# REPRO-2026-00111: Formwork CMS Improper Privilege Management in User Creation

## Summary

- Status: published
- Severity: high
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00111
- GHSA: GHSA-34p4-7w83-35g2
- CVE: CVE-2026-27198

## Package

- Name: getformwork/formwork
- Ecosystem: composer
- Affected: >= 2.0.0, <= 2.3.3
- Fixed: 2.3.4

## Root Cause

The application fails to enforce role-based authorization during account creation. An authenticated user with the editor role can create new accounts with administrative privileges, leading to full administrative access and compromise of the CMS.

## Reproduction Details

- Reproduced: 2026-02-20T15:03:49.843Z
- Duration: 763 seconds
- Tool calls: 119
- Turns: 64
- Handoffs: 2

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00111
pruva-verify GHSA-34p4-7w83-35g2
pruva-verify CVE-2026-27198
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00111&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00111/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References

- GitHub Advisory: https://github.com/advisories/GHSA-34p4-7w83-35g2
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27198

## Artifacts

- repro/rca_report.md (analysis, 6725 bytes)
- repro/reproduction_steps.sh (reproduction_script, 7438 bytes)
- bundle/source.json (other, 3959 bytes)
- bundle/ticket.json (other, 6416 bytes)
- bundle/ticket.md (ticket, 1836 bytes)
- logs/privilege_escalation_poc.txt (other, 1234 bytes)
- logs/variant_analysis.log (log, 999 bytes)
- logs/vulnerability_details.md (documentation, 1764 bytes)
- logs/vulnerability_test.log (log, 311 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00111
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00111/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00111

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev