
CVE-2026-27899: CWE-269: Improper Privilege Management in h44z wg-portal

Severity: High
Published: Thu Feb 26 2026 (02/26/2026, 00:50:00 UTC)
Source: CVE Database V5
Vendor/Project: h44z
Product: wg-portal

Description

CVE-2026-27899 is a high-severity privilege escalation vulnerability in wg-portal, a web-based management portal for WireGuard VPN servers. Authenticated non-admin users in versions prior to 2.1.3 can escalate their privileges to full administrator by sending a crafted PUT request to their own user profile endpoint with the JSON field "IsAdmin": true. The vulnerability arises because the server improperly handles the IsAdmin attribute during profile updates, allowing unauthorized modification of admin status. This flaw requires no user interaction beyond authentication and can lead to full compromise of the VPN management portal. The issue was fixed in version 2.1.3 and in the latest Docker images built from the master branch. Exploitation could result in complete confidentiality, integrity, and availability loss of the WireGuard management environment.

AI-Powered Analysis

Last updated: 02/26/2026, 01:41:14 UTC

Technical Analysis

The vulnerability identified as CVE-2026-27899 affects wg-portal, a web-based configuration portal used to manage WireGuard VPN servers. Prior to version 2.1.3, the application improperly manages user privileges because of a flaw in how it processes user profile update requests. Specifically, when an authenticated user updates their profile via a PUT request, the server parses the entire JSON payload into the user model, including the 'IsAdmin' boolean attribute. While the server has mechanisms to preserve certain protected fields by pinning them to their database values, it fails to do so for the 'IsAdmin' field. Consequently, a non-admin user can set 'IsAdmin' to true in their profile update request, which the server then writes directly to the database. Upon subsequent login, the user's session reflects the elevated admin privileges. This vulnerability is classified under CWE-269 (Improper Privilege Management) and CWE-863 (Incorrect Authorization). The CVSS v3.1 base score is 8.8, indicating high severity, with a network (remote) attack vector, low attack complexity, privileges required (an authenticated user), no user interaction, and impact on confidentiality, integrity, and availability. The flaw allows an attacker with valid user credentials to fully compromise the wg-portal management interface, potentially controlling WireGuard server configurations and user access. The issue was resolved in version 2.1.3, and the fix is included in the latest Docker images from the master branch. No public exploits have been reported yet, but the vulnerability presents a critical risk to affected installations.
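
The field-pinning gap described above, as an added Go sketch that is not wg-portal's own code: the `User` struct, both function names and the sample request body are hypothetical. The first function decodes the full body and pins only some protected fields; the second decodes into an allowlist struct and rejects any other key.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// User is a simplified, hypothetical model, not wg-portal's actual struct.
type User struct {
	Identifier string
	Email      string
	Locked     bool
	IsAdmin    bool
}

// UpdateUnpinned mirrors the flaw described above: the whole body is decoded
// into the model and only some protected fields are reset to stored values.
func UpdateUnpinned(stored User, body []byte) (User, error) {
	in := stored
	if err := json.Unmarshal(body, &in); err != nil {
		return stored, err
	}
	in.Identifier, in.Locked = stored.Identifier, stored.Locked // IsAdmin not pinned
	return in, nil
}

// UpdateAllowlisted decodes into a struct holding only self-editable fields
// and rejects any other key, so privilege fields never reach the model.
func UpdateAllowlisted(stored User, body []byte) (User, error) {
	var patch struct{ Email *string }
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&patch); err != nil {
		return stored, fmt.Errorf("rejected profile update: %w", err)
	}
	if patch.Email != nil {
		stored.Email = *patch.Email
	}
	return stored, nil
}

func main() {
	stored := User{Identifier: "alice", Email: "alice@example.test"}
	body := []byte(`{"Email":"a@example.test","IsAdmin":true}`) // constructed sample
	weak, _ := UpdateUnpinned(stored, body)
	safe, err := UpdateAllowlisted(stored, body)
	fmt.Println(weak.IsAdmin, safe.IsAdmin, err)
}
```

Pinning fields one by one fails open when a new protected field is added; an allowlist of self-editable fields fails closed.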

Potential Impact

The exploitation of CVE-2026-27899 allows an authenticated non-admin user to escalate privileges to full administrator within the wg-portal management interface. This can lead to complete compromise of the WireGuard VPN management environment, enabling the attacker to modify VPN configurations, add or remove users, and potentially intercept or disrupt VPN traffic. The confidentiality of VPN credentials and network topology information is at risk, as is the integrity of VPN configurations. Availability may also be impacted if the attacker disables or misconfigures the VPN service. Organizations relying on wg-portal for WireGuard management could face severe operational disruptions, unauthorized access to internal networks, and exposure of sensitive communications. Given WireGuard's widespread adoption for secure VPN connectivity, this vulnerability poses a significant threat to enterprises, service providers, and any organization using wg-portal for VPN administration. The requirement for authentication limits exploitation to insiders or compromised user accounts, but the low complexity and lack of user interaction make it a highly exploitable flaw once credentials are obtained.

Mitigation Recommendations

Organizations should immediately upgrade wg-portal installations to version 2.1.3 or later, where the vulnerability is fixed. For environments using Docker images, ensure the 'latest' tag or images built from the master branch are deployed. Until upgrades can be applied, restrict access to wg-portal to trusted users only and implement strong authentication controls, including multi-factor authentication, to reduce the risk of credential compromise. Monitor user account activities for unusual privilege changes or profile update requests. Employ network segmentation and firewall rules to limit access to the management portal. Additionally, conduct regular audits of user privileges in the wg-portal database to detect unauthorized admin assignments. Consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious PUT requests attempting to modify the 'IsAdmin' field. Finally, educate users about the importance of credential security to prevent attackers from gaining authenticated access.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-24T15:19:29.717Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699fa148b7ef31ef0b7796a0

Added to database: 2/26/2026, 1:26:32 AM

Last enriched: 2/26/2026, 1:41:14 AM

Last updated: 2/26/2026, 3:03:31 AM
