Platform: php
Component: formwork
Fixed in: 2.0.1
CVE-2026-27198 is a privilege escalation vulnerability discovered in Formwork CMS, a flat-file content management system. An authenticated user with the 'editor' role can exploit this flaw to create new accounts with administrative privileges, effectively gaining full control over the CMS. This vulnerability affects versions 2.0.0 through 2.3.3 and has been resolved in version 2.3.4.
The impact of CVE-2026-27198 is significant. An attacker successfully exploiting this vulnerability can gain complete administrative access to the Formwork CMS instance. This allows them to modify content, install malicious plugins or themes, steal sensitive data stored within the CMS, and potentially pivot to other systems on the network. The flat-file architecture of Formwork means that data is stored in plain text, making it particularly vulnerable to data exfiltration if an attacker gains control. The ability to create admin accounts effectively bypasses all security controls intended to protect the CMS, leading to a complete compromise of the system.
CVE-2026-27198 was publicly disclosed on 2026-02-21. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, given the requirement of only an authenticated 'editor' account, suggests that it could become a target for opportunistic attackers.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2026-27198 is to immediately upgrade Formwork CMS to version 2.3.4 or later. If upgrading is not immediately feasible, consider implementing stricter role-based access controls within the CMS, although this is not a complete solution. Review user accounts and permissions to identify any suspicious activity. Monitor CMS logs for unusual account creation attempts. While a WAF cannot directly prevent this vulnerability, it can help detect and block suspicious requests related to account creation. After upgrading, verify the fix by attempting to create a new user with administrative privileges using an editor account; the creation should be denied.
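As an added illustration of this bug class (not Formwork's own code: the role ranks, the 'user' role and all function names are assumptions), the following Python models account creation without and with a role-ceiling check, together with the account-review and post-upgrade verification steps described above:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed role ordering. Assumption: the page names only 'editor' and
# 'admin'; these ranks are illustrative, not Formwork's real role table.
ROLE_RANK = {"user": 1, "editor": 2, "admin": 3}
LogEntry = Tuple[str, str, str, str]  # (actor, actor_role, created_user, role)

@dataclass(frozen=True)
class User:
    username: str
    role: str

class PrivilegeError(PermissionError):
    """Raised when an actor tries to grant more privilege than it holds."""

def create_user_vulnerable(actor: User, username: str, role: str,
                           users: Dict[str, User], log: List[LogEntry]) -> User:
    """Bug pattern: checks that the actor may create users, never what role it grants."""
    if ROLE_RANK[actor.role] < ROLE_RANK["editor"]:
        raise PrivilegeError(f"{actor.username} may not create users")
    users[username] = User(username, role)  # role taken from the request as-is
    log.append((actor.username, actor.role, username, role))
    return users[username]

def create_user_fixed(actor: User, username: str, role: str,
                      users: Dict[str, User], log: List[LogEntry]) -> User:
    """Hardened: the role being assigned is capped at the actor's own rank."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    if ROLE_RANK[actor.role] < ROLE_RANK["editor"]:
        raise PrivilegeError(f"{actor.username} may not create users")
    if ROLE_RANK[role] > ROLE_RANK[actor.role]:  # the check the bug class lacks
        raise PrivilegeError(f"{actor.role} {actor.username!r} may not grant {role!r}")
    users[username] = User(username, role)
    log.append((actor.username, actor.role, username, role))
    return users[username]

def find_escalations(log: List[LogEntry]) -> List[LogEntry]:
    """Review step: creations where the granted role outranks the actor's role."""
    return [e for e in log if ROLE_RANK.get(e[3], 0) > ROLE_RANK.get(e[1], 0)]

def editor_cannot_grant_admin(create_fn: Callable[..., User]) -> bool:
    """Verification step from the advisory: an editor creating an admin is denied."""
    try:
        create_fn(User("editor1", "editor"), "newadmin", "admin", {}, [])
    except PrivilegeError:
        return True
    return False
```

Running `editor_cannot_grant_admin` against the vulnerable function returns False and against the fixed one returns True, mirroring the manual check recommended after the upgrade.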
Update Formwork to version 2.3.4 or higher. This version corrects the vulnerability that allows users with editor privileges to create accounts with administrator privileges. The update will prevent privilege escalation and protect the CMS from complete compromise.
CVE-2026-27198 is a vulnerability in Formwork CMS where an editor can create admin accounts, gaining full control. It affects versions 2.0.0 through 2.3.3 and is rated HIGH severity.
You are affected if you are running Formwork CMS versions 2.0.0 through 2.3.3. Check your version and upgrade immediately if vulnerable.
Upgrade Formwork CMS to version 2.3.4 or later to resolve this vulnerability. If immediate upgrade is not possible, implement stricter role-based access controls.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Formwork CMS official website and security advisories for the latest information and updates regarding CVE-2026-27198.