{"repro_id":"REPRO-2026-00111","version":6,"title":"Formwork CMS Improper Privilege Management in User Creation","repro_type":"security","status":"published","severity":"high","description":"Application fails to enforce role-based authorization during account creation. An authenticated user with editor role can create new accounts with administrative privileges, leading to full administrative access and CMS compromise.","root_cause":"Application fails to enforce role-based authorization during account creation. An authenticated user with editor role can create new accounts with administrative privileges, leading to full administrative access and CMS compromise.","ghsa_id":"GHSA-34p4-7w83-35g2","cve_id":"CVE-2026-27198","package":{"name":"getformwork/formwork","ecosystem":"composer","affected_versions":">= 2.0.0, <= 2.3.3","fixed_version":"2.3.4"},"reproduced_at":"2026-02-20T15:03:49.843657+00:00","duration_secs":762.911623954773,"tool_calls":119,"turns":64,"handoffs":2,"total_cost_usd":0.44255020000000006,"agent_costs":{"repro":0.20886139999999995,"support":0.0111372,"vuln_variant":0.2225516},"cost_breakdown":{"repro":{"accounts/fireworks/models/kimi-k2p5":0.20886139999999995},"support":{"accounts/fireworks/models/kimi-k2p5":0.0111372},"vuln_variant":{"accounts/fireworks/models/kimi-k2p5":0.2225516}},"quality":{"idempotent_verified":false,"community_verifications":0},"published_at":"2026-02-20T15:03:51.620742+00:00","retracted":false,"artifacts":[{"path":"repro/rca_report.md","filename":"rca_report.md","size":6725,"category":"analysis"},{"path":"repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":7438,"category":"reproduction_script"},{"path":"bundle/source.json","filename":"source.json","size":3959,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":6416,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":1836,"category":"ticket"},{"path":"logs/privilege_escalation_poc.txt","filename":"privilege_escalation_poc.txt","size":1234,"category":"other"},{"path":"logs/variant_analysis.log","filename":"variant_analysis.log","size":999,"category":"log"},{"path":"logs/vulnerability_details.md","filename":"vulnerability_details.md","size":1764,"category":"documentation"},{"path":"logs/vulnerability_test.log","filename":"vulnerability_test.log","size":311,"category":"log"}]}