CVE-2026-26725: Print Shop Pro WebDesk Privilege Escalation

Information

Summary: Privilege escalation in Print Shop Pro WebDesk enables full application control.
Vendor: edu Business Solutions
Product: Print Shop Pro WebDesk
Affected Asset: https:///PSP/app/web/reg/reg_process.asp?action=insert_registration&LoginID=
Version Vulnerable: 18.34
Version Fixed: N/A
Researcher: Chandler Johnson
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2026-26725

Description

It is possible to self-register a user account and promote it to Super Admin during a profile update in edu Business Solutions Print Shop Pro WebDesk version 18.34. There is no server-side validation of the parameter used to alter the role of user accounts. Modifying this value can result in full application takeover.

CVSS Vulnerability Scoring Calculator (3.1)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score: 9.8 (Critical)

Impact

Full application takeover.

Steps to Reproduce

1. Navigate to and observe that there is a hidden form field in the page source with a default value ( ).
2. Using the form, self-register an account to get authenticated access to the application.
3. Once authenticated into PSP, navigate to the same endpoint to update profile details.
4. Perform any arbitrary update and set .
5. Observe that the modification results in a new Admin button on the top navigation menu.
6. Navigate to to review admin functionality.

Additional Information

Attackers exploit privilege escalation vulnerabilities in web applications by abusing flaws in authorization and access control mechanisms. This often involves manipulating user IDs, user role values, or access tokens. By leveraging these weaknesses, attackers can elevate their privileges, gain unauthorized access to restricted functionality, and potentially take full control of the application or other user accounts.
Recommendations

- Enforce server-side authorization checks for all state-changing requests, ensuring users can only modify resources tied to their own identity and permitted role.
- Do not trust client-supplied parameters such as AccessID, role IDs, or privilege flags; derive authorization context exclusively from the authenticated session.
- Implement strict allowlists for updatable profile fields and ignore or reject any unauthorized or unexpected parameters.
- Log and monitor failed and suspicious authorization attempts, such as repeated changes to access-level parameters.

Resources

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
https://cwe.mitre.org/data/definitions/639.html
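The recommendations above, as an added Python example that is not the vendor's code: the mass-assignment pattern the advisory describes beside an allowlisted profile-update handler that takes the role only from the server-side session and logs attempts to set privilege fields. The field names, including AccessID taken from the recommendations, are assumptions, since the advisory does not show the actual vulnerable parameter name.

```python
"""Added example (not the vendor's code): a profile-update handler showing the
unsafe pattern the advisory describes beside an allowlisted version that takes
the role only from the server-side session and logs attempts to set privilege fields."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("psp.authz")

# Constructed allowlist of fields a user may change on their own profile.
PROFILE_ALLOWLIST = frozenset({"FirstName", "LastName", "Email", "Phone"})
# Privilege-bearing fields that must never be accepted from the request.
# "AccessID" is the name used in the recommendations; the real vulnerable
# parameter name is not shown in the advisory, so these names are assumptions.
PRIVILEGE_FIELDS = frozenset({"AccessID", "RoleID", "IsAdmin"})

@dataclass
class Session:
    user_id: int
    access_id: int  # role held server-side; never read from the form

@dataclass
class UpdateResult:
    applied: dict
    rejected: list = field(default_factory=list)
    suspicious: bool = False  # a privilege field was present in the request

def update_profile_vulnerable(db: dict, user_id: int, form: dict) -> None:
    """Mass-assignment pattern: every posted field, including the
    access-level value, is written straight to the user record."""
    db[user_id].update(form)

def update_profile_hardened(db: dict, session: Session, form: dict) -> UpdateResult:
    """Apply only allowlisted fields to the caller's own record; anything else
    is dropped, and attempts to set privilege fields are logged for monitoring."""
    rejected = sorted(k for k in form if k not in PROFILE_ALLOWLIST)
    privileged = [k for k in rejected if k in PRIVILEGE_FIELDS]
    if privileged:
        log.warning("user %s submitted privilege field(s) %s in profile update",
                    session.user_id, privileged)
    applied = {k: v for k, v in form.items() if k in PROFILE_ALLOWLIST}
    db[session.user_id].update(applied)  # target comes from the session, not the form
    return UpdateResult(applied, rejected, bool(privileged))

if __name__ == "__main__":
    users = {7: {"FirstName": "Pat", "AccessID": 1}}  # constructed user store
    result = update_profile_hardened(users, Session(7, 1), {"FirstName": "Sam", "AccessID": 9})
    print(users[7], result)  # AccessID stays 1; rejected == ['AccessID']
```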