Improper Input Validation Leading to Unauthorized Administrator Access in MAAS
CVE-2025-7044

7.7 HIGH

Key Information:

Vendor

Ubuntu

Status
Vendor
CVE Published:
3 December 2025

What is CVE-2025-7044?

An improper input validation vulnerability exists in the user websocket handler of MAAS. Authenticated, unprivileged attackers can intercept a user.update websocket request and manipulate the 'is_superuser' property to assume administrative privileges. This vulnerability allows attackers to bypass normal access controls, resulting in unauthorized administrative access and complete control over the MAAS deployment.
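As an added illustration of this defect class (example code, not MAAS's own implementation): a simplified Python `user.update` handler that copies every request field straight into the stored user record, beside a hardened version that takes the requester's privilege level from the server-side record and allowlists the fields a non-administrator may change. The in-memory store, the allowlist and the function names are hypothetical.

```python
# Constructed in-memory user store (hypothetical; stands in for a real database).
def make_store():
    return {
        1: {"id": 1, "username": "admin", "email": "admin@example.test", "is_superuser": True},
        2: {"id": 2, "username": "alice", "email": "alice@example.test", "is_superuser": False},
    }

# Hypothetical policy: fields anyone may change on their own account,
# and fields only an administrator may ever set.
SELF_EDITABLE = {"username", "email"}
ADMIN_ONLY = {"is_superuser"}


def vulnerable_user_update(store, requester_id, params):
    """Mass-assignment pattern: trusts whatever keys the websocket message
    carries, so a low-privilege caller can flip is_superuser on their own row."""
    target = store[params["id"]]
    for key, value in params.items():
        if key != "id":
            target[key] = value
    return target


def check_user_update(store, requester_id, params):
    """Return None when the update is allowed, else a reason string.
    Authorization is derived from the requester's stored record, never
    from the payload, and unknown fields are rejected outright."""
    requester = store[requester_id]
    target = store.get(params.get("id"))
    if target is None:
        return "unknown target user"
    unknown = set(params) - {"id"} - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        return f"unexpected fields: {sorted(unknown)}"
    if not requester["is_superuser"]:
        if target["id"] != requester_id:
            return "non-administrators may only edit their own account"
        if ADMIN_ONLY & set(params):
            return "privilege fields require administrator rights"
    return None


def hardened_user_update(store, requester_id, params):
    """Apply the update only after the server-side check passes."""
    reason = check_user_update(store, requester_id, params)
    if reason is not None:
        raise PermissionError(reason)
    target = store[params["id"]]
    for key, value in params.items():
        if key != "id":
            target[key] = value
    return target
```

Logging the rejected reason from `check_user_update` also gives a detection hook: a non-administrator repeatedly sending privilege fields in `user.update` is worth an alert.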

Affected Version(s)

MAAS Linux 3.3.0 < 3.3.11

MAAS Linux 3.4.0 < 3.4.9

MAAS Linux 3.5.0 < 3.5.9

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jacopo Rota