Security Advisory: Privilege Escalation via Audit Log
Date: 2. 6. 2026
Severity: 9.0 (Critical)
CVSS 3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
Affected versions: All midPoint versions prior to 4.8.12, 4.9.7, 4.10.3
Fixed in versions: 4.8.12, 4.9.7, 4.10.3
Description
An authorized user with audit log access can exploit a bug that discloses session identifiers to escalate privileges to system administrator level.
Note: Audit log access is a high-privilege role in midPoint, as it grants visibility into all system events and sensitive operations.
This vulnerability requires:
- Attacker to have authorization for audit log access (high-privilege role)
- Administrator to be currently logged in
- Administrator to have performed an audited action
- Attacker to capture and reuse the session identifier
Severity and Impact
This is a Critical Severity issue.
The authorized user may be able to escalate privileges to administrator-level access, which grants unrestricted access to midPoint.
Mitigation
Users of affected midPoint versions are advised to upgrade to the latest maintenance releases: 4.8.12, 4.9.7, or 4.10.3.
If immediate upgrade is not possible:
- Restrict audit log access: audit log access is a high-privilege role that should only be assigned to administrators.
- Review audit log viewer assignments: ensure only trusted administrators have this authorization.
Discussion and Explanation
A bug in midPoint's authentication / authorization code disclosed the session cookie via the audit log's session identifier field, which, according to the documentation, should be a random identifier not correlated with the cookie.
If the disclosed session cookie is still active, the session can be hijacked using cookie manipulation.
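The following is an added illustration, not midPoint's code: it shows the intended design (an audit-facing session identifier generated independently of the session cookie) and a defender-side check that scans an audit export for records whose session identifier matches an active cookie value. Field names, the in-memory session store and the sample records are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed server-side session table: cookie value -> session data."""
    sessions: dict = field(default_factory=dict)

    def create_session(self, user: str) -> tuple[str, str]:
        """Return (cookie_value, audit_session_id).

        The audit-facing identifier is drawn independently of the cookie, so an
        audit record never carries a value that could be replayed as a cookie.
        """
        cookie_value = secrets.token_urlsafe(32)
        audit_session_id = secrets.token_urlsafe(16)
        self.sessions[cookie_value] = {"user": user, "audit_id": audit_session_id}
        return cookie_value, audit_session_id

    def audit_record(self, cookie_value: str, event: str) -> dict:
        """Emit an audit record that references the session only by its audit id."""
        session = self.sessions[cookie_value]
        return {
            "sessionIdentifier": session["audit_id"],  # never the cookie itself
            "initiator": session["user"],
            "event": event,
        }


def leaked_session_records(records: list, active_cookies: list) -> list:
    """Defender check over an audit export (constructed format).

    Returns every record whose sessionIdentifier equals an active session
    cookie value, i.e. the leakage pattern this advisory describes.
    """
    active = set(active_cookies)
    return [r for r in records if r.get("sessionIdentifier") in active]
```

Run the check against an audit export with the set of currently active cookie values; any hit means a session cookie has been written into the audit log and that session should be invalidated.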