


Perceptive Security
SOC/SIEM Consultancy

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authoriz…
Published: 5 March 2026 at 23:00:00
Alert date: 6 March 2026 at 22:01:20
Source: nvd.nist.gov
Web Technologies, Identity & Access
Vito, a self-hosted web application for managing servers and deploying PHP applications, contains a missing authorization check vulnerability in workflow site-creation actions prior to version 3.20.3. The vulnerability allows authenticated attackers with workflow write access in one project to create and manage sites on servers belonging to other projects by supplying a foreign server_id. This represents a privilege escalation issue that could allow unauthorized cross-project access. The vulnerability has been patched in version 3.20.3.
Technical details
Affected products: Vito
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-29789
https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326
https://github.com/vitodeploy/vito/pull/1036
https://github.com/vitodeploy/vito/releases/tag/3.20.3
https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76
This article was created with the assistance of AI technology by Perceptive.
