CVE-2026-27198

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with editor roles in Formwork CMS to create new accounts with administrative privileges. It affects all installations running versions 2.0.0 through 2.3.3. Attackers can gain full administrative control of the CMS.

💻 Affected Systems

Products:
  • Formwork CMS
Versions: 2.0.0 through 2.3.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least one authenticated user with editor role to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the CMS with administrative access, allowing data theft, defacement, or installation of backdoors.

🟠 Likely Case: Attackers create admin accounts to gain persistent access and control over the CMS and its content.

🟢 If Mitigated: Limited to authorized role assignments with proper access controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with editor privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.4

Vendor Advisory: https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2

Restart Required: No

Instructions:

1. Backup your Formwork installation.
2. Update to version 2.3.4 via the update mechanism or manual installation.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict account creation (applies to: all)

Temporarily disable new user account creation functionality.

Monitor user creation logs (applies to: all)

Implement logging and alerting for new user account creation events.

🧯 If You Can't Patch

  • Restrict access to the CMS admin interface to trusted IP addresses only.
  • Review and audit all user accounts, especially those with admin privileges created recently.

🔍 How to Verify

Check if Vulnerable:

Check the Formwork version in the admin panel or by examining the installation files.

Check Version:

Check the version in the admin dashboard or look for version information in the installation directory.

Verify Fix Applied:

Confirm the version is 2.3.4 or later and test that editor users cannot assign admin roles.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user account creation events, especially with admin roles assigned.

Network Indicators:

  • HTTP POST requests to user creation endpoints from editor accounts.

SIEM Query:

source="formwork_logs" AND event="user_created" AND role="admin"
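The log indicators and SIEM query above describe the signal in words; the following script is an added example (not part of this page or of Formwork) that applies the same logic to constructed audit log lines. The JSON-lines layout and field names (`event`, `actor_role`, `new_user`, `role`) are assumptions for illustration, since Formwork's real log format is not documented here.

```python
import json
from typing import Iterator

# Constructed sample audit log lines in a JSON-lines layout assumed for this
# example; Formwork's real log format is not documented on the page.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:02:11Z","event":"login","actor":"alice","actor_role":"admin"}
{"ts":"2026-03-01T10:05:40Z","event":"user_created","actor":"alice","actor_role":"admin","new_user":"bob","role":"editor"}
{"ts":"2026-03-01T11:17:03Z","event":"user_created","actor":"bob","actor_role":"editor","new_user":"ops-backup","role":"admin"}
{"ts":"2026-03-01T11:17:09Z","event":"user_created","actor":"bob","actor_role":"editor","new_user":"carol","role":"editor"}
not a json line
{"ts":"2026-03-01T12:00:00Z","event":"user_created","actor":"root","actor_role":"admin","new_user":"dave","role":"admin"}
"""

def parse_events(text: str) -> Iterator[dict]:
    """Yield parsed JSON objects, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # keep going on a corrupt line rather than dropping the whole file

def find_privileged_creations(text: str) -> list[dict]:
    """Return user_created events that granted the admin role.

    An event is flagged 'escalation' when the actor's own role is below admin,
    which is the pattern this CVE enables. Admin-created admins are returned
    too, with severity 'review', so that recently created admins can be audited."""
    findings = []
    for ev in parse_events(text):
        if ev.get("event") != "user_created" or ev.get("role") != "admin":
            continue
        severity = "escalation" if ev.get("actor_role") != "admin" else "review"
        findings.append({
            "ts": ev.get("ts"),
            "actor": ev.get("actor"),
            "actor_role": ev.get("actor_role"),
            "new_user": ev.get("new_user"),
            "severity": severity,
        })
    return findings

if __name__ == "__main__":
    for f in find_privileged_creations(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['actor']} ({f['actor_role']}) created admin {f['new_user']}")
```

On a patched 2.3.4 installation an 'escalation' finding should never appear; on an unpatched one it is the direct trace of this vulnerability being used.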
