cvedb.io
CVE-2026-56115
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-06-23T17:17:09.287 · Last modified 2026-06-29T12:20:24.487

Summary

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.
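The defect class described above (a middleware that authenticates the caller and checks account status but never makes an authorization decision) is easy to see side by side with its fix. The following Go program is an added illustration, not Bootimus's code or its actual JWTMiddleware: the claim names, the HS256 signing helper, the demo key and the route layout are all assumptions constructed for the example. Only the `is_admin` flag and the `/api/users` path come from the advisory. `authOnly` reproduces the flawed policy, `requireAdmin` the hardened one, and `Probe` is a small regression check that returns the HTTP status each policy gives a request for the admin-only route.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims is an illustrative claim set; field names are assumptions, not Bootimus's.
type Claims struct {
	Sub     string `json:"sub"`
	IsAdmin bool   `json:"is_admin"`
	Active  bool   `json:"active"`
}

// Constructed demo key; a real deployment loads this from configuration.
var signingKey = []byte("constructed-demo-key-do-not-reuse")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken builds an HS256 JWT so the example runs without any token library.
func SignToken(c Claims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// ParseToken verifies the signature (algorithm pinned to HS256, never read from
// the header) and rejects disabled accounts. This is authentication only.
func ParseToken(tok string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if !c.Active {
		return c, errors.New("account disabled")
	}
	return c, nil
}

func bearer(r *http.Request) string {
	return strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
}

// authOnly mirrors the flaw class: a valid, active token is enough to reach
// whatever handler sits behind it; is_admin is never consulted.
func authOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := ParseToken(bearer(r)); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireAdmin is the hardened form: same authentication, then an explicit
// authorization decision on the is_admin claim before admin handlers run.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := ParseToken(bearer(r))
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !c.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe mounts an admin-only handler under /api/users/ behind the given
// middleware, sends one request with the token, and returns the status code.
func Probe(mw func(http.Handler) http.Handler, tok string) int {
	adminHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	mux := http.NewServeMux()
	mux.Handle("/api/users/", mw(adminHandler))
	req := httptest.NewRequest(http.MethodPost, "/api/users/", nil)
	if tok != "" {
		req.Header.Set("Authorization", "Bearer "+tok)
	}
	rr := httptest.NewRecorder()
	mux.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	user := SignToken(Claims{Sub: "alice", IsAdmin: false, Active: true})
	admin := SignToken(Claims{Sub: "root", IsAdmin: true, Active: true})
	fmt.Println("flawed policy, low-privileged user:  ", Probe(authOnly, user))     // 200
	fmt.Println("hardened policy, low-privileged user:", Probe(requireAdmin, user)) // 403
	fmt.Println("hardened policy, admin:              ", Probe(requireAdmin, admin)) // 200
}
```

The useful habit here is the `Probe`-style check: a test that exercises an admin route with a deliberately low-privileged token and fails unless it gets 403 catches this class of regression regardless of which middleware the project actually uses.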

Affected products

bootimus — bootimus


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.