# Vulnerability Summary: Pachno Remote Vertical Privilege Escalation Vulnerability

## Vulnerability Overview

The `runSwitchUser()` function in Pachno 1.0.6 contains a remote vertical privilege escalation vulnerability. When checking user permissions, this function only verifies two conditions: `canSaveConfiguration()` and `hasCookie('original_username')`. Because the second condition is satisfied by a cookie the client controls, an attacker can bypass the permission check by setting the `original_username` cookie, switch to any user ID while logged in as a low-privileged user, and gain administrator privileges.

## Impact Scope

- **Affected Version**: Pachno 1.0.6
- **Release Date**: April 12, 2020
- **Test Environment**: GNU/Linux, Apache2, PHP/7.4, MySQL/5.7 (MariaDB)
- **CVSS Score**: HIGH
- **CVE Number**: CVE-2026-40043

## Remediation Measures

1. Modify the permission check logic in the `runSwitchUser()` function so that the switch is only granted on the basis of the server-side permission check
2. Ensure stricter validation of the `original_username` cookie; its presence alone must not be treated as proof that an administrator started the session
3. Add additional authentication mechanisms

## POC Code

The vulnerable handler as shipped in Pachno 1.0.6 (namespace and `use` aliases are added here so the short class names in the excerpt resolve):

```php
<?php
// /core/modules/auth/controllers/Authentication.php (excerpt)
namespace pachno\core\modules\auth\controllers;

use pachno\core\entities as Entity;
use pachno\core\framework as Framework;
use pachno\core\framework\Request;
use pachno\core\framework\Action as Controller; // alias assumed for the excerpt's base class

#[Route(name: "switch_to_user", url: "/userswitch/switch/user_id/{user_id}/csrf_token")]
#[IsGranted("ROLE_ADMIN")]
class Authentication extends Controller
{
    /**
     * Switch user action
     */
    #[Route("/userswitch/switch/user_id/{user_id}/csrf_token")]
    public function runSwitchUser(Request $request)
    {
        // The only gate: the request is refused solely when the caller lacks
        // canSaveConfiguration() AND has no 'original_username' cookie. The cookie
        // is client-controlled, so a low-privileged user who sets it passes the check.
        if (!$this->getUser()->canSaveConfiguration() && !$request->hasCookie('original_username')) {
            return $this->forward403();
        }

        $response = $this->getResponse();
        $authentication_backend = $this->getParameter('authentication_backend');

        if ($request->get('user_id')) {
            // Switch TO the requested user: remember the current identity in
            // cookies, then overwrite the login cookies with the target user's.
            $user = new Entity\User($request->get('user_id'));

            if ($authentication_backend->getAuthenticationMethod() == Framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
                $response->setCookie('original_username', $request->getCookie('username'));
                $response->setCookie('original_session_token', $request->getCookie('session_token'));
                Framework\Context::getResponse()->setCookie('username', $user->getUsername());
                Framework\Context::getResponse()->setCookie('session_token', $user->generateToken());
            } else {
                $response->setCookie('original_username', $request->getCookie('username'));
                $response->setCookie('original_password', $request->getCookie('password'));
                Framework\Context::getResponse()->setCookie('username', $user->getUsername());
                Framework\Context::getResponse()->setCookie('password', $user->getPassword());
            }
        } else {
            // Switch BACK: restore the identity from the 'original_*' cookies.
            if ($authentication_backend->getAuthenticationMethod() == Framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
                $response->setCookie('username', $request->getCookie('original_username'));
                $response->setCookie('session_token', $request->getCookie('original_session_token'));
                Framework\Context::getResponse()->deleteCookie('original_session_token');
                Framework\Context::getResponse()->deleteCookie('original_username');
            } else {
                $response->setCookie('username', $request->getCookie('original_username'));
                $response->setCookie('password', $request->getCookie('original_password'));
                Framework\Context::getResponse()->deleteCookie('original_password');
                Framework\Context::getResponse()->deleteCookie('original_username');
            }
        }

        $this->forward($this->getRequest()->get('home'));
    }
}
```

## Disclosure Timeline

- April 9, 2024: Vulnerability discovered
- April 9, 2024: Vendor contacted
- April 11, 2024: No response from vendor
- April 12, 2024: Public security advisory released

## References

- [CVE-2026-40043](https://nvd.nist.gov/vuln/detail/CVE-2026-40043)
- [Pachno GitHub](https://github.com/pachno/pachno)
- [Vulnerability Details](https://www.zerosec.org/advisories/pachno-authentication-bypass-via-original-username)
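The remediation measures above, worked through as an added example that is not Pachno's own code: the cookie-based gate the advisory describes is placed beside a variant that keeps the original identity in the server-side session and checks the route's CSRF token. The helper names, the `$session` and `$cookies` array layouts and the scenario values are constructed for this example.

```php
<?php
// Added example, not Pachno code. Contrasts the check described in the
// advisory with a server-side one. All helpers and array layouts are constructed.
declare(strict_types=1);

// Shape of the check in the advisory: a client-controlled cookie is enough to
// pass, so a non-admin who sets 'original_username' reaches the switch logic.
function vulnerableMaySwitch(bool $isAdmin, array $cookies): bool
{
    return $isAdmin || isset($cookies['original_username']);
}

// Hardened start of a switch: only an admin may begin one, the CSRF token from
// the route must match the session's token, and the original identity is
// recorded in the session rather than in a cookie the client can rewrite.
function beginSwitch(array &$session, bool $isAdmin, int $adminId, int $targetId, string $csrf): bool
{
    if (!$isAdmin || isset($session['impersonation'])) {
        return false; // non-admin caller, or a switch is already active (no nesting)
    }
    if (!hash_equals($session['csrf_token'] ?? '', $csrf)) {
        return false; // constant-time comparison of the CSRF token
    }
    $session['impersonation'] = ['original_user_id' => $adminId, 'target_user_id' => $targetId];
    return true;
}

// Hardened switch-back: the server-side record decides and cookies are never
// consulted, so a forged 'original_username' cookie changes nothing.
// Returns the user id to restore, or null when no switch is active.
function endSwitch(array &$session): ?int
{
    $rec = $session['impersonation'] ?? null;
    if (!is_array($rec) || !isset($rec['original_user_id'])) {
        return null;
    }
    unset($session['impersonation']);
    return (int) $rec['original_user_id'];
}

// Constructed scenario: a non-admin (user id 7) presents a forged cookie and a
// valid CSRF token; then a real admin (user id 1) switches to user 7 and back.
$forgedCookies = ['username' => 'lowpriv', 'original_username' => 'admin'];
$session = ['csrf_token' => bin2hex(random_bytes(16))];

var_dump(vulnerableMaySwitch(false, $forgedCookies));                 // cookie-only gate
var_dump(beginSwitch($session, false, 7, 1, $session['csrf_token'])); // non-admin, denied
var_dump(endSwitch($session));                                        // no record, nothing restored
var_dump(beginSwitch($session, true, 1, 7, $session['csrf_token']));  // admin may switch
var_dump(endSwitch($session));                                        // restores the admin id
```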