CVE-2026-43510: CWE-266 Incorrect Privilege Assignment in CISA manage.get.gov
CVE-2026-43510 is a high-severity vulnerability in the CISA-managed .gov TLD registrar service manage.get.gov. The issue involves incorrect privilege assignment, where an organization administrator can assign domain manager privileges for domains not already assigned to another organization. This vulnerability was fixed in version 1.176.0 around April 30, 2026. The CVSS 4.0 base score is 7.0.
AI Analysis
Technical Summary
The vulnerability CVE-2026-43510 in manage.get.gov relates to CWE-266 (Incorrect Privilege Assignment). It allows an organization administrator to assign domain manager privileges improperly for domains that are not already assigned to another organization. This could lead to unauthorized privilege escalation within the domain management system. The issue was addressed in version 1.176.0 released on or around April 30, 2026. The CVSS 4.0 vector indicates the vulnerability is exploitable remotely without user interaction, requires high privileges, and has a high impact on availability with limited impact on integrity and no impact on confidentiality.
Potential Impact
The vulnerability allows improper assignment of domain manager privileges, which could enable unauthorized users to gain control over domain management functions for certain domains. This could disrupt domain management availability or lead to unauthorized administrative actions. The CVSS score of 7.0 reflects a high severity impact primarily on availability. No known exploits have been reported in the wild as of the publication date.
Mitigation Recommendations
The vulnerability has been fixed in manage.get.gov version 1.176.0 released around April 30, 2026. Organizations using this service should ensure they are running version 1.176.0 or later to mitigate this issue. Since this is not a cloud service, patching the affected software version is required. Patch status is inferred from the fixed version information; however, no explicit vendor advisory is provided, so users should verify with CISA for official remediation guidance.
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisa-cg
- Date Reserved: 2026-05-01T15:27:56.173Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fce65acbff5d861023a2ee
Added to database: 5/7/2026, 7:22:02 PM
Last enriched: 5/7/2026, 7:36:22 PM
Last updated: 5/7/2026, 8:24:28 PM