External risk intelligence

Pelican could allow internal attacker to gain unauthorized administrative access

CVE advisory
Severity: CRITICAL (CVSS 9.0)

CVE-2026-42571

Pelican allows an internal attacker with a standard account to gain full administrative privileges. This enables unauthorized modification of sensitive system settings and access to restricted data, effectively compromising the platform.

Halo Surface Signal: 2

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2026-42571

The vulnerability involves privilege escalation within the WebUI and requires a pre-existing, valid authenticated account. The context describes the threat as an internal attacker, suggesting the interface is typically positioned behind internal access controls or identity management systems rather than being exposed as a public-facing internet service.

Horizon Alert

Summary of the vulnerability and why it matters

A privilege escalation vulnerability exists in Pelican's Web User Interface, allowing authenticated users to gain administrator access under specific configurations. This issue demands attention as it could compromise system control.

  • Authenticated users can become administrators.
  • Affects systems using Pelican's WebUI.
  • Compromises data federation control.

Attack Path

How an attacker could exploit the issue

An attacker who has already authenticated into Pelican's WebUI via OAuth can exploit this flaw to escalate their privileges to administrator. This requires a specific configuration to be in place, but if successful, grants full control over the platform.

  • Authenticated WebUI user.
  • OAuth authentication.
  • Specific system configuration.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows authenticated users to gain admin privileges, which makes it an attractive target. However, exploitation requires a user who is already authenticated to the WebUI via OAuth, suggesting it is more likely to be used by an insider threat than by an external attacker. Attackers typically prefer vulnerabilities that grant initial access or do not require pre-existing credentials.

  • Exploitation requires OAuth authentication.
  • Not listed as KEV.
  • Patched in multiple versions.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected Pelican WebUI instances to prevent privilege escalation. If immediate patching is not feasible, implement strict access controls and monitor for unauthorized administrative actions.

  • Patch to version 7.21.5, 7.22.3, 7.23.3, or 7.24.2.
  • Monitor OAuth-authenticated user activity.
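Added triage example, not part of this advisory or of the Pelican project: given an inventory of installed Pelican versions, it reports which hosts still lack the CVE-2026-42571 fix. The fixed versions are the ones listed above; treating each 7.2x branch as fixed from its listed patch level onward, flagging pre-release builds of a fix version as unpatched, and reporting branches the advisory does not mention as "unknown" (rather than guessing) are assumptions of this example, as are the sample hostnames and versions.

```python
from __future__ import annotations

# Fixed versions as listed in the advisory; everything else here is assumed.
FIXED_VERSIONS = ("7.21.5", "7.22.3", "7.23.3", "7.24.2")


def parse_version(v: str) -> tuple[tuple[int, int, int], bool]:
    """Parse 'MAJOR.MINOR.PATCH' into (numbers, is_prerelease).

    A leading 'v' is tolerated; a '-suffix' such as '-rc1' marks a pre-release,
    which is assumed to predate the final build of the same number.
    """
    core, sep, _suffix = v.strip().lstrip("v").partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2])), bool(sep)


# Branch (major, minor) -> first patched version on that branch (assumption).
_FIX_BY_BRANCH = {parse_version(fv)[0][:2]: parse_version(fv)[0] for fv in FIXED_VERSIONS}


def assess(installed: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for CVE-2026-42571."""
    ver, prerelease = parse_version(installed)
    fix = _FIX_BY_BRANCH.get(ver[:2])
    if fix is None:
        return "unknown"  # branch not covered by the advisory's fix list
    if ver > fix or (ver == fix and not prerelease):
        return "patched"
    return "unpatched"  # below the fix level, or a pre-release of it


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so unpatched ones can be prioritised first."""
    groups: dict[str, list[str]] = {"unpatched": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {"origin-a": "7.22.1", "origin-b": "v7.24.2",
              "cache-c": "7.23.3-rc1", "dir-d": "7.20.9"}
    for state, hosts in triage(sample).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```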

Frequently asked questions

What is Pelican, and what is it used for?

Pelican is a platform designed for creating data federations, which means it helps connect and manage data from various sources. It's used to facilitate the sharing and access of data across different systems in a unified way.

What kind of weakness does CVE-2026-42571 describe?

CVE-2026-42571 describes a privilege escalation vulnerability, classified as CWE-863 (Incorrect Authorization), in which an authenticated user can obtain administrative privileges they are not supposed to have. This allows them to take control of the Pelican platform.

What are the conditions for this vulnerability to be exploited?

An attacker must first be authenticated to Pelican's Web User Interface using OAuth. The vulnerability is not triggered if a user is not authenticated or if the specific system configuration required for the attack is not present.

Who should be concerned about this external-facing vulnerability?

Organizations using Pelican's WebUI should be concerned. Since the vulnerability requires an authenticated user to escalate privileges, it's more likely to be exploited by an internal threat actor rather than an external attacker targeting internet-facing systems.

What is the first step to address this threat?

The primary step is to update Pelican to a patched version. Specific versions that fix this issue include 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
