Missing Authorization Check in Brave CMS Allows User Role Escalation
CVE-2026-35182

8.8HIGH

Key Information:

Vendor: Ajax30
Status: Bravecms-2.0
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-35182?

Brave CMS, an open-source content management system, contains a vulnerability that permits any authenticated user to escalate their privileges improperly. This occurs due to a missing authorization check in the update role endpoint, specifically the POST route for /rights/update-role/{id}, which lacks the necessary middleware to validate user permissions. The flaw enables users to change account roles, promoting themselves to Super Admin without proper authorization. Users are advised to upgrade to version 2.0.6, where this security issue has been addressed.

Affected Version(s)

BraveCMS-2.0 < 2.0.6

References

https://github.com/Ajax30/BraveCMS-2.0/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 1, 2026

CVE-2026-35182 Data

JSON