MEDIUM 6.3

CVE-2026-11476: Privilege Escalation in Kushan2k Student Management System

Kushan2k's student-management-system contains a flaw in its admin profile update endpoint that allows authenticated users to escalate their privileges by manipulating the 'isadmin' parameter. An attacker with legitimate credentials can modify this parameter to grant themselves administrative access without proper authorization checks. The vulnerability has already been disclosed publicly, and remote exploitation requires only network access and valid login credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the edit-admin function within controllers/AdminController.php. The Profile Update Endpoint fails to properly validate authorization when processing the 'isadmin' argument, resulting in improper access control (CWE-266, CWE-285). An authenticated remote attacker can craft a request that modifies the isadmin parameter to bypass intended privilege restrictions. The affected codebase runs up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Because the project uses rolling releases, specific version numbers are not available; administrators must verify the commit hash against their deployment.

Business impact

This vulnerability enables privilege escalation within student management systems. Staff or users with standard credentials can elevate themselves to admin status, gaining unrestricted access to student records, enrollment data, course management, and potentially the ability to modify system settings. For educational institutions, this creates compliance risks (FERPA, GDPR depending on jurisdiction), potential data breach exposure, and operational disruption through unauthorized administrative changes. The low barrier to exploitation—requiring only valid login credentials—makes this a credible insider threat vector.

Affected systems

Kushan2k student-management-system is affected up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The project maintains a rolling release model with continuous delivery, so traditional version numbering is not provided. Organizations must identify their current deployment's commit hash and verify whether it contains this vulnerability by consulting the project repository or vendor communication.

Exploitability

Exploitability is moderate to high in most deployments. The attack requires network access and valid user credentials (low privilege threshold), but no user interaction or complexity in crafting the malicious request. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts. However, the requirement for prior authentication prevents anonymous attacks and limits the scope to insider threats or compromised low-privilege accounts.

Remediation

The Kushan2k project has been notified but has not yet released a patch or official remediation guidance. Organizations should monitor the project repository for updates and security advisories. In the interim, mitigations include: restricting admin profile update endpoint access via network controls, implementing strict role-based access control (RBAC) validation at the application layer, monitoring for suspicious authorization parameter modifications in logs, and limiting the number of staff with legitimate access to admin functions.

Patch guidance

No official patch version has been released at this time. Administrators should check the Kushan2k project repository and security announcements regularly. When a fix is published, verify the commit hash to confirm you are applying the correct update. Given the rolling release model, patch availability and deployment steps will be communicated through the project's standard channels. Consider implementing the interim mitigations listed above while awaiting an official fix.

Detection guidance

Monitor application logs for requests to the edit-admin endpoint in controllers/AdminController.php where the 'isadmin' parameter is being modified, especially from non-admin user accounts or from unusual source IPs. Implement alerting on successful authorization changes where the requesting user's privilege level does not justify the operation. Database audit logs should capture changes to admin role assignments; compare these against your authorization matrix to identify anomalies. Check for unusual API calls that include the isadmin parameter in POST or PUT requests from authenticated sessions with insufficient privileges.

Why prioritize this

This vulnerability merits prompt attention due to the combination of public disclosure, active exploitability (requiring only standard user credentials), direct privilege escalation impact, and the sensitive nature of student data in educational systems. Although it requires authentication, the low skill barrier and high business impact (data breach, compliance violation, operational compromise) place it above routine patch schedules. Organizations managing sensitive educational or institutional data should prioritize assessment and remediation.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects: network-accessible attack vector (no special network position required), low attack complexity (straightforward parameter manipulation), requirement for low privilege (authenticated user), and impact across confidentiality, integrity, and availability (data exfiltration, unauthorized modification, potential system disruption). The score appropriately captures a credible privilege escalation risk that is not trivial to exploit (requires authentication) but poses significant institutional risk once exploited. The public disclosure and lack of patch availability elevate practical risk beyond the baseline CVSS score.

Frequently asked questions

Our institution uses Kushan2k student-management-system. How do we know if we are affected?

Check your deployed commit hash against the project repository. If your deployment is at or before commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a, you are affected. Because the project uses rolling releases without version numbers, you must verify the exact commit your instance is running. Consult your deployment logs or contact your administrator to determine your current commit hash.

Do we need valid login credentials to exploit this, or is it remotely accessible without authentication?

This is an authenticated attack; an attacker must have valid credentials to access the system. However, the attacker only needs low-privilege credentials (e.g., a standard staff or student account). This makes the vulnerability particularly concerning in insider threat scenarios or if a low-privilege account is compromised through phishing or credential stuffing.

Are there temporary mitigations we can implement while waiting for a patch?

Yes. Restrict API access to the admin profile update endpoint using network-level controls (WAF, API gateway rules), implement strict server-side RBAC validation to reject any authorization parameter modifications from non-admin users, monitor and alert on attempts to modify the isadmin parameter, and conduct access reviews to ensure only legitimate administrators have system access. These do not fix the underlying code flaw but significantly reduce exploitation risk.

What should we monitor in our logs to detect if someone has exploited this?

Watch for successful requests to controllers/AdminController.php with the edit-admin function that modify the isadmin parameter, particularly from low-privilege user accounts. Cross-reference any resulting role or permission changes against your authorization logs. Look for metadata anomalies: unusual source IPs, timing patterns inconsistent with normal admin activity, or changes made by users who should not have administrative access rights.

This analysis is based on the vulnerability description and CVSS data provided and current as of the publication date. The Kushan2k project operates on a rolling release model without traditional versioning; administrators must verify their deployment's commit hash against the project repository. No official patch has been released at the time of publication. This information is provided for educational and defensive purposes. Organizations should verify all technical details against official vendor advisories and conduct their own risk assessment. Exploit code details are not provided in this analysis; the vulnerability has been publicly disclosed and may be exploited by malicious actors. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).