{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29789", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.899Z", "datePublished": "2026-03-06T20:35:03.552Z", "dateUpdated": "2026-03-09T20:54:30.631Z"}, "containers": {"cna": {"title": "Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76"}, {"name": "https://github.com/vitodeploy/vito/pull/1036", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitodeploy/vito/pull/1036"}, {"name": "https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326"}, {"name": "https://github.com/vitodeploy/vito/releases/tag/3.20.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitodeploy/vito/releases/tag/3.20.3"}], "affected": [{"vendor": "vitodeploy", "product": "vito", "versions": [{"version": "< 3.20.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:35:03.552Z"}, "descriptions": [{"lang": "en", "value": "Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3."}], "source": {"advisory": "GHSA-3m6w-8qh4-qr76", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29789", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:56.436371Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:54:30.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29789", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:50:56.436371Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:51:46.436Z"}}], "cna": {"title": "Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification", "source": {"advisory": "GHSA-3m6w-8qh4-qr76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vitodeploy", "product": "vito", "versions": [{"status": "affected", "version": "< 3.20.3"}]}], "references": [{"url": "https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76", "name": "https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vitodeploy/vito/pull/1036", "name": "https://github.com/vitodeploy/vito/pull/1036", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326", "name": "https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vitodeploy/vito/releases/tag/3.20.3", "name": "https://github.com/vitodeploy/vito/releases/tag/3.20.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T20:35:03.552Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29789", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:54:30.631Z", "dateReserved": "2026-03-04T16:26:02.899Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T20:35:03.552Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vitodeploy:vito:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BD3E3C5-B254-47BE-821C-86BFD04A0285", "versionEndExcluding": "3.20.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3."}, {"lang": "es", "value": "Vito es una aplicaci\u00f3n web autoalojada que ayuda a gestionar servidores y a desplegar aplicaciones PHP en servidores de producci\u00f3n. Antes de la versi\u00f3n 3.20.3, una comprobaci\u00f3n de autorizaci\u00f3n faltante en las acciones de creaci\u00f3n de sitios del flujo de trabajo permite a un atacante autenticado con acceso de escritura al flujo de trabajo en un proyecto crear/gestionar sitios en servidores pertenecientes a otros proyectos al proporcionar un server_id externo. Este problema ha sido parcheado en la versi\u00f3n 3.20.3."}], "id": "CVE-2026-29789", "lastModified": "2026-03-13T18:42:39.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T21:16:15.460", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vitodeploy/vito/pull/1036"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/vitodeploy/vito/releases/tag/3.20.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.20.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "vito", "source": "cna", "vendor": "vitodeploy"}, "product": "vito", "vendor": "vitodeploy"}], "analysis": {"en": {"generated_at": "2026-04-18T09:49:14.699992+00:00", "value": {"mitigation_remediation": ["Update Vito to version 3.20.3 or later, which patches the missing authorization check.", "Restrict workflow write permissions to only trusted users or limit them to projects where site\u2011creation is required.", "Review and monitor system logs for unexpected site\u2011creation or management events on servers that should not be affected."], "summary": {"action": "Patch Now", "impact": "Unauthorized Server Modification via Cross-Project Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects installations of vitodeploy\u2019s Vito, specifically any version prior to 3.20.3. Users running Vito in environments where multiple projects share the same instance and where workflow write permissions are granted to staff must verify that their version is less than 3.20.3.", "description_and_impact": "Vito is a self\u2011hosted web application that manages servers and deploys PHP applications. The vulnerability is a missing authorization check in the workflow site\u2011creation actions. An authenticated attacker who has workflow write access in one project can supply a foreign server_id to create or modify sites on servers that belong to other projects, thereby gaining unauthorized control over those servers. This flaw is a clear breach of access control and could be exploited to deploy malicious code, alter production environments, or disrupt services the affected user cannot otherwise reach. The weakness is identified as CWE\u2011862 (Unauthorized Access).", "risk_and_exploitability": "The flaw carries a CVSS score of 10, indicating critical severity. The EPSS score is less than 1 percent, suggesting that exploitation is currently rare but possible. The vulnerability is not listed in the CISA KEV catalog. The likely attack path requires the attacker to be authenticated and hold workflow write permission in at least one project; based on the description, it is inferred that the vulnerability is relevant in multi\u2011project deployments. Once those prerequisites are met, the attacker can craft a request with a foreign server_id, leading to cross\u2011project privilege escalation and unauthorized server modification."}}}}, "created": "2026-03-09T10:07:00.020209+00:00", "updated": "2026-04-18T10:00:10.314827+00:00", "vendors": ["vitodeploy", "vitodeploy$PRODUCT$vito"]}