Home / Vulnerability Intelligence / CVE-2026-27899

CVE-2026-27899 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: February 27, 2026

WireGuard Portal - Broken Access Control

Published: February 26, 2026Updated: February 27, 2026Remote Exploitable

Overview

WireGuard Portal prior to 2.1.3 contains a broken access control vulnerability caused by improper handling of the IsAdmin field in user profile updates, letting authenticated non-admin users escalate to full admin privileges by sending a crafted PUT request, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 6.7%(Probability of exploitation in next 30 days)

Impact

Authenticated users can escalate their privileges to full administrator, gaining complete control over the WireGuard management portal.

Mitigation

Update to version 2.1.3 or later.

References

https://github.com/h44z/wg-portal/security/advisories/GHSA-5rmx-256w-8mj9

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 26, 2026

🟠 CVE-2026-27899 - High (8.8) WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-27899/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-27899
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 6.7%
Social Posts: 1

CWE

CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.7%Probability of exploitation in the next 30 days