PT-2026-30714 · Brave Cms · Brave Cms

Para213 · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35182

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Brave CMS versions prior to 2.0.6

Description

Brave CMS is an open-source CMS. Prior to version 2.0.6, a missing authorization check exists in the update role endpoint located at /routes/web.php. Specifically, the POST route /rights/update-role/{id} lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to modify account roles and elevate privileges to Super Admin.

Recommendations

Update Brave CMS to version 2.0.6 or later.
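
An added example, not part of the advisory or of Brave CMS's own code: a small audit that scans a routes file for state-changing routes under /rights/ that have no checkUserPermissions middleware chained on, which is the gap described above. It assumes Laravel-style Route::verb(...) declarations; the sample routes, the controller name and the view-roles permission are constructed for illustration.

```python
import re

# Constructed sample of a routes/web.php file. Only the update-role URI and the
# checkUserPermissions:assign-user-roles middleware name come from the advisory;
# the other routes, controller and permission names are hypothetical.
SAMPLE_ROUTES = r"""<?php
Route::get('/rights/roles', [RightsController::class, 'index'])
    ->middleware('checkUserPermissions:view-roles');
Route::post('/rights/update-role/{id}', [RightsController::class, 'updateRole']);
Route::post('/rights/create-role', [RightsController::class, 'store'])
    ->middleware('checkUserPermissions:assign-user-roles');
"""

STATE_CHANGING = {"post", "put", "patch", "delete"}
# One route statement: verb, URI, then everything up to the terminating ';'.
ROUTE_RE = re.compile(r"Route::(\w+)\(\s*['\"]([^'\"]+)['\"](.*?);", re.S)
# A per-route permission guard chained onto the statement.
GUARD_RE = re.compile(r"->middleware\([^)]*checkUserPermissions:[\w-]+")


def find_unguarded_routes(source, prefix="/rights/"):
    """Return (VERB, URI) for state-changing routes under prefix with no guard.

    Limitation: middleware inherited from Route::group()/Route::middleware()
    wrappers is not resolved, so grouped routes need manual review.
    """
    findings = []
    for verb, uri, rest in ROUTE_RE.findall(source):
        if verb.lower() not in STATE_CHANGING or not uri.startswith(prefix):
            continue
        if not GUARD_RE.search(rest):
            findings.append((verb.upper(), uri))
    return findings


if __name__ == "__main__":
    for verb, uri in find_unguarded_routes(SAMPLE_ROUTES):
        print(f"{verb} {uri}: no checkUserPermissions middleware")
```

Run against a real routes file by passing its contents as source; a finding is a prompt for review, since the guard may be applied by an enclosing group.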

Exploit

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-35182

Affected Products: Brave Cms