Home / Vulnerability Intelligence / CVE-2026-35182

CVE-2026-35182 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 7, 2026

Brave CMS - Broken Access Control

Published: April 6, 2026Updated: April 7, 2026Remote Exploitable

Overview

Brave CMS < 2.0.6 contains a broken access control caused by missing authorization check in the update role endpoint at routes/web.php, letting authenticated users escalate their privileges to Super Admin, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Authenticated users can escalate their privileges to Super Admin, leading to full system compromise.

Mitigation

Upgrade to version 2.0.6 or later.

References

https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-g58h-mvjw-f4hv

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 7, 2026

🟠 CVE-2026-35182 - High (8.8) Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/{id} lacks the checkUserPermissions:assign-user-roles ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35182/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-35182
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.2%Probability of exploitation in the next 30 days