{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6356", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-15T13:51:11.794Z", "datePublished": "2026-04-22T13:18:18.360Z", "dateUpdated": "2026-04-22T14:42:10.888Z"}, "containers": {"cna": {"title": "CVE-2026-6356", "descriptions": [{"lang": "en", "value": "A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Augmentt", "product": "Augmentt", "versions": [{"status": "affected", "version": "1.0"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1220: Insufficient Granularity of Access Control"}]}], "references": [{"url": "https://github.com/Penguinsecq/CVE-2026-6356/"}], "x_generator": {"engine": "VINCE 3.0.36", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6356"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-22T13:18:18.360Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1220", "lang": "en", "description": "CWE-1220 Insufficient Granularity of Access Control"}]}], "references": [{"url": "https://github.com/Penguinsecq/CVE-2026-6356/", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:40:46.719179Z", "id": "CVE-2026-6356", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:42:10.888Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6356", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:40:46.719179Z"}}}], "references": [{"url": "https://github.com/Penguinsecq/CVE-2026-6356/", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1220", "description": "CWE-1220 Insufficient Granularity of Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:39:05.435Z"}}], "cna": {"title": "CVE-2026-6356", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Augmentt", "product": "Augmentt", "versions": [{"status": "affected", "version": "1.0"}]}], "references": [{"url": "https://github.com/Penguinsecq/CVE-2026-6356/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.36", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6356"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1220: Insufficient Granularity of Access Control"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-22T13:18:18.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6356", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:42:10.888Z", "dateReserved": "2026-04-15T13:51:11.794Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-22T13:18:18.360Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web application allows standard users to escalate their privileges to those of a super administrator through parameter manipulation, enabling them to access and modify sensitive information."}], "id": "CVE-2026-6356", "lastModified": "2026-04-22T15:16:17.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T14:17:06.720", "references": [{"source": "cret@cert.org", "url": "https://github.com/Penguinsecq/CVE-2026-6356/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Penguinsecq/CVE-2026-6356/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1220"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:00:58.091631+00:00", "value": {"mitigation_remediation": ["Apply the vendor-supplied patch or upgrade to the latest version of the Augmentt web application.", "Enforce strict role-based access controls on all privileged endpoints and validate user roles on the server side before processing requests.", "Monitor application logs for unexpected access to administrative functions and investigate any anomalies promptly."], "summary": {"action": "Apply patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Augmentt\u2019s web application platform. No specific version numbers are listed in the advisory; therefore, any installation of the Augmentt web application that has not applied a patch from the vendor could be susceptible.", "description_and_impact": "The vulnerability resides in the Augmentt web application where the server fails to properly validate user roles before allowing manipulation of request parameters. By altering specific parameters in the URL or form data, a regular authenticated user can trick the system into treating them as a super administrator. This grants them full read/write access to all protected resources and configuration settings, effectively escalating privileges with no additional authentication steps.", "risk_and_exploitability": "The CVSS score is not disclosed, and the EPSS score is unavailable, but the nature of the bug\u2014unauthorized privilege escalation\u2014indicates a high severity risk. There are no publicly known exploit scripts, and the vulnerability appears to be exploitable with simple parameter changes that do not require elevated permissions. Since the issue is not listed in the CISA KEV catalog, it is likely not actively exploited in the wild yet, yet the potential impact warrants immediate attention."}}}}, "created": "2026-04-22T15:15:16.413801+00:00", "title": "Privilege Escalation via URL Parameter Manipulation in Augmentt Web Application", "updated": "2026-04-22T15:15:16.413812+00:00", "vendors": [], "weaknesses": ["CWE-284", "CWE-639"]}