The vulnerability identified as CVE-2026-29789 affects vitodeploy's vito, a self-hosted web application designed to manage servers and deploy PHP applications. Prior to version 3.20.3, vito lacks proper authorization checks in its workflow site-creation actions. Specifically, an authenticated attacker who has workflow write permissions within one project can exploit this flaw by supplying a foreign server_id parameter to create or manage sites on servers that belong to other projects. This missing authorization check (CWE-862) effectively allows privilege escalation across project boundaries, undermining the application's multi-tenant security model. Because the attacker can manipulate servers outside their authorized scope, they can compromise server confidentiality, integrity, and availability. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and only requires privileges of a user with workflow write access (PR:L) but no additional user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially authorized privileges. The CVSS v3.1 base score is 10.0, indicating critical severity. Although no known exploits are reported in the wild yet, the potential impact is severe. The vendor has addressed this issue in version 3.20.3 by implementing proper authorization checks to validate server ownership during site-creation workflows.

This vulnerability poses a critical risk to organizations using vitodeploy vito versions prior to 3.20.3. Exploitation allows an attacker with workflow write access in one project to manage or create sites on servers belonging to other projects, effectively breaching project isolation. This can lead to unauthorized access to sensitive data, deployment of malicious code, disruption of services, and potential lateral movement within the infrastructure. The compromise of server confidentiality, integrity, and availability can result in data breaches, service outages, and damage to organizational reputation. Since vito is used to deploy PHP applications into production servers, attackers could inject backdoors or manipulate application deployments, amplifying the threat. The ease of exploitation combined with the critical impact makes this a high-priority issue for any organization relying on vito for server and application management.

Organizations should immediately upgrade vitodeploy vito to version 3.20.3 or later, where the authorization checks have been properly implemented. Until the upgrade is applied, restrict workflow write access strictly to trusted users and audit existing permissions to minimize exposure. Implement network segmentation and access controls to limit the ability of compromised accounts to affect multiple projects. Conduct thorough reviews of server_id parameters and workflow actions in custom integrations or automation scripts to detect unauthorized cross-project references. Monitor logs for unusual site-creation activities involving foreign server IDs. Additionally, enforce the principle of least privilege for all users and consider multi-factor authentication to reduce the risk of credential compromise. Regularly review and update security policies around deployment workflows to ensure robust authorization enforcement.