SpirityCVE

Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pelicanplatform	Pelican

No data.

References

Link	Providers
https://www.spirityenterprise.com/virtual-ciso
https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854
https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw

History

Sun, 10 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pelicanplatform Pelicanplatform pelican
Vendors & Products		Pelicanplatform Pelicanplatform pelican

Sat, 09 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
Title		Privilege Escalation Attack affecting Pelican Web UI
Weaknesses		CWE-863
References		https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854 https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw
Metrics		cvssV4_0 `{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-09T19:19:36.522Z

Updated: 2026-05-09T19:19:36.522Z

Reserved: 2026-04-28T17:26:12.084Z

Link: CVE-2026-42571

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T20:16:29.277

Modified: 2026-05-09T20:16:29.277

Link: CVE-2026-42571

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object