Overview
A high-severity improper privilege management vulnerability has been disclosed in SourceCodester Online Examination & Learning Management System version 1.0. The flaw is found in the register.php registration endpoint, where manipulation of the role parameter allows a remote attacker to self-assign elevated privileges — including administrator-level access — during account creation.
Tracked as CVE-2026-14719 with a CVSS base score of 7.3 (High), this vulnerability is exploitable remotely without authentication, making it a critical risk in any internet-facing deployment of this software.
Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-14719 |
| CVSS Score | 7.3 (High) |
| Attack Vector | Network (Remote) |
| Authentication | None required |
| Affected File | register.php — Registration Endpoint |
| Vulnerable Parameter | role |
| Vulnerability Type | Improper Privilege Management (CWE-269) |
| Vendor | SourceCodester |
| Affected Version | Online Examination & Learning Management System 1.0 |
The register.php endpoint accepts a role field from the client during user registration. The application fails to validate or restrict which role values a user may specify, allowing an attacker to set their role to admin or any other privileged designation. Once the account is created with an elevated role, the attacker can log in and access the full administrative interface.
Impact
Successful exploitation allows an attacker to:
- Create administrator accounts without any prior access or credentials
- Access the admin dashboard, including student records, exam questions, grades, and user management
- Modify or delete exam content — creating academic integrity risks in educational deployments
- Exfiltrate student PII — names, email addresses, exam scores, and potentially payment data
- Disable or lock out legitimate users by altering account states from the admin panel
- Pivot to further attacks — using admin credentials to probe connected systems or escalate to server access
In an educational context, this vulnerability threatens the integrity of examinations, student privacy, and institutional data.
Proof of Concept
An attacker can register with an elevated role by tampering with the POST body sent to register.php:
POST /register.php HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
username=attacker&password=secret&email=attacker@evil.com&role=adminIf the server-side code performs no validation on the role field before inserting into the database, the attacker account is created with admin privileges. The attacker can then authenticate normally and access admin-only features.
Remediation
- Server-side role enforcement — Never trust client-supplied role values. Remove the
roleparameter from the registration form entirely, or enforce a server-side whitelist where new registrations are always assigned the lowest-privilege role (e.g.,student). - Role assignment via admin workflow — Privilege elevation should require an existing administrator to explicitly grant elevated roles through a protected interface.
- Input validation — If a
roleparameter must be accepted, validate it against a strict enum of allowed public values and reject any others with an HTTP 400 error. - Audit existing accounts — Any deployment of this software should immediately audit the
rolecolumn in the users table for any accounts with unexpected admin privileges. - Implement access controls — Use a proper RBAC (Role-Based Access Control) framework and validate permissions server-side on every privileged request, not just at login.