CVE-2026-27899

8.8 HIGH

📋 TL;DR

This vulnerability allows any authenticated non-admin user in WireGuard Portal to elevate their privileges to full administrator by sending a crafted PUT request to their user profile endpoint. All users of WireGuard Portal versions before 2.1.3 are affected, as the system fails to properly validate the IsAdmin field during profile updates.

💻 Affected Systems

Products:
  • WireGuard Portal (wg-portal)
Versions: All versions prior to 2.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full administrative control over the WireGuard VPN management portal, allowing them to modify VPN configurations, add/remove users, access all VPN traffic, and potentially compromise the entire VPN infrastructure.

🟠 Likely Case

Malicious or compromised users escalate their privileges to admin level, gaining unauthorized access to sensitive VPN management functions and potentially other users' VPN configurations.

🟢 If Mitigated

With proper network segmentation and monitoring, the impact is limited to unauthorized administrative access within the portal, but VPN traffic remains encrypted and secure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial with a single HTTP PUT request containing malicious JSON.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.3

Vendor Advisory: https://github.com/h44z/wg-portal/security/advisories/GHSA-5rmx-256w-8mj9

Restart Required: Yes

Instructions:

1. Update WireGuard Portal to version 2.1.3 or later.
2. For Docker deployments, pull the latest image or use tag 2.1.3+.
3. Restart the WireGuard Portal service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict access to the WireGuard Portal administration interface to trusted IP addresses only.

Web Application Firewall Rule

all

Block PUT requests to user profile endpoints whose body modifies the IsAdmin field.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WireGuard Portal from critical systems
  • Enable detailed logging and monitoring for privilege escalation attempts and admin user changes

🔍 How to Verify

Check if Vulnerable:

Check whether the running WireGuard Portal version is earlier than 2.1.3. Review application logs for PUT requests to the /api/user/me endpoint that modify the IsAdmin field.

Check Version:

Check the WireGuard Portal web interface or application logs for version information, or run docker inspect to see the container's version.

Verify Fix Applied:

After updating to 2.1.3+, attempt to reproduce the exploit by sending a PUT request with IsAdmin:true to the user profile endpoint; it should fail.

📡 Detection & Monitoring

Log Indicators:

  • PUT requests to /api/user/me endpoint with IsAdmin field in JSON body
  • User privilege changes from non-admin to admin
  • Unusual admin user creation patterns

Network Indicators:

  • HTTP PUT requests to user profile endpoints with IsAdmin parameter
  • Sudden increase in admin-level API calls from previously non-admin users

SIEM Query:

source="wireguard-portal" AND (method="PUT" AND uri="/api/user/me" AND json.IsAdmin="true")
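
The WAF workaround and the first log indicator above, written as a Go request filter. This is an added example, not code from wg-portal or the vendor advisory: FlagsIsAdmin and Guard are hypothetical names, the endpoint path is the one this page gives, and matching the key in any letter case is a conservative assumption about how the backend parses JSON.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net/http"
	"strings"
)

const profilePath = "/api/user/me" // endpoint named on this page; adjust for a base path

// FlagsIsAdmin reports whether a request is a PUT to the profile endpoint whose JSON
// body has an IsAdmin key (any letter case) set to anything other than false.
// A body that is not a JSON object is flagged as well (fail closed).
func FlagsIsAdmin(method, path string, body []byte) bool {
	if method != http.MethodPut || path != profilePath {
		return false
	}
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(body, &fields); err != nil {
		return true
	}
	for key, val := range fields {
		if strings.EqualFold(key, "IsAdmin") && string(bytes.TrimSpace(val)) != "false" {
			return true
		}
	}
	return false
}

// Guard is a hypothetical middleware for a reverse proxy in front of the portal.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPut && r.URL.Path == profilePath {
			body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // 1 MiB cap
			if err != nil || FlagsIsAdmin(r.Method, r.URL.Path, body) {
				log.Printf("rejected profile PUT: remote=%s err=%v", r.RemoteAddr, err)
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body)) // pass the body on unchanged
		}
		next.ServeHTTP(w, r)
	})
}

func main() { log.Println(FlagsIsAdmin("PUT", profilePath, []byte(`{"isadmin": true}`))) } // constructed sample
```

The filter cannot see the caller's role, so an administrator saving their own profile with IsAdmin set to true is rejected as well. Treat it as a stopgap until 2.1.3 is deployed.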
