orxiain's is1and

cve-2026-30269---improper-access-control-in-doorman-allows-privilege-escalation

Date: May 7, 2026

CVE ID: CVE-2026-30269

Vulnerability Type: Improper Access Control (CWE-284) / Broken Function Level Authorization

Reporter: orxiain

Executive Summary

A vulnerability was identified in Doorman (v0.1.0 and v1.0.2) where the backend fails to properly validate permissions during a user profile update. An authenticated user can exploit this flaw to modify their own account's role field, effectively escalating their privileges to any non-admin high-privileged role within the system.

Vulnerability Details

The vulnerability exists within the user update logic. When a user submits a PUT request to update their profile information via the /platform/user/{username} endpoint, the application processes the request using the update_user function.

While the system intends to restrict role modifications to administrators, it fails to perform a manage_users permission check when a user is updating their own account. Because the role field is accepted by the underlying update_user_model.py, a low-privileged user can include the role parameter in their request body to grant themselves elevated permissions.

Technical Analysis

  • Affected Component: backend-services/routes/user_routes.py (Function: update_user)

  • Root Cause: The role attribute in backend-services/models/update_user_model.py is mutable without specific authorization checks during self-service updates.

  • Attack Vector: Remote / API-based.

Affected Versions

  • Doorman v0.1.0

  • Doorman v1.0.2

  • Fixed Version: TBD (Users are advised to monitor the official repository for patches).

Proof of Concept (PoC)

An authenticated user with the username attacker_user and the role Guest can escalate their role by sending the following HTTP request:

Request:

HTTP

PUT /platform/user/attacker_user HTTP/1.1
Host: <doorman-instance-url>
Authorization: Bearer <valid_jwt_token>
Content-Type: application/json

{
  "email": "[email protected]",
  "role": "Manager" 
}

(Note: In this example, "Manager" represents a high-privileged non-admin role. The system accepts this update without verifying if the user has the authority to change roles.)

Impact

Successful exploitation of this vulnerability allows any authenticated user to bypass the intended RBAC (Role-Based Access Control) model. This could lead to:

  • Unauthorized access to sensitive data and platform configurations.

  • Unauthorized modification of resources managed by higher-privileged roles.

  • Complete compromise of the platform's logical security boundaries (short of full Admin access).

Remediation & Mitigation

  1. Code Fix: Implement a strict check in update_user to ensure that the role field can only be modified if the requesting user possesses the manage_users permission, even if the user is updating their own profile.

  2. Input Validation: Use Data Transfer Objects (DTOs) or schemas for self-updates that exclude the role field entirely, preventing "Mass Assignment" vulnerabilities.

  3. Temporary Workaround: Implement a Web Application Firewall (WAF) rule to strip the role field from incoming PUT requests to the user endpoint unless the requester is an administrator.

Credits

This vulnerability was discovered and reported by orxiain.

Halo