks by enabling unauthorized writes and changing export paths. Caches present a medium data exposure risk, as attackers could expose cached protected data.

Recommendation

Run the provided mitigation script (mitigate-user-escalation.sh from https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9) to audit the database for signs of exploitation and block further exploitation.
Upgrade Pelican servers to a patched release (>=v7.21.5, >=v7.22.3, >=v7.23.3, >=v7.24.2).
If unable to upgrade immediately, disable the vulnerable configuration by commenting out UIAdminUsers and AdminGroups settings in the pelican.yaml configuration file.
Monitor process executions for the mitigate-user-escalation.sh script and review associated user and API token changes. Deploy the provided Sigma rule to detect potential malicious activity.

Hermes WebUI Arbitrary File Deletion Vulnerability (CVE-2026-6832)

hello@craftedsignal.io — Wed, 22 Apr 2026 12:00:00 +0000

Hermes WebUI, a web-based user interface, contains an arbitrary file deletion vulnerability, tracked as CVE-2026-6832. The vulnerability resides in the /api/session/delete endpoint. An authenticated attacker can exploit this flaw by supplying a crafted session_id parameter containing an absolute path or path traversal sequences. This allows the attacker to bypass the intended SESSION_DIR boundary and delete arbitrary files on the server, provided the attacker has write access to those files. Versions prior to the patched version are affected. Successful exploitation leads to information integrity issues and potential denial of service.

Attack Chain

Attacker authenticates to Hermes WebUI using valid credentials.
Attacker crafts a malicious HTTP POST request to the /api/session/delete endpoint.
The request includes a session_id parameter with a path traversal payload (e.g., ../../../../etc/passwd) or an absolute path to a target file.
The Hermes WebUI application fails to properly validate the session_id parameter.
The application constructs a file path using the unvalidated session_id, allowing it to escape the intended SESSION_DIR.
The application attempts to delete the file specified by the attacker-controlled path.
If the attacker has sufficient privileges, the target file is successfully deleted from the file system.
The deletion of critical system or application files leads to a denial-of-service condition or other system instability.

Impact

Successful exploitation of CVE-2026-6832 allows authenticated attackers to delete arbitrary files on the system running Hermes WebUI. This can lead to data loss, application malfunction, or even complete system compromise if critical system files are deleted. The vulnerability affects all deployments of Hermes WebUI prior to the patched version, potentially impacting numerous organizations using the vulnerable software. While the exact number of victims is unknown, the severity of the vulnerability is high due to the potential for significant damage and disruption.

Recommendation

Upgrade Hermes WebUI to version v0.50.132 or later, where the vulnerability is patched, as referenced in the advisory.
Implement strict input validation on the session_id parameter in the /api/session/delete endpoint to prevent path traversal attacks.
Deploy the provided Sigma rule to detect malicious requests to the /api/session/delete endpoint containing path traversal sequences.
Monitor web server logs for HTTP requests to /api/session/delete with suspicious session_id values.

Webui — CraftedSignal Threat Feed

Pelican Web UI Privilege Escalation Vulnerability

Attack Chain

Impact

Recommendation

Hermes WebUI Arbitrary File Deletion Vulnerability (CVE-2026-6832)

Attack Chain

Impact

Recommendation