PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42571 Unknown Vendor CVE debrief

CVE-2026-42571 is a critical access-control flaw in Pelican's Web User Interface (WebUI). In affected releases, a user authenticated to the WebUI via OAuth can escalate to admin privileges under certain configurations. Fixed releases are 7.21.5, 7.22.3, 7.23.3, and 7.24.2.

Vendor
Unknown Vendor
Product
Unknown
CVSS
CRITICAL 9.0 (CVSS v4.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Administrators and operators running Pelican WebUI, especially deployments that allow OAuth-based authentication and rely on WebUI role separation. Security teams should treat this as a high-priority authentication and authorization issue.

Technical summary

The provided advisory describes a privilege escalation vulnerability in Pelican WebUI mapped to CWE-863 (incorrect authorization). Affected versions are 7.21.0 up to but not including 7.21.5, 7.22.0 up to but not including 7.22.3, 7.23.0 up to but not including 7.23.3, and 7.24.0 up to but not including 7.24.2. According to the description, an authenticated OAuth user can gain admin privileges when the vulnerable configuration is present; the stored evidence does not say which configuration that is. NVD lists the vulnerability with a CVSS v4.0 score of 9.0 and impact across confidentiality, integrity, and availability.

Defensive priority

Immediate. This is a critical privilege escalation in a management interface, with authenticated access as the starting point. Prioritize patching and access review now.

Recommended defensive actions

  • Upgrade Pelican to the fixed release for the line you run (7.21.5, 7.22.3, 7.23.3, or 7.24.2) or any later release in that line.
  • Review WebUI OAuth authentication and authorization settings to confirm only intended users can reach administrative functions. The stored evidence does not identify the vulnerable configuration, so do not assume a deployment is unaffected because its settings differ from the default.
  • Audit existing WebUI admin accounts and recent privilege changes for unexpected elevation, paying particular attention to accounts that signed in through OAuth.
  • If immediate upgrading is not possible, restrict access to the WebUI to trusted administrative networks until remediation is complete; this narrows who can reach the authenticated starting point but does not remove the flaw.
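The affected ranges in the technical summary and the upgrade step above can be turned into a fleet check. The Go below is an added example, not code from PatchSiren or from the Pelican project: it encodes only the four ranges the advisory states, assumes Pelican reports plain MAJOR.MINOR.PATCH strings (optionally with a leading "v" or a pre-release suffix such as "-rc1"), and runs over a constructed host inventory with made-up hostnames. A pre-release of a fixed version is deliberately still flagged, since nothing in the evidence says such a build carries the fix.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// releaseLine is one affected range from the advisory: every version from
// Min (inclusive) up to but not including Fixed is vulnerable.
type releaseLine struct {
	Min   string
	Fixed string
}

// Taken from the advisory text. Versions outside these ranges are reported as
// not affected, which is all the stored evidence supports.
var affectedLines = []releaseLine{
	{Min: "7.21.0", Fixed: "7.21.5"},
	{Min: "7.22.0", Fixed: "7.22.3"},
	{Min: "7.23.0", Fixed: "7.23.3"},
	{Min: "7.24.0", Fixed: "7.24.2"},
}

// version is a parsed MAJOR.MINOR.PATCH plus a pre-release flag.
type version struct {
	parts [3]int
	pre   bool // "-rc1" etc.: sorts before the bare release, so 7.21.5-rc1 < 7.21.5
}

// parseVersion accepts "7.22.1", "v7.22.1" or "7.22.1-rc1"; "+build" metadata is ignored.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	s, _, _ = strings.Cut(s, "+")
	s, _, v.pre = strings.Cut(s, "-")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v.parts[i] = n
	}
	return v, nil
}

// less reports whether a sorts before b (numeric fields first, then pre-release before release).
func (a version) less(b version) bool {
	for i := 0; i < 3; i++ {
		if a.parts[i] != b.parts[i] {
			return a.parts[i] < b.parts[i]
		}
	}
	return a.pre && !b.pre
}

// Assess reports whether installed falls in an affected range and, if so, the
// fixed release for that line.
func Assess(installed string) (vulnerable bool, fixed string, err error) {
	v, err := parseVersion(installed)
	if err != nil {
		return false, "", err
	}
	for _, rl := range affectedLines {
		lo, _ := parseVersion(rl.Min) // table constants above are well-formed
		hi, _ := parseVersion(rl.Fixed)
		if !v.less(lo) && v.less(hi) {
			return true, rl.Fixed, nil
		}
	}
	return false, "", nil
}

// Triage walks a host -> version inventory and returns one line per host that
// needs an upgrade or whose version could not be parsed. Output is sorted so
// successive runs can be diffed.
func Triage(inventory map[string]string) []string {
	var out []string
	for host, ver := range inventory {
		vuln, fixed, err := Assess(ver)
		switch {
		case err != nil:
			out = append(out, fmt.Sprintf("%s: cannot parse version %q (%v), check manually", host, ver, err))
		case vuln:
			out = append(out, fmt.Sprintf("%s: %s is affected, upgrade to %s", host, ver, fixed))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed inventory for illustration; hostnames and versions are made up.
	inventory := map[string]string{
		"origin-1.example.org": "v7.22.1",
		"origin-2.example.org": "7.24.2",
		"cache-1.example.org":  "7.21.5-rc1",
		"cache-2.example.org":  "7.23.3",
		"director.example.org": "7.23",
	}
	for _, line := range Triage(inventory) {
		fmt.Println(line)
	}
}
```

Feed Triage whatever version strings your inventory tooling already collects; anything it cannot parse is listed for manual review rather than silently treated as safe.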

Evidence notes

This debrief is based only on the supplied CVE/NVD record and the GitHub advisory references. The source description explicitly states the affected versions, the OAuth-authenticated privilege escalation condition, the fixed versions, and the CWE-863 mapping. No additional behavioral details are inferred beyond those sources.

Official resources

CVE-2026-42571 was published on 2026-05-09. The supplied advisory references a GitHub security advisory and a fixing commit, and states that patched releases are 7.21.5, 7.22.3, 7.23.3, and 7.24.2.