On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI) in various versions between v7.21 and v7.24. On further investigation, the Pelican team found that the attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. These may include servers with the following configuration variables enabled:
- Issuer.GroupSource is set to internal and an admin of the group has not previously logged in to the server.

The OSDF operations team has mitigated these for core services, origins, and caches operated by the PATh project. However, mitigation may be needed for caches and origins that are not centrally operated.
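For operators of non-centrally-managed caches and origins, the first question is whether a server matches the two conditions above. The following is an added example, not Pelican project code: it takes the server's reported version string and its parsed configuration (assumed to be a nested dict, e.g. from pelican.yaml) and flags the combination the advisory describes. It treats the whole range v7.21 through v7.24 as potentially affected (an assumption; check the exact patched builds against the advisory), and the "admin has not yet logged in" condition cannot be read from configuration, so the verdict tells the operator to verify it separately.

```python
"""Flag a Pelican server whose version and Issuer.GroupSource setting match
the conditions in this advisory. Added example, not Pelican's own code."""
import re
from typing import Optional

AFFECTED_MIN = (7, 21)   # lower bound of the range named in the advisory
AFFECTED_MAX = (7, 24)   # upper bound, treated as inclusive (assumption)


def parse_version(text: str) -> Optional[tuple]:
    """Turn 'v7.23.1', '7.24.0-rc.2' or '7.21' into a (major, minor) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def group_source(config: dict) -> Optional[str]:
    """Read Issuer.GroupSource from a parsed config, tolerating a missing key."""
    issuer = config.get("Issuer") or {}
    value = issuer.get("GroupSource")
    return str(value).strip().lower() if value is not None else None


def assess(version: str, config: dict) -> dict:
    """Return {'affected': True/False/None, 'reason': str} for an operator."""
    ver = parse_version(version)
    if ver is None:
        return {"affected": None, "reason": f"unparseable version {version!r}"}
    if not (AFFECTED_MIN <= ver <= AFFECTED_MAX):
        return {"affected": False, "reason": f"{version} is outside v7.21..v7.24"}
    src = group_source(config)
    if src != "internal":
        return {"affected": False,
                "reason": f"Issuer.GroupSource={src!r}; advisory concerns 'internal'"}
    return {"affected": True,
            "reason": "version in affected range and Issuer.GroupSource is internal; "
                      "confirm the patched build and that a group admin has logged in"}


# Constructed sample configs; EXAMPLE_OTHER_SOURCE is a placeholder, not a real value.
SAMPLE_RISKY = {"Issuer": {"GroupSource": "internal"}}
SAMPLE_OTHER = {"Issuer": {"GroupSource": "EXAMPLE_OTHER_SOURCE"}}

if __name__ == "__main__":
    for ver, cfg in [("v7.22.3", SAMPLE_RISKY), ("v7.25.0", SAMPLE_RISKY),
                     ("7.23.0-rc.1", SAMPLE_OTHER)]:
        print(ver, assess(ver, cfg))
```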
Pelican Command Line has not, to date, identified any evidence that this attack has been exploited in the services managed by OSDF operators.
When exploited, an attacker with any kind of authenticated session on the server can create database records that cause the server to grant them admin privileges on a subsequent login. Critically, admin access allows modifying the server's configuration, creating persistent API tokens, and changing admin passwords. The table below summarizes the potential implications of this exploit.
| Service | Data exposure risk | Data tampering risk | Federation-wide impact |
|---------|--------------------|---------------------|------------------------|
| Director | Low (no data stored) | High — can modify configuration to point to a different Registry | High — can modify configuration to add GeoIP overrides to steer federation. Denial of service on the federation |
| Registry | Low | High — can modify existing or create malicious namespaces... | |
Referenced Go pseudo-version: 0.0.0-20260408120501-7f73b9c3e677

CVSS v4.0 base score: 9.0 (Critical)

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

- Exploitability: AV:N, AC:L, AT:P, PR:L, UI:N
- Vulnerable System: VC:H, VI:H, VA:H
- Subsequent System: SC:H, SI:H, SA:H