CVE-2026-48010

Description

`UserController::upsertUser()` writes user data in `SYSTEM_SCOPE` and does not filter the `admin` field. A non-admin API user with `user:create` or `user:update` ACL permission can set `admin: true` on new or existing users, escalating to full admin access. ## The Problem In `src/Core/Framework/Api/Controller/UserController.php`, line 210-234: ```php public function upsertUser(?string $userId, Request $request, Context $context, ResponseFactoryInterface $factory): Response { $data = $request->request->all(); // raw request data, no field filtering // ... $events = $context->scope(Context::SYSTEM_SCOPE, fn (Context $context) => $this->userRepository->upsert([$data], $context) ); } ``` `SYSTEM_SCOPE` bypasses `AclWriteValidator` entirely (line 52 of `AclWriteValidator::preValidate()` returns early for `SYSTEM_SCOPE`). The `admin` boolean field is accepted without restriction. Compare with `IntegrationController::upsertIntegration()` in the same codebase, which correctly checks: ```php if ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin'])) ) { throw new PermissionDeniedException(); } ``` `UserController` is missing this exact check. ## Impact Any API user with the low-privilege `user:create` permission can create accounts with full admin access, or with `user:update` can promote any existing user to admin. This is a direct privilege escalation. ## Suggested Fix Add the same `isAdmin()` check from `IntegrationController`: ```php $source = $context->getSource(); if ((!$source instanceof AdminApiSource) || (!$source->isAdmin() && isset($data['admin']))) { throw new PermissionDeniedException(); } ``` Best regards, Keyvan Hardani

How to fix CVE-2026-48010

To remediate CVE-2026-48010, upgrade the affected package to a fixed version below.

• —upgrade to 6.7.10.1 or later
• —upgrade to 6.7.10.1 or later

Is CVE-2026-48010 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48010.