CVE-2026-27899
published 2026-02-26

Priority P261 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% (22.2th percentile)

WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `"IsAdmin": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | h44z_wg-portal | >= 0 < 2.1.3 | 2.1.3 |
| h44z | wg-portal | < 2.1.3 | 2.1.3 |
| wgportal | wireguard_portal | < 2.1.3 | 2.1.3 |

Detection & IOCs (extracted from sources)

Other: `"IsAdmin": true`
  • Monitor for PUT requests to user profile endpoints containing the JSON field `IsAdmin` set to `true` by non-admin users. This is the exact exploit payload for privilege escalation.
  • Alert on unexpected privilege escalation in wg-portal: a non-admin user gaining admin rights after a profile update (PUT) request, detectable by comparing pre/post session privilege levels or database `IsAdmin` field changes.
  • Inspect HTTP PUT request bodies to the wg-portal user profile endpoint for the presence of `IsAdmin` field — legitimate user self-update flows should never include or require this field.
  • The vulnerability is fixed in wg-portal v2.1.3 and later. The `latest` Docker image built from the master branch also includes the fix. Ensure deployments are running at least v2.1.3.
  • The affected package is `github.com/h44z/wg-portal`. Any deployment of this Go module prior to v2.1.3 is vulnerable to this privilege escalation via mass assignment.
  • The root cause is a missing protection of the `IsAdmin` field in the profile update handler. The function that pins protected fields to DB values does not cover `IsAdmin`, allowing client-supplied values to be written directly to the database.
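
The root cause described above, reduced to an added Go example that is not wg-portal's source code: the `User` struct, `pinIncomplete`, `pinComplete` and `SelfUpdate` are hypothetical names, and the request body is constructed. It shows the same decode-then-pin flow with and without `IsAdmin` in the pinned set.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical, simplified model (not wg-portal's real struct).
type User struct {
	Identifier string
	Email      string
	IsAdmin    bool
	Source     string // stands in for authentication data
}

// pinIncomplete restores some protected fields from the stored record but not IsAdmin.
func pinIncomplete(stored, incoming *User) {
	incoming.Identifier = stored.Identifier
	incoming.Source = stored.Source
}

// pinComplete also restores IsAdmin, so a self-update cannot change the role.
func pinComplete(stored, incoming *User) {
	pinIncomplete(stored, incoming)
	incoming.IsAdmin = stored.IsAdmin
}

// SelfUpdate decodes the whole body into the model, then pins protected fields.
func SelfUpdate(stored User, body []byte, hardened bool) (User, error) {
	incoming := stored
	if err := json.Unmarshal(body, &incoming); err != nil {
		return stored, err
	}
	if hardened {
		pinComplete(&stored, &incoming)
	} else {
		pinIncomplete(&stored, &incoming)
	}
	return incoming, nil
}

func main() {
	stored := User{Identifier: "alice", Email: "a@example.test", Source: "db"}
	// Constructed self-update body from a non-admin user.
	body := []byte(`{"Email":"new@example.test","IsAdmin":true,"Source":"ldap"}`)
	before, _ := SelfUpdate(stored, body, false)
	after, _ := SelfUpdate(stored, body, true)
	fmt.Println("IsAdmin without pin:", before.IsAdmin, "with pin:", after.IsAdmin)
}
```

Decoding self-update requests into a separate struct that has no `IsAdmin` field at all is a stricter alternative, because a newly added privileged field is then excluded by default.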