The vulnerability exists in Pelican's WebUI for versions v7.21 through v7.24. An attacker with any authenticated session (e.g., via OIDC) can create specific database records. Upon their next login, the server grants them admin privileges if certain conditions are met. The attack works when the `Server.UIAdminUsers` setting is populated and any listed admin user (or the default admin) has not yet logged in. It also works when `Server.AdminGroups` is set together with `Issuer.GroupSource: internal` and an admin of that group has not yet logged in. The flaw allows a low-privileged user to escalate to full admin rights. Admin access then lets the attacker modify server configuration, create persistent API tokens, and change admin passwords. The vulnerability was discovered by a Claude coding agent on April 2nd, 2026. No evidence of exploitation in OSDF-managed services has been found. However, all non-centrally managed caches/origins require mitigation. The attack preconditions are OIDC logins enabled, a valid authenticated session, and knowledge of an unused admin identifier. The vulnerability has a critical severity rating.
Platform: `Pelican WebUI`
Version: `v7.21 to v7.24`
Vulnerability: `Privilege Escalation`
Severity: `Critical`
Date: `April 2, 2026`
Prediction: `Patch: April 23, 2026`
What Undercode Say:
Audit the database for exploitation before upgrading:

$ sudo bash mitigate-user-escalation.sh

If using a non-standard configuration file:

$ sudo bash mitigate-user-escalation.sh --config /path/to/pelican.yaml

If the SQLite database is in a custom location:

$ sudo bash mitigate-user-escalation.sh --db-path /path/to/pelican.sqlite

Check the Pelican server version:

$ pelican --version

Disable the vulnerable settings in pelican.yaml if an immediate upgrade isn't possible (set each to an empty list, or comment out / remove the key):

Server:
  UIAdminUsers: []   # comment out or remove
  AdminGroups: []    # comment out or remove
Exploit:
Any authenticated user with an existing session can inject crafted database records. The server then misinterprets these records on the next login, granting administrative privileges to the attacker. This bypasses the role-based access control that normally separates regular users from admins. The exploit succeeds only when the targeted admin user (specified in `UIAdminUsers` or `AdminGroups`) has never previously logged into the WebUI. Once admin access is gained, the attacker can exfiltrate sensitive data, create backdoor API tokens, and manipulate critical federation settings.
Protection from this CVE
- Immediately upgrade to a patched version within each affected minor release series: `>=v7.21.5`, `>=v7.22.3`, `>=v7.23.3`, or `>=v7.24.2`
- If upgrading is not possible, disable the vulnerable configuration by removing `Server.UIAdminUsers` and `Server.AdminGroups` from `pelican.yaml`
- Before upgrading, run the provided mitigation script to audit the database for existing compromises and block further exploitation
- Review the database for suspicious user records, group memberships, and API tokens highlighted by the script
- Rotate all secrets on the server after applying the fix
- Administrators who do not currently use `UIAdminUsers` or `AdminGroups` should avoid populating these settings until after upgrading to a patched version
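A quick triage helper that ties the two checks above together, written for this post as an added example (it is not Pelican's own mitigation script): it decides from `pelican --version` output whether a deployment sits in the vulnerable range below the patched release of its series, and flags `UIAdminUsers` / `AdminGroups` entries in `pelican.yaml` that are not empty lists. It assumes the keys are spelled as shown on this page.

```shell
#!/bin/sh
# pelican_is_vulnerable VERSION
# Returns 0 (true) when VERSION is in the affected range v7.21..v7.24 and
# below the patched release of its series (7.21.5, 7.22.3, 7.23.3, 7.24.2
# per the advisory), 1 otherwise. Accepts "v7.22.1", "7.22.1" or "v7.22".
pelican_is_vulnerable() {
  ver="${1#v}"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  if [ "$rest" = "$minor" ]; then
    patch=0                         # no patch component given, e.g. v7.22
  else
    patch="${rest#*.}"
    patch="${patch%%[!0-9]*}"       # drop any suffix such as -rc1
    patch="${patch:-0}"
  fi
  [ "$major" = "7" ] || return 1
  case "$minor" in
    21) [ "$patch" -lt 5 ] ;;
    22) [ "$patch" -lt 3 ] ;;
    23) [ "$patch" -lt 3 ] ;;
    24) [ "$patch" -lt 2 ] ;;
    *)  return 1 ;;
  esac
}

# pelican_risky_settings /path/to/pelican.yaml
# Prints every UIAdminUsers / AdminGroups line whose value is not an empty
# list ([]). A key followed by a block-style list ("UIAdminUsers:" with
# "- user" lines below) is reported too, since it is not empty.
pelican_risky_settings() {
  grep -E '^[[:space:]]*(UIAdminUsers|AdminGroups)[[:space:]]*:' "$1" \
    | grep -vE ':[[:space:]]*\[[[:space:]]*\][[:space:]]*$'
}

# Usage on a live host (both commands from the advisory):
#   ver=$(pelican --version | grep -oE 'v?[0-9]+\.[0-9]+(\.[0-9]+)?' | head -1)
#   pelican_is_vulnerable "$ver" && echo "vulnerable: $ver, upgrade or mitigate"
#   pelican_risky_settings /etc/pelican/pelican.yaml
```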
Impact
- Data Exposure: High for Origins (exposes protected paths); Medium for Caches (exposes cached protected data)
- Data Tampering: High for Directors (modifies configuration), Registry (poisons namespaces), and Origins (enables writes/alters export paths)
- Federation-wide: High for Director (GeoIP steering, Denial of Service) and Registry (namespace poisoning, DoS); Medium to Low for others
Sources:
Reported By: github.com