cvedb.io
CVE-2025-7044
HIGH · CVSS 7.7
EPSS exploitation probability: 0%
Published 2025-12-03T16:16:00.450 · Last modified 2026-06-17T10:04:09.137

Summary

An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment.

Affected products

canonical — maas


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.