privilege escalation possible #1719

New Issue

Closed

opened 2026-02-05 01:42:20 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 01:42:20 +03:00

Owner

Copy Link

Originally created by @Defelo on GitHub (May 7, 2020).

Describe the bug
A non-admin user with the Manage users permission can obtain admin privileges by giving himself the admin role.

Steps To Reproduce
Steps to reproduce the behavior:

1. Add a custom role with the Manage users permission
2. Add a new user with this new role but without the admin role
3. Login as the new user
4. Go to your own Users settings
5. Give yourself the admin role
6. You should now have admin privileges

Expected behavior
It should not be possible to obtain more privileges than you already have.

Your Configuration (please complete the following information):

• Exact BookStack Version (Found in settings): v0.29.1
• Hosting Method: Docker

Originally created by @Defelo on GitHub (May 7, 2020). **Describe the bug** A non-admin user with the `Manage users` permission can obtain admin privileges by giving himself the admin role. **Steps To Reproduce** Steps to reproduce the behavior: 1. Add a custom role with the `Manage users` permission 2. Add a new user with this new role but without the admin role 3. Login as the new user 4. Go to your own `Users` settings 5. Give yourself the admin role 6. You should now have admin privileges **Expected behavior** It should not be possible to obtain more privileges than you already have. **Your Configuration (please complete the following information):** - Exact BookStack Version (Found in settings): v0.29.1 - Hosting Method: Docker

OVERLORD added the 🛠️ Enhancement📖 Docs Update🔒 Security labels 2026-02-05 01:42:20 +03:00

OVERLORD closed this issue 2026-02-05 01:42:20 +03:00

OVERLORD commented 2026-02-05 01:42:24 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (May 15, 2020):

Thanks for reporting @Defelo.

To be honest, this is known and intended behaviour. A Manage users person could also update the password for a more privileged person to gain power. The Manage roles permission will have some similar cases. And Manage app settings since they could alter the default registration role.

I think it'll get more complicated than it's worth to diff permissions between users upon actions, such a role change, to prevent escalation of privileges.

We should address the fact that people may underestimate the power of the first three system permissions (Manage Users, Manage app settings and Manage roles & role permissions), I think some added warning text surrounding those permission options would go a long way.

@ssddanbrown commented on GitHub (May 15, 2020): Thanks for reporting @Defelo. To be honest, this is known and intended behaviour. A `Manage users` person could also update the password for a more privileged person to gain power. The `Manage roles` permission will have some similar cases. And `Manage app settings` since they could alter the default registration role. I think it'll get more complicated than it's worth to diff permissions between users upon actions, such a role change, to prevent escalation of privileges. We should address the fact that people may underestimate the power of the first three system permissions (`Manage Users`, `Manage app settings` and `Manage roles & role permissions`), I think some added warning text surrounding those permission options would go a long way.

OVERLORD commented 2026-02-05 01:42:32 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2020):

I've now added a warning to such permissions that could allow escalation. This will be part of v0.30:

I've marked this as a "Docs Update" as a reminder to put a note in the update details that admins should review their roles if they did not previously expect such escalation to be possible.

Thanks again for reporting @Defelo

@ssddanbrown commented on GitHub (Aug 4, 2020): I've now added a warning to such permissions that could allow escalation. This will be part of v0.30:  I've marked this as a "Docs Update" as a reminder to put a note in the update details that admins should review their roles if they did not previously expect such escalation to be possible. Thanks again for reporting @Defelo

OVERLORD referenced this issue 2026-02-05 10:19:05 +03:00

[PR #1719] [MERGED] Add feature to send test e-mails #5868

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 📖 Docs Update 🛠️ Enhancement 🔒 Security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1719