CVE-2026-32991 - Vulnerability Details - OpenCVE

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Webpros	Cpanel Cpanel (cloudlinux 6, Centos 6) Wp Squared
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/virtual-ciso
https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026

History

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Webpros Webpros cpanel Webpros cpanel (cloudlinux 6, Centos 6) Webpros wp Squared Wordpress Wordpress wordpress
Vendors & Products		Webpros Webpros cpanel Webpros cpanel (cloudlinux 6, Centos 6) Webpros wp Squared Wordpress Wordpress wordpress

Thu, 14 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 May 2026 23:45:00 +0000

Type	Values Removed	Values Added
Title		Team Member Privilege Escalation to Team Owner in cPanel and WP Squared

Wed, 13 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.
Weaknesses		CWE-863
References		https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-05-13T22:07:16.151Z

Updated: 2026-05-14T13:11:23.622Z

Reserved: 2026-03-17T15:00:07.746Z

Link: CVE-2026-32991

Vulnrichment

Updated: 2026-05-14T13:11:20.357Z

NVD

Status : Deferred

Published: 2026-05-13T23:16:43.110

Modified: 2026-05-14T16:49:18.583

Link: CVE-2026-32991

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32991", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-03-17T15:00:07.746Z", "datePublished": "2026-05-13T22:07:16.151Z", "dateUpdated": "2026-05-14T13:11:23.622Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account."}], "affected": [{"defaultStatus": "unaffected", "vendor": "WebPros", "product": "cPanel", "versions": [{"version": "11.136.0.0", "status": "affected", "lessThan": "11.136.0.10", "versionType": "semver"}, {"version": "11.134.0.0", "status": "affected", "lessThan": "11.134.0.26", "versionType": "semver"}, {"version": "11.132.0.0", "status": "affected", "lessThan": "11.132.0.32", "versionType": "semver"}, {"version": "11.130.0.0", "status": "affected", "lessThan": "11.130.0.23", "versionType": "semver"}, {"version": "11.126.0.0", "status": "affected", "lessThan": "11.126.0.59", "versionType": "semver"}, {"version": "11.124.0.0", "status": "affected", "lessThan": "11.124.0.38", "versionType": "semver"}, {"version": "11.118.0.0", "status": "affected", "lessThan": "11.118.0.67", "versionType": "semver"}, {"version": "11.110.0.0", "status": "affected", "lessThan": "11.110.0.119", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "WebPros", "product": "WP Squared", "versions": [{"version": "11.136.1.0", "status": "affected", "lessThan": "11.136.1.12", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "WebPros", "product": "cPanel (CloudLinux 6, CentOS 6)", "versions": [{"version": "11.110.0.0", "status": "affected", "lessThan": "11.110.0.118", "versionType": "semver"}]}], "references": [{"url": "https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-05-13T22:07:16.151Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-14T13:11:15.440259Z", "id": "CVE-2026-32991", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T13:11:23.622Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-14T13:11:15.440259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T13:11:20.357Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"}}], "affected": [{"vendor": "WebPros", "product": "cPanel", "versions": [{"status": "affected", "version": "11.136.0.0", "lessThan": "11.136.0.10", "versionType": "semver"}, {"status": "affected", "version": "11.134.0.0", "lessThan": "11.134.0.26", "versionType": "semver"}, {"status": "affected", "version": "11.132.0.0", "lessThan": "11.132.0.32", "versionType": "semver"}, {"status": "affected", "version": "11.130.0.0", "lessThan": "11.130.0.23", "versionType": "semver"}, {"status": "affected", "version": "11.126.0.0", "lessThan": "11.126.0.59", "versionType": "semver"}, {"status": "affected", "version": "11.124.0.0", "lessThan": "11.124.0.38", "versionType": "semver"}, {"status": "affected", "version": "11.118.0.0", "lessThan": "11.118.0.67", "versionType": "semver"}, {"status": "affected", "version": "11.110.0.0", "lessThan": "11.110.0.119", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "WebPros", "product": "WP Squared", "versions": [{"status": "affected", "version": "11.136.1.0", "lessThan": "11.136.1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "WebPros", "product": "cPanel (CloudLinux 6, CentOS 6)", "versions": [{"status": "affected", "version": "11.110.0.0", "lessThan": "11.110.0.118", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026"}], "descriptions": [{"lang": "en", "value": "Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-05-13T22:07:16.151Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32991", "state": "PUBLISHED", "dateUpdated": "2026-05-14T13:11:23.622Z", "dateReserved": "2026-03-17T15:00:07.746Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-05-13T22:07:16.151Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}