Home / Vulnerability Intelligence / CVE-2026-29789

CVE-2026-29789 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: March 9, 2026

Vito - Broken Access Control

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

Vito < 3.20.3 contains a broken access control caused by missing authorization check in workflow site-creation actions, letting authenticated attackers with workflow write access create/manage sites on servers of other projects, exploit requires workflow write access.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can create or manage sites on servers of other projects, leading to unauthorized access and control.

Mitigation

Upgrade to version 3.20.3 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🔴 CVE-2026-29789 - Critical (9.9) Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with wor... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29789/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-29789
Severity: Critical
CVSS Score: 9.9
Type: broken_access_control
Status: unconfirmed
EPSS: 4.7%
Social Posts: 1

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days