Claude Coding Agent

PT-2026-37203 · 2026-05-04
Pelican · Pelican · CVE-2026-42571
CVSS: 9
**Name of the Vulnerable Software and Affected Versions**

- Pelican versions 7.21.0 through 7.21.4
- Pelican versions 7.22.0 through 7.22.2
- Pelican versions 7.23.0 through 7.23.2
- Pelican versions 7.24.0 through 7.24.1

**Description**

A privilege escalation issue exists in the Web User Interface (WebUI) that allows any user authenticated via OAuth to obtain admin privileges under specific configurations. The issue is reachable when OIDC logins are enabled and the attacker knows or guesses the identifier of an administrator who has not yet logged into the WebUI. It depends on the following configuration settings:

- `Server.UIAdminUsers`: affected if a listed admin user, or the default admin account, has not previously logged in.
- `Server.AdminGroups`: affected if `Issuer.GroupSource` is set to `internal` and a group admin has not previously logged in.

Because no WebUI record exists yet for such an administrator, an authenticated attacker can create database records that bind the admin identifier to their own account and grant them admin privileges on their next login. With admin access they can modify server configurations, create persistent API tokens, and change admin passwords. Depending on the service, this carries a high data-tampering risk: for example, redirecting configuration to a different registry, poisoning federation-wide namespaces, or exposing protected paths.

**Recommendations**

- Upgrade to version 7.21.5 or later for those on the 7.21 series.
- Upgrade to version 7.22.3 or later for those on the 7.22 series.
- Upgrade to version 7.23.3 or later for those on the 7.23 series.
- Upgrade to version 7.24.2 or later for those on the 7.24 series.

As a temporary workaround, disable the vulnerable configuration by removing or commenting out the `Server.UIAdminUsers` and `Server.AdminGroups` settings in the `pelican.yaml` file. Note that this also removes the admin grants those settings provide until the upgrade is applied.
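To make the failure mode concrete, the following Go model (added here as an illustration; it is not Pelican's code and does not reproduce Pelican's internals) contrasts a WebUI that stores a caller-chosen identifier and decides admin status from it at login, with one that derives the identifier only from the verified OIDC claims of a trusted issuer. The `Claims.Username` field, the `Register` endpoint, the issuer URL and the user names are all constructed assumptions of the model. The admin list plays the role of `Server.UIAdminUsers`.

```go
package main

import "fmt"

// Claims models what the OIDC layer hands to the WebUI after verifying the
// ID token. Username stands in for an IdP-asserted claim such as
// preferred_username; that mapping is an assumption of this model.
type Claims struct {
	Issuer, Subject, Username string
}

// userRow models a WebUI user record created on first login.
type userRow struct {
	name, issuer, subject string
}

// VulnerableUI lets the caller choose the identifier stored in its user
// table and decides admin status from that identifier at login time. A
// configured admin who has never logged in has no row yet, so the first
// OAuth user to register that name binds it to their own issuer/subject.
type VulnerableUI struct {
	adminUsers map[string]bool // names from Server.UIAdminUsers
	rows       []userRow
}

func NewVulnerableUI(admins []string) *VulnerableUI {
	u := &VulnerableUI{adminUsers: map[string]bool{}}
	for _, a := range admins {
		u.adminUsers[a] = true
	}
	return u
}

// Register creates a row for the authenticated caller under a name the
// caller supplies. Nothing checks that the IdP actually asserted the name.
func (u *VulnerableUI) Register(c Claims, name string) error {
	for _, r := range u.rows {
		if r.name == name {
			return fmt.Errorf("name %q already taken", name)
		}
	}
	u.rows = append(u.rows, userRow{name: name, issuer: c.Issuer, subject: c.Subject})
	return nil
}

// Login finds the caller's row by issuer/subject and grants admin if the
// stored (caller-chosen) name is in the admin list.
func (u *VulnerableUI) Login(c Claims) bool {
	for _, r := range u.rows {
		if r.issuer == c.Issuer && r.subject == c.Subject {
			return u.adminUsers[r.name]
		}
	}
	return false
}

// HardenedUI derives the identifier only from verified claims of a trusted
// issuer and never accepts a caller-chosen name, so a configured admin name
// can only be bound by the account the IdP asserts for it.
type HardenedUI struct {
	adminUsers    map[string]bool
	trustedIssuer string
	rows          []userRow
}

func NewHardenedUI(admins []string, trustedIssuer string) *HardenedUI {
	u := &HardenedUI{adminUsers: map[string]bool{}, trustedIssuer: trustedIssuer}
	for _, a := range admins {
		u.adminUsers[a] = true
	}
	return u
}

// Login auto-provisions the row from verified claims; admin status comes
// from the IdP-asserted username, never from data the caller stored.
func (u *HardenedUI) Login(c Claims) bool {
	if c.Issuer != u.trustedIssuer || c.Username == "" {
		return false
	}
	for _, r := range u.rows {
		if r.issuer == c.Issuer && r.subject == c.Subject {
			return u.adminUsers[r.name]
		}
	}
	u.rows = append(u.rows, userRow{name: c.Username, issuer: c.Issuer, subject: c.Subject})
	return u.adminUsers[c.Username]
}

// Scenario returns (vulnerableGrantsAdmin, hardenedGrantsAdmin) for an
// attacker who registers the never-logged-in admin name and logs in again.
func Scenario() (bool, bool) {
	const idp = "https://idp.example" // constructed issuer
	attacker := Claims{Issuer: idp, Subject: "sub-attacker", Username: "mallory"}

	v := NewVulnerableUI([]string{"alice"})
	_ = v.Register(attacker, "alice") // claims the unclaimed admin name
	h := NewHardenedUI([]string{"alice"}, idp)
	return v.Login(attacker), h.Login(attacker)
}

func main() {
	v, h := Scenario()
	fmt.Printf("vulnerable grants admin: %v, hardened grants admin: %v\n", v, h)
}
```

The hardened variant also covers the first-login case the advisory describes: the row for `alice` is only ever created when the trusted issuer asserts that username, so a configured-but-unclaimed admin name cannot be pre-bound by someone else.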