CVE-2026-27899
published 2026-02-26CVE-2026-27899: WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user…
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.31%
22.2th percentile
WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | h44z_wg-portal | >= 0 < 2.1.3 | 2.1.3 |
| h44z | wg-portal | < 2.1.3 | 2.1.3 |
| wgportal | wireguard_portal | < 2.1.3 | 2.1.3 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for PUT requests to user profile endpoints containing the JSON field `IsAdmin` set to `true` by non-admin users. This is the exact exploit payload for privilege escalation. ↗
- →Alert on unexpected privilege escalation in wg-portal: a non-admin user gaining admin rights after a profile update (PUT) request, detectable by comparing pre/post session privilege levels or database `IsAdmin` field changes. ↗
- →Inspect HTTP PUT request bodies to the wg-portal user profile endpoint for the presence of `IsAdmin` field — legitimate user self-update flows should never include or require this field. ↗
- ·The vulnerability is fixed in wg-portal v2.1.3 and later. The `latest` Docker image built from the master branch also includes the fix. Ensure deployments are running at least v2.1.3. ↗
- ·The affected package is `github.com/h44z/wg-portal`. Any deployment of this Go module prior to v2.1.3 is vulnerable to this privilege escalation via mass assignment. ↗
- ·The root cause is a missing protection of the `IsAdmin` field in the profile update handler. The function that pins protected fields to DB values does not cover `IsAdmin`, allowing client-supplied values to be written directly to the database. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level in github.com/h44z/wg-portal
osv·2026-03-10
CVE-2026-27899 WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level in github.com/h44z/wg-portal
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level in github.com/h44z/wg-portal
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level in github.com/h44z/wg-portal.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/h44z/wg-portal before v2.1.3.
GHSA
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
ghsa·2026-02-26
CVE-2026-27899 [HIGH] CWE-269 WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
# Privilege Escalation to Admin via User Self-Update in wg-portal
## Summary
Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database.
Tested against wg-portal v2.1.2 (Docker image `wgportal/wg-portal:v2`).
## Root Cause
When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data,
OSV
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
osv·2026-02-26
CVE-2026-27899 [HIGH] WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
# Privilege Escalation to Admin via User Self-Update in wg-portal
## Summary
Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database.
Tested against wg-portal v2.1.2 (Docker image `wgportal/wg-portal:v2`).
## Root Cause
When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data,
No detection rules found.
No public exploits indexed.
2026-02-26
Published