CVE-2025-58386

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

02/12/2025

Last modified:

02/12/2025

Description

In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account&#39;s password, effectively taking full control of it.

Impact

References to Advisories, Solutions, and Tools

https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/
https://terminalfour.com