CVE-2026-29789
Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
| Field | Value |
| --- | --- |
| CWE | CWE-862 (Missing Authorization) |
| Vendor | vitodeploy |
| Product | vito |
| Published | Mar 6, 2026 |
| Last Updated | Mar 9, 2026 |
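The flaw described above is a classic CWE-862 pattern: the action resolves a caller-supplied `server_id` directly, without confirming that the server belongs to the project the caller is authorized in. The following is an added example, written for this page and not taken from Vito's code base or its fix commit; the `Project`, `Server` and `Repository` classes, the in-memory data, and the `createSiteVulnerable` / `createSiteScoped` functions are constructed for illustration. It contrasts the unscoped lookup with one that resolves the server through the caller's project, which is the shape of check a reviewer would look for in the linked patch.

```php
<?php
declare(strict_types=1);

// Added example (not Vito's code): models the missing authorization check
// behind CVE-2026-29789 and the project-scoped lookup that closes it.
// All names, IDs and records below are constructed for illustration.

final class Project
{
    public function __construct(public readonly int $id, public readonly string $name) {}
}

final class Server
{
    public function __construct(
        public readonly int $id,
        public readonly int $projectId,
        public readonly string $name,
    ) {}
}

final class AuthorizationException extends \RuntimeException {}

/** Constructed sample data: two projects, each owning one server. */
final class Repository
{
    /** @var array<int, Server> */
    private array $servers;

    public function __construct()
    {
        $this->servers = [
            1 => new Server(1, 10, 'web-1 (project A)'),
            2 => new Server(2, 20, 'web-2 (project B)'),
        ];
    }

    /** Global lookup by primary key: any server, regardless of owner. */
    public function find(int $serverId): ?Server
    {
        return $this->servers[$serverId] ?? null;
    }

    /**
     * Scoped lookup: only servers owned by $project are visible.
     * The equivalent Laravel idiom would be a relation-scoped query such as
     * $project->servers()->findOrFail($serverId) (assumption, not quoted from Vito).
     */
    public function findInProject(Project $project, int $serverId): ?Server
    {
        $server = $this->find($serverId);
        return ($server !== null && $server->projectId === $project->id) ? $server : null;
    }
}

/** Vulnerable pattern: the action trusts the caller-supplied server_id as-is. */
function createSiteVulnerable(Repository $repo, Project $caller, array $input): string
{
    $server = $repo->find((int) $input['server_id']);
    if ($server === null) {
        throw new \InvalidArgumentException('unknown server');
    }
    // No check that $server belongs to $caller: a foreign server_id is accepted.
    return "site created on {$server->name}";
}

/** Hardened pattern: resolve the server through the caller's own project. */
function createSiteScoped(Repository $repo, Project $caller, array $input): string
{
    $server = $repo->findInProject($caller, (int) $input['server_id']);
    if ($server === null) {
        // Deny uniformly; do not reveal whether the id exists in another project.
        throw new AuthorizationException('server not found in this project');
    }
    return "site created on {$server->name}";
}

// Demonstration: a member of project A submits project B's server_id.
$repo = new Repository();
$projectA = new Project(10, 'A');
$foreignInput = ['server_id' => 2, 'domain' => 'example.test'];

echo 'vulnerable: ', createSiteVulnerable($repo, $projectA, $foreignInput), PHP_EOL;

try {
    createSiteScoped($repo, $projectA, $foreignInput);
} catch (AuthorizationException $e) {
    echo 'scoped: denied (', $e->getMessage(), ')', PHP_EOL;
}

echo 'scoped: ', createSiteScoped($repo, $projectA, ['server_id' => 1]), PHP_EOL;
```

Run it with `php example.php`: the unscoped path happily creates a site on project B's server for a project A member, while the scoped path rejects the same input and only succeeds for a server the caller's project owns. The same rule applies to every other action that accepts a `server_id` (or any other foreign key) from the request body: resolve the record through the authorized parent, or enforce an equivalent policy check, rather than loading it by primary key alone.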
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
vitodeploy / vito
< 3.20.3
References
GitHub security advisory: https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76
Fix pull request: https://github.com/vitodeploy/vito/pull/1036
Fix commit: https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326
Patched release: https://github.com/vitodeploy/vito/releases/tag/3.20.3