
CVE-2026-27899: The 'Are You God?' Checkbox in WireGuard Portal

Vulnerability ID: CVE-2026-27899
CVSS Score: 8.8
Published: 2026-02-26

A critical Privilege Escalation vulnerability in h44z/wg-portal allows any authenticated user to promote themselves to Administrator by simply adding a JSON field to a profile update request. This classic Mass Assignment vulnerability exposes the entire VPN management interface to compromise.

TL;DR

WireGuard Portal trusted user input too much. By sending "IsAdmin": true in a profile update, any standard user becomes a root-level administrator. Fixed in v2.1.3 by explicitly filtering sensitive fields.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-269 (Improper Privilege Management)
Attack Vector: Network (API)
CVSS v3.1: 8.8 (High)
Exploit Status: Proof-of-Concept (Trivial)
Patch Date: 2026-02-23
Impact: Full Administrative Access

Affected Systems

WireGuard Portal (wg-portal) < v2.1.3
wg-portal: < 2.1.3 (Fixed in: 2.1.3)

Code Analysis Comm
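
The mass-assignment pattern described in the TL;DR, shown next to an allowlist-style update that filters the privileged field. This is an added example, not wg-portal's code or its actual patch; the User type, the Email and Identifier fields, and both function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User is a hypothetical account model (an assumption, not wg-portal's type).
type User struct {
	Identifier, Email string
	IsAdmin           bool
}

// updateVulnerable binds the request body directly onto the stored record, so
// every exported field, IsAdmin included, is controlled by the caller.
func updateVulnerable(stored User, body []byte) (User, error) {
	err := json.Unmarshal(body, &stored)
	return stored, err
}

// updateHardened copies allowlisted fields only. IsAdmin is honoured only when
// the actor (taken from the session, never from the body) is already an admin.
// The bool result reports a filtered privilege change, for audit logging.
func updateHardened(actor, stored User, body []byte) (User, bool, error) {
	var in struct {
		Email   *string
		IsAdmin *bool
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return stored, false, err
	}
	if in.Email != nil {
		stored.Email = *in.Email
	}
	if in.IsAdmin != nil && actor.IsAdmin {
		stored.IsAdmin = *in.IsAdmin
	}
	return stored, in.IsAdmin != nil && !actor.IsAdmin, nil
}

func main() {
	// Constructed sample account and request body.
	alice := User{Identifier: "alice", Email: "a@example.test"}
	body := []byte(`{"Email":"new@example.test","IsAdmin":true}`)
	v, _ := updateVulnerable(alice, body)
	h, filtered, _ := updateHardened(alice, alice, body)
	fmt.Println(v.IsAdmin, h.IsAdmin, filtered, h.Email)
}
```

The filtered flag gives the handler a signal to log: a non-admin profile update that carries a privileged field is worth alerting on even after the fix is deployed.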

