cbcvebase.
CVE-2026-56115
published 2026-06-23


Priority P2 60 · high · 8.8 CVSS 3.1 · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.31% (percentile 22.3)
Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.
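Added example, not Bootimus's own code: a small Go HS256 verifier with two middlewares side by side, one shaped like the failure the advisory describes (token signature and account status checked, is_admin never read) and one that enforces the flag for the /api/users prefix. Claim names other than is_admin, the route layout, the helper names and the signing key are constructed for this example; the real internal/auth/auth.go was not consulted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims: token validity and account status are what the advisory says the
// middleware checks; is_admin is the flag it ignores. Other names are assumed.
type Claims struct {
	Sub     string `json:"sub"`
	Active  bool   `json:"active"`
	IsAdmin bool   `json:"is_admin"`
}

// Constructed demo key; a real service loads its key from configuration.
var signingKey = []byte("constructed-demo-key-not-a-real-secret")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken builds an HS256 JWT so the example runs offline.
func MintToken(c Claims) string {
	body, _ := json.Marshal(c)
	unsigned := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(unsigned))
	return unsigned + "." + b64(mac.Sum(nil))
}

// ParseToken authenticates only (signature, account status); it deliberately
// leaves authorization to the caller. The header is never consulted: this
// verifier accepts HS256 with one key, so a token's alg field is never trusted.
func ParseToken(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := dec(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pb, err := dec(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if !c.Active {
		return nil, errors.New("account disabled")
	}
	return &c, nil
}

func bearer(r *http.Request) string {
	return strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
}

// VulnerableMiddleware has the shape the advisory describes: any valid token
// for an active account reaches every handler, the /api/users ones included.
func VulnerableMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := ParseToken(bearer(r)); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AdminOnly is the hardened form: the admin-only path prefix is enforced
// centrally from the is_admin claim instead of being trusted to each handler.
func AdminOnly(adminPrefix string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := ParseToken(bearer(r))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if strings.HasPrefix(r.URL.Path, adminPrefix) && !c.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe drives a handler in-process and returns the HTTP status it produced.
func Probe(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	user := MintToken(Claims{Sub: "alice", Active: true}) // low-privileged: is_admin is false
	fmt.Println("vulnerable:", Probe(VulnerableMiddleware(ok), "POST", "/api/users", user)) // 200
	fmt.Println("hardened:", Probe(AdminOnly("/api/users", ok), "POST", "/api/users", user))   // 403
}
```

With the low-privileged token, the vulnerable shape answers 200 on /api/users and the hardened one answers 403; disabled accounts and missing or altered tokens get 401 in both. Because is_admin lives inside the signed payload, rewriting it in a captured token fails signature verification, which is why the fix is to read the flag from verified claims in one central place rather than to add per-handler checks that are easy to forget.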

Affected (3 ranges)

Vendor           Product    Version range   Fixed in
bootimus         bootimus   <= 0.1.70       -
dhcpcd_project   dhcpcd     -               -
garybowers       bootimus   <= 0.1.70       -

Detection & IOCs (extracted from sources)

  • Trigger condition: crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128
  • Vulnerable function is dhcp6_makemessage() in src/dhcp6.c — monitor for crashes or anomalous stack behavior in this function when processing DHCPv6 ADVERTISE messages with oversized RFC6603 OPTION_PD_EXCLUDE option bodies
  • Attack vector is same-link (link-local), unauthenticated — detection should focus on DHCPv6 traffic on the local network segment, specifically ADVERTISE messages with anomalous OPTION_PD_EXCLUDE option lengths
  • Fix is available in commit 2f00c7b; versions of dhcpcd through 10.3.2 are vulnerable. Red Hat Enterprise Linux 10 fix is listed as deferred.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat   -         5.3     MEDIUM     -