External risk intelligence

Doorman users can gain admin control by changing their roles

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-30269

An internal attacker with a standard user account can manipulate their Doorman profile to grant themselves administrative rights. This flaw allows a user to bypass permission settings and could lead to unauthorized access to sensitive data or full control over the platform.

2Halo Surface Signal

Privilege Escalation

Doorman

0.1.01.0.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-30269

This is an access control flaw requiring a pre-existing authenticated user session to exploit. The vulnerability lies within the internal user profile update logic of the application rather than an unauthenticated, public-facing service. It is not a network-level edge gateway or unauthenticated endpoint, and it relies on an existing user account to initiate the malicious request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Doorman allows any authenticated user to escalate their privileges by changing their account role. This happens because the system doesn't properly check permissions when a user updates their own role, potentially granting them administrative access.

  • Privileged access granted.
  • Affects authenticated users.
  • Allows role changes.

Attack Path

How an attacker could exploit the issue

An authenticated user can escalate their privileges by manipulating their own role within the Doorman application. This allows them to gain admin-like capabilities without needing direct administrator access, effectively turning a standard user account into a powerful one.

  • Authenticated user needed.
  • Target user account update.
  • Bypass role permission check.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to prioritize weaponizing this CVE because it requires an existing authenticated user session to exploit. This is an access control flaw within the application's internal user profile update mechanism, not an unauthenticated or network-facing vulnerability.

  • Requires authenticated user.
  • Not a network edge exploit.
  • Relies on self-update logic.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Doorman to the latest version, as this vulnerability allows any authenticated user to escalate privileges. If immediate patching is not feasible, implement strict monitoring for unauthorized role changes on user accounts.

  • Apply Doorman version 1.0.3 or later.
  • Monitor user account role update API calls.
  • Block requests altering user roles.

Frequently asked questions

What is Doorman software and its purpose?

Doorman is an application designed for managing user roles and permissions within a system. It enables users to modify their own account roles, a function that is susceptible to authorization flaws in specific versions.

How does CVE-2026-30269 enable privilege escalation?

CVE-2026-30269 is an instance of Improper Access Control (CWE-269). It permits any authenticated user to elevate their account role, including to administrative privileges, by altering their own profile. The application fails to verify if the user is authorized to manage other users when they update their role.

What is the specific trigger path for CVE-2026-30269?

The vulnerability is triggered when an authenticated user attempts to update their own account role via the /platform/user/{username} endpoint. The 'role' field in the update request is accepted without a necessary permission check for managing users, allowing unauthorized role changes.

What is the relevance of CVE-2026-30269 according to Halo Surface Signal?

Halo Surface Signal assesses this vulnerability as 'Unlikely' to be prioritized for exploitation. This is because it requires an existing authenticated user session and exploits an internal application logic flaw, rather than an unauthenticated or network-facing service.

What are the recommended actions to address CVE-2026-30269?

The primary recommendation is to update Doorman to a version later than 1.0.2, such as 1.0.3 or beyond. If immediate patching is not possible, implement vigilant monitoring of API calls related to user role updates and block any suspicious requests that modify user roles.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified