What is CVE-2026-29002?

CVE-2026-29002 is a high-severity vulnerability in Couchcms, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 7.2/10. Published 2026-04-10.

How severe is CVE-2026-29002?

High severity. CVSS v3 base score is 7.2 out of 10.

Auth bypass in Couchcms

CVE-2026-29002

CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (19.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Couchcms — versions 0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1 (technical-description, exploit)
www.couchcms.com/ (product)
www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-… (third-party-advisory)

Frequently asked questions

What is CVE-2026-29002?: CVE-2026-29002 is a high-severity vulnerability in Couchcms, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 7.2/10. Published 2026-04-10.
How severe is CVE-2026-29002?: High severity. CVSS v3 base score is 7.2 out of 10.