PT-2026-37203 · Pelican · Pelican

Brian Bockelman +1

Published 2026-05-04 · Updated 2026-05-09

CVE-2026-42571

CVSS v4.0: 9.0 (Critical)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

  • Pelican versions 7.21.0 through 7.21.4
  • Pelican versions 7.22.0 through 7.22.2
  • Pelican versions 7.23.0 through 7.23.2
  • Pelican versions 7.24.0 through 7.24.1

Description

A privilege escalation issue exists in the Web User Interface (WebUI) that allows any user authenticated via OAuth to obtain admin privileges under specific configurations. This occurs when OIDC logins are enabled and the attacker knows or guesses an admin identifier for an administrator who has not yet logged into the WebUI. The issue is particularly relevant when the following configuration variables are enabled:
  • Server.UIAdminUsers: affected if listed admin users or the default admin account have not previously logged in.
  • Server.AdminGroups: affected if Issuer.GroupSource is set to internal and a group admin has not previously logged in.
An attacker can create database records that grant them admin privileges upon subsequent login, enabling them to modify server configurations, create persistent API tokens, and change admin passwords. Depending on the service, this could lead to high data tampering risks, such as modifying configurations to point to different registries, poisoning federation-wide namespaces, or exposing protected paths.
Recommendations

  • Upgrade to version 7.21.5 or later for those on the 7.21 series.
  • Upgrade to version 7.22.3 or later for those on the 7.22 series.
  • Upgrade to version 7.23.3 or later for those on the 7.23 series.
  • Upgrade to version 7.24.2 or later for those on the 7.24 series.

As a temporary workaround, disable the vulnerable configuration by removing or commenting out the Server.UIAdminUsers and Server.AdminGroups settings in the pelican.yaml file.
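As an added example (not code from the Pelican project or this advisory), a small operator-side check that takes a deployment's Pelican version and its parsed pelican.yaml and reports whether the version is in an affected range, which of the two settings expose it, and the fix or workaround from the advisory. It assumes OIDC logins are enabled (not checked here) and, conservatively, that the listed admins have not yet logged in, which cannot be read from the config.

```python
# Affected patch ranges per series, from the advisory: (last affected patch, first fixed patch).
AFFECTED_SERIES = {
    (7, 21): (4, 5),  # 7.21.0 through 7.21.4; fixed in 7.21.5
    (7, 22): (2, 3),  # 7.22.0 through 7.22.2; fixed in 7.22.3
    (7, 23): (2, 3),  # 7.23.0 through 7.23.2; fixed in 7.23.3
    (7, 24): (1, 2),  # 7.24.0 through 7.24.1; fixed in 7.24.2
}

def parse_version(version):
    """Turn 'v7.22.1' or '7.22.1-rc1' into (7, 22, 1)."""
    core = version.lstrip("v").split("-")[0]
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    return major, minor, patch

def fixed_version(version):
    """First fixed release if the version is in an affected range, else None."""
    major, minor, patch = parse_version(version)
    entry = AFFECTED_SERIES.get((major, minor))
    if entry is None or patch > entry[0]:
        return None
    return f"{major}.{minor}.{entry[1]}"

def exposed_settings(config):
    """pelican.yaml settings (parsed to a dict) that enable the takeover path."""
    server = config.get("Server") or {}
    issuer = config.get("Issuer") or {}
    found = []
    if server.get("UIAdminUsers"):
        found.append("Server.UIAdminUsers")
    # AdminGroups only matters when group membership comes from the internal source.
    if server.get("AdminGroups") and issuer.get("GroupSource") == "internal":
        found.append("Server.AdminGroups")
    return found

def assess(version, config):
    """Combine the version and config checks into one finding for the operator."""
    fix = fixed_version(version)
    exposed = exposed_settings(config)
    affected = fix is not None and bool(exposed)
    workaround = None
    if affected:
        workaround = "remove or comment out " + ", ".join(exposed) + " in pelican.yaml"
    return {"affected": affected, "fixed_version": fix,
            "exposed_settings": exposed, "workaround": workaround}

# Constructed sample: an affected release with both risky settings present.
SAMPLE_CONFIG = {
    "Server": {"UIAdminUsers": ["alice"], "AdminGroups": ["pelican-admins"]},
    "Issuer": {"GroupSource": "internal"},
}
```

Run `assess("7.22.1", SAMPLE_CONFIG)` to get a finding that names 7.22.3 as the fix and both settings as the workaround targets.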

Fix · LPE · Incorrect Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-42571, GHSA-RPFR-X88X-XWCW

Affected Products: Pelican