CVE-2026-29789 — AI Deep Analysis Summary

🚨 **Essence**: Missing Authorization Check in Workflow Site Creation. <br>💥 **Consequences**: Attackers can create/manage sites on servers belonging to *other* projects. Total loss of isolation between projects.

🛡️ **Root Cause**: CWE-862 (Missing Authorization). <br>🔍 **Flaw**: The system fails to verify if the user owns the target `server_id` when creating a site via workflow. It trusts the input blindly.

📦 **Affected**: Vito (VitoDeploy). <br>📉 **Versions**: All versions **before 3.20.3**. <br>🔧 **Component**: Server management & PHP app deployment web interface.

👮 **Privileges**: Escalates from 'Project Workflow Writer' to 'Cross-Project Server Admin'. <br>📂 **Data**: Can deploy code, modify configs, and potentially access data on servers not owned by the attacker's project.

⚠️ **Threshold**: Medium. <br>🔑 **Auth**: Requires **Valid Login** (PR:L). <br>🎯 **Config**: Needs 'Write' permission on a workflow in *any* project. No UI interaction needed (UI:N).

🚫 **Public Exp**: No PoC provided in data. <br>🌐 **Wild Exp**: Low risk currently. <br>📝 **Note**: CVSS S:C (Changed Scope) implies high impact, but exploitation requires specific internal knowledge of server IDs.

🔍 **Self-Check**: <br>1. Check Vito version. <br>2. Audit users with 'Workflow Write' access. <br>3. Monitor logs for site creation requests with `server_id` not matching the project's servers.

✅ **Fixed**: Yes! <br>📅 **Patch**: Version **3.20.3**. <br>🔗 **Source**: GitHub Release & Security Advisory (GHSA-3m6w-8qh4-qr76).

🛡️ **Workaround**: <br>1. **Upgrade** to v3.20.3+ immediately. <br>2. If stuck: Restrict 'Workflow Write' permissions to admins only. <br>3. Implement WAF rules to validate `server_id` against project ownership.

🔥 **Urgency**: HIGH. <br>📊 **Priority**: P1. <br>💡 **Why**: CVSS 9.1 (Critical). Scope Change (S:C) means one breach affects multiple projects. Patch immediately to prevent lateral movement.