CVE-2026-56115

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.
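The gap the advisory describes is authentication without authorization: a signed token proves who the caller is, not that they may act on /api/users. The Go below is an added example written for this page, not Bootimus's code; the claim name is_admin is taken from the advisory, while the demo key, the adminOnly parameter and the omission of the account-status check are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
)
type Claims struct { // assumed claim layout for this example, not Bootimus's real token schema
	IsAdmin bool `json:"is_admin"`
}
var secret, b64 = []byte("constructed-demo-secret"), base64.RawURLEncoding // constructed key
func sign(in string) string { // HS256 tag over the JWT signing input "header.payload"
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(in))
	return b64.EncodeToString(m.Sum(nil))
}
func SignHS256(c Claims) string { // mints a compact JWT so tokens for either role can be built locally
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return in + "." + sign(in)
}
func ParseHS256(tok string) *Claims { // pins alg to HS256, verifies the tag, returns claims or nil
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1]))) {
		return nil
	}
	c := &Claims{}
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, c) != nil {
		return nil
	}
	return c
}
// JWTMiddleware authenticates the bearer token; with adminOnly it also enforces the role, which is the check the advisory says is missing for handlers under /api/users.
func JWTMiddleware(adminOnly bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c := ParseHS256(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
		if c == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if adminOnly && !c.IsAdmin { // authorization: authenticated is not the same as admin
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrapping the user-management routes as JWTMiddleware(true, h) while ordinary routes use JWTMiddleware(false, h) makes a valid low-privilege token yield 403 rather than reaching the admin handler.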
Configurations

Configuration 1

cpe:2.3:a:bootimus:bootimus:*:*:*:*:*:*:*:*

History

29 Jun 2026, 12:20

Type Values Removed Values Added
First Time Bootimus bootimus; Bootimus
CPE cpe:2.3:a:dhcpcd_project:dhcpcd:*:*:*:*:*:*:*:* cpe:2.3:a:bootimus:bootimus:*:*:*:*:*:*:*:*

28 Jun 2026, 00:28

Type Values Removed Values Added
CPE cpe:2.3:a:dhcpcd_project:dhcpcd:*:*:*:*:*:*:*:*
First Time Dhcpcd Project; Dhcpcd Project dhcpcd
References https://github.com/garybowers/bootimus/issues/84 (tags added: Exploit, Issue Tracking, Vendor Advisory)
References https://www.vulncheck.com/advisories/bootimus-broken-access-control-via-jwtmiddleware-authorization-bypass (tag added: Third Party Advisory)

25 Jun 2026, 17:17

Type Values Removed Values Added
References
  • Removed: https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029 (source: disclosure@vulncheck.com)
  • Removed: https://www.vulncheck.com/advisories/dhcpcd-stack-out-of-bounds-write-in-dhcp6-makemessage (source: disclosure@vulncheck.com)
  • Added: https://github.com/garybowers/bootimus/issues/84
  • Added: https://www.vulncheck.com/advisories/bootimus-broken-access-control-via-jwtmiddleware-authorization-bypass
CVSS
  • Removed: v2 unknown, v3 5.3
  • Added: v2 unknown, v3 8.8
CWE
  • Removed: CWE-787
  • Added: CWE-862
Summary
  • Removed: (en) dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
  • Added: (en) Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.

23 Jun 2026, 17:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-23 17:17

Updated : 2026-06-29 12:20


NVD link : CVE-2026-56115

Mitre link : CVE-2026-56115

CVE.ORG link : CVE-2026-56115

Products Affected

bootimus

  • bootimus
CWE
CWE-862

Missing Authorization