Fixes #39478 - CVE-2026-5136: Privilege escalation via usergroup role assignment #11065
Merged
Odilhao merged 3 commits into Jul 1, 2026
A user who is a member of a usergroup can add a role granting escalate_roles to that usergroup, bypassing the privilege escalation check. The role assignment is cached before the validation runs, so can_escalate? sees the newly granted permission and allows it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a user is a member of a usergroup and edits its roles, the role_ids= setter immediately persists UserRole records and populates the CachedUserRole cache. By the time the ensure_roles_not_escalated validation runs, can_escalate? sees the freshly cached permission and allows the assignment — letting the user grant themselves escalate_roles through the group. Fix by excluding CachedUserRole entries for the newly added roles on the edited usergroup when checking escalation capability. Pre-existing roles on the same usergroup (including a legitimate escalate_roles grant) are still honored. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
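The ordering described in the commit message, as an added Ruby model that is not Foreman's code: a per-user grant cache is filled as soon as a role is persisted, the escalation check then reads that cache, and the fix excludes the freshly added [usergroup, role] pairs from the check. RoleCache, assign_roles and scenario are constructed names; :escalate_roles stands in for the permission.

```ruby
# Constructed, simplified model of the ordering bug in the commit message
# above; not Foreman's code. :escalate_roles stands in for the permission.
Role = Struct.new(:name, :permissions)
Usergroup = Struct.new(:name, :roles, :members)
# Per-user cache of [usergroup, role] grants, filled as soon as a role is
# persisted on a usergroup the user belongs to (like CachedUserRole).
class RoleCache
  def initialize
    @entries = Hash.new { |h, k| h[k] = [] }
  end
  def add(user, group, role)
    @entries[user] << [group, role]
  end
  def remove(user, pairs)
    @entries[user].reject! { |e| pairs.include?(e) }
  end
  # Permissions attributed to +user+, ignoring the pairs in +exclude+.
  def permissions(user, exclude: [])
    @entries[user].reject { |e| exclude.include?(e) }.flat_map { |(_, r)| r.permissions }
  end
end

def escalating?(roles)
  roles.any? { |r| r.permissions.include?(:escalate_roles) }
end

# Persists and caches +new_roles+ before validating, as the setter in the
# report does. exclude_new: false reads back the very grant being validated.
def assign_roles(cache, user, group, new_roles, exclude_new:)
  added = []
  new_roles.each do |role|
    group.roles << role
    next unless group.members.include?(user)
    cache.add(user, group, role)
    added << [group, role]
  end
  can_escalate = cache.permissions(user, exclude: exclude_new ? added : []).include?(:escalate_roles)
  return :allowed if !escalating?(new_roles) || can_escalate
  new_roles.each { |r| group.roles.delete(r) } # undo what the setter wrote
  cache.remove(user, added)
  :denied
end

# Member :alice of "admins" attaches a role granting escalate_roles;
# +preexisting+ gives her a legitimate earlier grant on the same group.
def scenario(exclude_new:, preexisting: false)
  cache = RoleCache.new
  admins = Usergroup.new("admins", [], [:alice])
  cache.add(:alice, admins, Role.new("old", [:escalate_roles])) if preexisting
  assign_roles(cache, :alice, admins, [Role.new("new", [:escalate_roles])], exclude_new: exclude_new)
end
```

With exclude_new: false the member's own fresh grant satisfies the check; with exclude_new: true it is denied, while a pre-existing grant on the same usergroup is still honored.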
Odilhao approved these changes Jul 1, 2026
CVE-2026-5136
Privilege escalation via usergroup role assignment manipulation.
The Usergroup model does not validate whether the calling user is permitted to assign the specified roles. A user with create_usergroups or edit_usergroups permission can attach arbitrary roles to a usergroup via the API, add themselves as a member, and inherit elevated privileges.