SCA: security update for github.com/pelicanplatform/pelican (GHSA-rpfr-x88x-xwcw)

critical Tenable Cloud Security Plugin ID 441096

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to
before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a a privilege escalation
vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to
the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in
versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2. (CVE-2026-42571)

Solution

Update the github.com/pelicanplatform/pelican library and its related packages to version 0.0.0-20260408120501-7f73b9c3e677 or later.

See Also

https://github.com/advisories/GHSA-rpfr-x88x-xwcw

Plugin Details

Severity: Critical

ID: 441096

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/5/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-42571

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9

Threat Score: 6.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2026

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-42571

cwe: CWE-863