Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-42571 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI) for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. These may include servers with the following configuration variables enabled:
Issuer.GroupSource is set to internal and an admin of the group has not previously logged in to the server.The OSDF operations team has mitigated these for core services, origins, and caches operated by the PATh project. However, mitigation may be needed for caches and origins not centrally operated.
Pelican Command Line has not currently identified any evidence this attack has been exploited in the services managed by OSDF operators.
When leveraged, an attacker with any kind of authenticated session on the server can create database records that cause the server to grant them admin privileges on subsequent login. Critically, admin access enables modifying the server's configuration, creating persistent API tokens, and changing admin passwords. The table below summarizes potential implications of this exploit.
| Service | Data exposure risk | Data tampering risk | Federation-wide impact | |---------|-------------------|---------------------|----------------------| | Director | Low (no data stored) | High — can modify configuration to point to a different Registry | High — can modify configuration to add GeoIP overrides to steer federation. Denial of service on the federation | | Registry | Low | High — can modify existing or create malicious namespaces that impersonate trusted paths | High — federation-wide namespace poisoning. Denial of service on the federation | | | — can expose protected paths via config or export object store/filesystem paths into a namespace | — can potentially enable writes + change export paths | Medium — scoped to that origin's namespaces | | | — can expose cached protected data via config changes | Low — caches don't originate data | Low — scoped to that cache |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
Both attacks share the same prerequisites:
Server.UIAdminUsers username or a Server.AdminGroups group name) for an admin who has not previously logged into the WebUI.Before upgrading, Pelican Command Line recommends auditing the service's database to see if it has already been exploited and to block further exploitation. Upgrading an exploited server is insufficient to prevent future unauthorized access if the exploit has already occurred.
Pelican Command Line is providing a script mitigate-user-escalation.sh that:
[!] for explicit review — administrators should verify all entries, but especially those with this syntax highlighting. The highlighted changes do not guarantee an exploit occurred but that further examination is needed.This script is available as a github gist: https://gist.github.com/jhiemstrawisc/8c4b2b3ec5cb2ca06537d9439dc16cc9
To run the script:
# Run as the same user that runs the Pelican server (e.g., pelican):
$ sudo bash mitigate-user-escalation.sh
# If using a non-standard config file:
$ sudo bash mitigate-user-escalation.sh --config /path/to/pelican.yaml
# If the database is in a non-standard location:
$ sudo bash mitigate-user-escalation.sh --db-path /path/to/pelican.sqlite
Administrators for Pelican servers running an affected version should upgrade to a patched release. Within each minor release series, these versions include:
>=v7.21.5>=v7.22.3>=v7.23.3>=v7.24.2Administrators can check their server's version by invoking pelican with the --version flag, or by inspecting the WebUI's ? icon displayed in the lower left corner.
If administrators are unable to upgrade to a patched version, disable the vulnerable configuration by commenting or removing the relevant settings from the service's pelican.yaml:
Server:
# Comment or remove these lines:
# UIAdminUsers:
# - user1
# - user2
# AdminGroups:
# - admin-group
Note: Disabling
Server.UIAdminUsersremoves OIDC-based admin access entirely, leaving only password-based login for admin access. Ensure the project has a working admin password before making this change.
If a server doesn't currently configure Server.UIAdminUsers or Server.AdminGroups, do not populate these settings until the administrator has upgraded to a patched version. If their project doesn't currently have these configured but have in the past, they should still audit the records using the provided mitigation script.
In addition to closing the immediate vulnerabilities, the Pelican development team is working toward several defense-in-depth solutions to minimize the risk of similar vulnerabilities in the future. These include: