CVE-2020-36969

HIGH

M/Monit 3.7.4 - Privilege Escalation

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36969. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This exploit demonstrates a privilege escalation vulnerability in M/Monit 3.7.4 by updating a user's role to administrator via an API endpoint. It requires valid credentials and leverages a flawed access control mechanism.

Description

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account.

Exploits (1)

exploitdb WORKING POC
by Dolev Farhi · python · webapps · multiple
https://www.exploit-db.com/exploits/49080

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: M/Monit 3.7.4
Auth required
Prerequisites: Valid user credentials · Access to the M/Monit web interface
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/49080
Product: https://mmonit.com/
Third Party Advisory: https://www.vulncheck.com/advisories/mmonit-privilege-escalation

Scores

CVSS v3 8.8
EPSS 0.0042
EPSS Percentile 33.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (1)
tildeslash/m\/monit 3.7.4
Published Jan 28, 2026
Tracked Since Feb 18, 2026