CVE-2026-29789

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326	Patch
https://github.com/vitodeploy/vito/pull/1036	Issue Tracking Patch
https://github.com/vitodeploy/vito/releases/tag/3.20.3	Product Release Notes
https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vitodeploy:vito:*:*:*:*:*:*:*:*

History

13 Mar 2026, 18:42

Type	Values Removed	Values Added
References	~~() https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326 -~~	() https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326 - Patch
References	~~() https://github.com/vitodeploy/vito/pull/1036 -~~	() https://github.com/vitodeploy/vito/pull/1036 - Issue Tracking, Patch
References	~~() https://github.com/vitodeploy/vito/releases/tag/3.20.3 -~~	() https://github.com/vitodeploy/vito/releases/tag/3.20.3 - Product, Release Notes
References	~~() https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76 -~~	() https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:vitodeploy:vito::::::::
First Time		Vitodeploy vito Vitodeploy
Summary		(es) Vito es una aplicación web autoalojada que ayuda a gestionar servidores y a desplegar aplicaciones PHP en servidores de producción. Antes de la versión 3.20.3, una comprobación de autorización faltante en las acciones de creación de sitios del flujo de trabajo permite a un atacante autenticado con acceso de escritura al flujo de trabajo en un proyecto crear/gestionar sitios en servidores pertenecientes a otros proyectos al proporcionar un server_id externo. Este problema ha sido parcheado en la versión 3.20.3.

06 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 21:16

Updated : 2026-03-13 18:42

NVD link : CVE-2026-29789

Mitre link : CVE-2026-29789

CVE.ORG link : CVE-2026-29789

JSON object : View

Products Affected

vitodeploy

vito

CWE

CWE-862

Missing Authorization

9.9 /10