PT-2025-10126 · Backdrop CMS · Masquerade
Credits: Rick Bargerhuff +1
Published: 2025-03-07 · Updated: 2025-03-08
CVE-2025-27822
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Backdrop CMS Masquerade module versions prior to 1.x-1.0.1
Description
An issue in the Masquerade module, which lets users temporarily switch to another user account, allows the "Masquerade as admin" permission to be bypassed. That permission is intended to stop non-administrative users from switching to an account with administrative privileges. However, it is not always enforced, so a non-administrative user may be able to masquerade as an administrator. The vulnerability is mitigated by the requirement that an attacker must already hold a role with the "Masquerade as user" permission.
Recommendations
For Backdrop CMS Masquerade module versions prior to 1.x-1.0.1, update to version 1.x-1.0.1 or later to resolve the issue. As a temporary workaround, restrict the "Masquerade as user" permission to trusted roles only, to minimize the risk of exploitation.
Fix
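The two-permission rule the advisory describes, modelled as an added example (not the Masquerade module's own code): the hardened check always requires "Masquerade as admin" when the target holds an admin role, and a helper lists the roles the workaround says to trim. Role names, the role-to-permission table and the accounts are constructed assumptions.

```python
"""Model of the Masquerade authorization decision (constructed illustration)."""
from dataclasses import dataclass, field

MASQ_USER = "masquerade as user"    # permission names as given in the advisory
MASQ_ADMIN = "masquerade as admin"

# Constructed role -> permission table; "administrator" is assumed to be the
# site's admin role, as in a default Backdrop install.
ROLE_PERMS = {
    "administrator": {MASQ_USER, MASQ_ADMIN},
    "editor": {MASQ_USER},
    "authenticated": set(),
}
ADMIN_ROLES = {"administrator"}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)


def perms(acct):
    """Union of the permissions granted by all of the account's roles."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in acct.roles))


def is_admin(acct):
    return bool(acct.roles & ADMIN_ROLES)


def can_masquerade(actor, target):
    """Intended rule: any switch needs MASQ_USER; switching to an account that
    holds an admin role additionally needs MASQ_ADMIN. The advisory's flaw is
    that the second clause was not always applied; here it always is."""
    p = perms(actor)
    if MASQ_USER not in p:
        return False
    if is_admin(target) and MASQ_ADMIN not in p:
        return False
    return True


def exposed_roles(role_perms=ROLE_PERMS):
    """Roles holding MASQ_USER but not MASQ_ADMIN: on an unpatched module these
    are the ones that could reach an admin account, so they are the ones to
    review when applying the advisory's workaround."""
    return sorted(r for r, p in role_perms.items()
                  if MASQ_USER in p and MASQ_ADMIN not in p)
```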
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
Masquerade