CVE-2025-7044
published 2025-12-03CVE-2025-7044: An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update…
medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | maas | >= 3.3.0 < 3.3.11 | 3.3.11 |
| canonical | maas | >= 3.4.0 < 3.4.9 | 3.4.9 |
| canonical | maas | >= 3.5.0 < 3.5.9 | 3.5.9 |
| canonical | maas | >= 3.6.0 < 3.6.2 | 3.6.2 |
| ubuntu | maas | >= 3.3.0 < 3.3.11 | 3.3.11 |
| ubuntu | maas | >= 3.4.0 < 3.4.9 | 3.4.9 |
| ubuntu | maas | >= 3.5.0 < 3.5.9 | 3.5.9 |
| ubuntu | maas | >= 3.6.0 < 3.6.2 | 3.6.2 |