PT-2026-22074 · Unknown · Wireguard Portal

Gregtuc · Published 2026-02-24 · Updated 2026-03-25 · CVE-2026-27899

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

WireGuard Portal versions prior to 2.1.3

Description

WireGuard Portal, a web-based configuration portal for WireGuard server management, contains a flaw that allows authenticated non-admin users to escalate their privileges to full administrator level. This is achieved by sending a specially crafted PUT request to their own user profile endpoint, setting the IsAdmin field to true within the JSON body. The server does not properly validate or sanitize this input and writes the provided value directly to the database. Upon logging back in, the user session reflects the newly granted administrative privileges. An attacker who gains administrative access can read and modify user accounts, manage WireGuard peers, view interface configurations, disable user accounts, and access API tokens.

Recommendations

Versions prior to 2.1.3 should be updated to version 2.1.3 or later. Ensure that any Docker images in use are updated to the latest version built from the master branch, as it includes the fix.
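
The class of check whose absence the description points to, as an added example that is not WireGuard Portal's code or its actual fix: the PUT body is decoded into an explicit update struct, and the caller's role is taken from the server-side session rather than from the request. The names User, profileUpdate, ApplyProfileUpdate and ErrForbidden, and the sample account, are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a hypothetical account record, not WireGuard Portal's own model.
type User struct {
	Identifier, Email string
	IsAdmin, Disabled bool
}

// profileUpdate is the only shape a PUT body is decoded into; nil means "absent".
type profileUpdate struct {
	Email             *string
	IsAdmin, Disabled *bool
}

var ErrForbidden = errors.New("change not permitted for this caller")

// ApplyProfileUpdate merges a PUT body into stored; actor is the session user.
func ApplyProfileUpdate(actor, stored User, body []byte) (User, error) {
	var in profileUpdate
	// encoding/json matches keys case-insensitively, so "isadmin" lands here too.
	if err := json.Unmarshal(body, &in); err != nil {
		return stored, fmt.Errorf("invalid body: %w", err)
	}
	roleChange := in.IsAdmin != nil && *in.IsAdmin != stored.IsAdmin
	stateChange := in.Disabled != nil && *in.Disabled != stored.Disabled
	if !actor.IsAdmin && (actor.Identifier != stored.Identifier || roleChange || stateChange) {
		return stored, ErrForbidden // non-admins edit only their own unprivileged fields
	}
	if roleChange {
		stored.IsAdmin = *in.IsAdmin // reachable only when actor.IsAdmin is true
	}
	if stateChange {
		stored.Disabled = *in.Disabled
	}
	if in.Email != nil {
		stored.Email = *in.Email
	}
	return stored, nil
}

func main() {
	alice := User{Identifier: "alice", Email: "alice@example.test"} // constructed sample
	_, err := ApplyProfileUpdate(alice, alice, []byte(`{"IsAdmin":true}`))
	fmt.Println("non-admin sets IsAdmin:", err)
}
```

Rejecting the request, rather than silently dropping the field, also leaves a clear signal in the application log when a non-admin session submits a privileged change.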

Exploit · Fix · LPE · Improper Privilege Management · Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-04465
CVE-2026-27899
GHSA-5RMX-256W-8MJ9
GO-2026-4566
SUSE-SU-2026:1042-1

Affected Products

Wireguard Portal